Mirai, the IoT botnet responsible for record-breaking DDoS attacks last year, has taken a hit. Thanks in part to what appear to be ‘vigilante worms’, which are either taking over or taking down the IoT devices that make up Mirai’s massive network. While these worms might have been effective in disrupting Mirai’s operations, are vigilante worms really the solution to the IoT botnet epidemic?
So far, cyber security researchers have identified two worms that appear to be the handiwork of vigilantes: Hajime and Brickerbot. The former seems to be taking over IoT devices targeted by Mirai, while the latter goes a step farther, rendering the devices unusable.
There’s no doubt Mirai and its ilk are serious threats to business. They already crippled several high-traffic websites and cloud-based services like Amazon, CNN, Netflix, Twitter, and The New York Times in a single DDoS event which rendered them unavailable to a large part of the United States and Europe.
There’s also no question that most IoT devices are widely vulnerable to hacking. When you combine the severity of the IoT botnet threat with the vulnerability and proliferation of IoT devices, it’s easy to see how serious the risk is. While something must be done to mitigate this risk, should that include acts of vigilantism?
Before tackling this question, it is important to know what we’re dealing with.
Characteristics of the Hajime worm
Like Mirai, Hajime is a worm, meaning it’s capable of infecting a device and then spreading to other devices in the network without any human intervention. Like Mirai, Hajime also targets IoT devices. It penetrates them by scanning for open Telnet ports and then breaking in using default factory passwords.
Hajime has a couple of other features that are supposed to make it more effective than Mirai. For example, instead of using a centralized C&C (Command-and-Control) server for sending commands to its bots, Hajime uses a P2P (peer-to-peer) architecture. In this architecture, the bots themselves also serve as C&Cs.
To take down a botnet, you need to chop off its head by severing the C&C channel. Thus, Hajime’s network is more resilient than Mirai’s because it consists of multiple C&Cs (i.e., multiple heads to chop off) while the latter may only have one or two of them.
The Hajime botnet is constantly evolving, with the authors adding new features to make it even more stealthy and resilient as well as more effective at breaking into IoT devices.
Malware researchers believe it now has three attack methods. The first method can exploit an Arris cable modem’s password-of-the-day, a relatively old remote backdoor that’s been used since 2009. The second is the Telnet default password attack, which is just like the one employed by Mirai. And the third is the TR-069 exploit, a relatively new attack that exploits the TR-069 standard which ISPs use to manage modems remotely.
Once it’s able to break into a device, Hajime tries to conceal its activities by hiding its running processes and accompanying files. It also enables attackers to open a remote shell over which they can issue commands.
With all these advanced features, you’d think Hajime would be all set to claim Mirai’s turf. It could, but strangely, the authors of Hajime don’t seem interested in doing that. Unlike Mirai, Hajime’s not equipped with DDoS (Distributed Denial-of-Service) capabilities. In fact, in its current form, it doesn’t seem to have any capabilities for attacking other systems (except of course the IoT devices it ensnares).
Instead, it simply seems to be preventing Mirai from carrying out its plans. Hajime does so by blocking ports 23, 7547, 5555, and 5358 – the very same ports normally exploited by Mirai. While those ports are blocked, Mirai is unable to break into the device.
According to researchers, Hajime displays a cryptographically signed message on the terminals (if there are any) of ensnared devices. The message states: “Just a white hat, securing some systems. Important messages will be signed like this! Hajime Author. Contact CLOSED Stay sharp!”
Hajime does have a few weaknesses though. Like Mirai, Hajime only gets loaded in the device’s RAM. Thus, it lacks a persistence mechanism that would allow it to stay in the device indefinitely. As soon as the device is rebooted, it would automatically be free from the Hajime infection and those blocked ports would be open (and vulnerable to either a Mirai or Hajime infection) once again.
Hajime’s not the only computer worm out to spoil Mirai’s party. There’s one more, and it’s called Brickerbot.
Like Hajime, Brickerbot is a vigilante worm that breaks into IoT devices by exploiting default passwords. Unlike Hajime, however, which only blocks the ports targeted by Mirai upon infection, Brickerbot takes a more radical approach: it bricks every IoT device it infects.
More specifically, Brickerbot wipes the device clean and disconnects it from the Internet. As soon as you reboot the device or do a factory reset, you’ll realize it’s already been bricked. Naturally, a bricked IoT device can no longer be infected. It’s a rather cruel way of countering the Mirai epidemic and the author of Brickerbot knows it, calling his/her approach a form of “Internet Chemotherapy”.
Chemotherapy, which is commonly used for treating cancer patients, destroys not only cancer cells but also healthy cells. Janit0r (the name used by Brickerbot’s author) thinks the ubiquity of vulnerable IoT devices and the risk they pose (i.e., massive DDoS attacks) is a critical issue that “couldn’t be solved quickly enough by conventional means,” and therefore requires a radical treatment.
It takes a worm to stop a worm?
A computer worm like Mirai spreads from one device to another on its own. It doesn’t require a human being to install, download, or copy it. For this reason, a large number of devices can be infected by Mirai in a short period of time. And if you’re talking about IoT devices, that number can easily reach millions.
With such a high infection rate, any undertaking to stop this malware that relies on manual methods will surely prove futile. That’s why the authors of Hajime and Brickerbot are taking this path. They evidently think that, in order to stop a worm, you need a solution with worm-like capabilities.
Understanding the risks of relying on vigilante worms
First of all, we must remember that these worms are developed by human beings. People are fickle. What starts with noble intentions may develop into something else.
Because Hajime and Brickerbot already have the ability to break into IoT devices, propagate, and lock down their victims, only a small update would be needed for them to carry out more sinister acts if their authors eventually decide to turn to the dark side.
These newly weaponized botnets could then be used to launch DDoS attacks or infect and brick IoT-enabled critical devices such as medical equipment. Many of the infected devices are cameras which could lead to espionage or voyeurism.
Even if these worms’ developers maintain their do-good profile, several threat actors could take interest in these projects. If malicious individuals are able to hijack these worms, they could then be weaponized.
Let’s also not forget that certain vigilante worms, like Brickerbot, have the tendency to inflict disproportionate punishment or unwarranted collateral damage. These worms are supposed to punish IoT device manufacturers for failing to build secure devices, but in fact they are destroying other people’s property. Two wrongs still don’t make a right.
Nevertheless, the emergence of Mirai, Hajime and Brickerbot should serve as a wake-up call to the manufacturers of IoT devices. The vulnerabilities in these devices pose a serious threat not only to the potential victims of DDoS attacks, but also to the owners of the devices, who may become collateral damage in acts of cyber vigilantism.