Kaspersky: Hajime botnet captures 300,000 routers, webcams and video recorder

researchers at Kaspersky Lab have an IoT worm investigated who apparently has since autumn 2016 in circulation. Since then, the Hajime has (Japanese: beginning) called pest added to almost 300,000 Internet-enabled devices to a P2P botnet. The purpose of the botnet is not known. “

 botnet warning label in the past few months Hajime to have evolved steadily. According to the analysis, the backers added new functions or they removed. Also they exploit the bad part security of devices such as webcams, routers and digital video recorders IoT .

access to the devices in question get the hackers default Telnet and device password. Specifically they do among other things against the provider of ARRIS cable modems. An attack on a security flaw in the data exchange protocol, TR-069, which is used for remote maintenance of devices at the customer is new. Affected routers and modems are vulnerable to the injection and execution of malicious code from a distance.

in General Hajime aimed against any Internet-enabled devices. In the case of Telnet attacks a routine, which checks the welcome message of the remote device to increase the success rate. It contains specific words such as names of manufacturers or model names, certain combinations of username and password are sent via brute force to get a Telnet access.

reports on a Telnet request a device of manufacturer of Arri, take the hacker a vulnerability known since 2009 in the visor. Called the “password of the day” vulnerability is based on the ability to guess a daily new generated password. Some Internet service providers have not closed this gap until today.

with a honeypot researchers registered also within 24 hours alone 2593 successful Hajime attacks via Telnet. The most (20,04%) is directed against users in Vietnam, followed by Taiwan, Brazil, Turkey, Korea and India. Overall, they found 297.499 unique infected hosts, who requested a configuration file for Hajime. 58.465 hosts were located based on their IP address in Iran, 26.188 in Brazil and 23.418 in Vietnam. The other courses followed by Russia, Turkey, India, Pakistan and Italy.

“the most fascinating thing about Hajime is its purpose however. Although the botnet is getting bigger and bigger, in part by new attack module, its purpose remains unknown. We have seen no attacks or malicious activity”, according to the Kaspersky blog. “And perhaps that will not happen also.”

the researchers establish their guess with a message that displays Hajime, once a new configuration file has been downloaded. It says: “only a white hat which secures some systems. Important messages be signed like this. Hajime author.”

whether the message is trustworthy or not, remains to be seen according to Kaspersky. Nevertheless, the company advises users of IoT devices to only use passwords that will not cracked by brute force can change the default password and if possible to update the device software.

Radware indicates that the botnet independently could be used purposes by the motives of its backers also for criminals. A vulnerability in Hajime had recently been closed, it would have allowed third parties to take over control of the botnet. As Hajime was extremely flexible and expandable, it is also a very attractive target for competing hackers.

WEBINAR

what next – BB´s storage & co: the enterprise cloud!

get to know the building blocks of enterprise cloud platform in this audio Webinar. Learn how to achieve maximum freedom and flexibility for your applications. More outcome achieved with less input – specific application examples.

[withmaterialbyZackWhittaker ZDNet.com ]

tip : you know the most famous hacker? Check your knowledge – with 15 questions on silicon.de.

Be the first to comment

Leave a Reply