Is a vigilante hacker trying to secure your IoT device from malware? The mysterious developer behind a growing computer worm wants people to think so.
The worm, known as Hajime, has infected tens of thousands of easy-to-hack products such as DVRs, internet cameras, and routers. However, the program so far hasn’t done anything malicious.
Instead, the worm has been preventing a notorious malware known as Mirai from infecting the same devices. It’s also been carrying a message written from its developer.
“Just a white hat, securing some systems,” the message reads. “Stay sharp!”
Security firm Symantec posted about the new development on Tuesday and said the efforts from the so-called “white hat,” or ethical hacker, appear to be having an effect.
The worm has been competing against Mirai, another fast-spreading malware that had, at one point, been enslaving vulnerable IoT devices by the hundreds of thousands.
The purpose of Mirai was to create botnets—networks of infected computers that can be used for ill. In October, a Mirai botnet was blamed for launching a massive distributed denial-of-service attack that disrupted internet traffic across the U.S.
The rise of Mirai has raised questions about what the security industry can do stop it. The malware will continue to spread and harass, as long as the IoT devices it uses remain easy to hack.
Enter Hajime, which was first discovered in October. It’s been racing to infect some of the same devices Mirai has. Once it does, the worm will block access to certain ports on the IoT device, preventing other malware from exploiting them.
Owners of these Hajime-infected devices shouldn’t notice any disruption, said Waylon Grange, a security researcher at Symantec. “The protocols used by Hajime are designed not to degrade network performance,” he said.
Experts had already speculated that Hajime may have come from a vigilante hacker out to stop Mirai.
However, Symantec has found some possible proof. The company noticed that the computer worm has been leaving a message over infected devices since at least March, Grange said. That message has been digitally signed and fetched in a way that leaves little doubt it comes from Hajime’s developer.
The short message doesn’t reveal anything about the Hajime developer’s identity. But the vigilante hacker is aware the security community has been studying the Hajime worm.
One clue: The mysterious developer refers to himself or herself as the “Hajime author” in the message the worm has been leaving behind. However, it was actually security researchers at Rapidity Networks that came up with the name Hajime, which is Japanese for the term “beginning.”
In addition, the mysterious developer has been patching bugs in Hajime computer worm that researchers previously reported.
“The thought of security researchers inadvertently assisting malware authors is worrying,” Grange wrote in his blog post for Symantec.
So how concerned should we be about Hajime?
“On the one hand, I’d like Hajime to choke out Mirai,” Grange said. “But then, I don’t know what Hajime’s author would do then.”
Fortunately, the current form of Hajime isn’t built with malicious capabilities. But the fear is its developer will one day choose to modify the worm, to launch DDoS attacks or engage in other forms of cybercrime, Grange said.
Hajime also contains a feature that makes it hard to stop: The worm doesn’t take commands from a single server owned by its mysterious developer. Instead, it communicates over a peer-to-peer network. That means a whole host of devices infected with Hajime can be used to relay files or instructions to the rest of the group.
“If Hajime turned evil, it would be more difficult to deal with,” Grange said.
Symantec offered a modest estimate that puts Hajime’s size in the tens of thousands of infected devices. The company has found the worm spreading to Brazil, Iran, Thailand, and Russia, among other countries.