[ARTICLE] IoT botnets assessment: Hajime, BrickerBot (June 2017)

What if the newly installed connected camera in your house started sending heavy network traffic towards a target, with the objective of flooding it until it goes off-line?
It may seem far-fetched, but this is exactly what happened when multiple Distributed Denial of Service (DDoS) attacks of unprecedented severity were carried out by botnets of compromised IoT devices, a phenomenon that marked the last quarters of 2016.

The conventional vulnerable computers that used to make up those cyber armies have given way to their successors: insecure IoT devices, delivered by their manufacturers with little or no security. It seems we have entered a new age in which emerging connected objects, prized for their lack of security and their ease of takeover, have become attackers' new favorite cyber weapon. This plunges the world of cyber-criminals into a raging battle between different families of worms fighting for control of the overly exposed and vulnerable IoT devices, with the goal of enrolling them into their respective botnets.

In September 2016, KrebsOnSecurity and OVH servers were flooded by massive traffic launched by a botnet of infected IoT devices. While KrebsOnSecurity went off-line, OVH suffered slowdowns. At the origin of the attack was a new worm that caused controversy and raised concerns among many people: the Mirai worm. A month later, users could not access multiple sites such as Reddit, GitHub, Twitter and Airbnb. Mirai had struck again, this time attacking the American DNS provider DynDNS, widely used by the Internet giants.

On September 30th 2016, the author of the worm, using the pseudonym “Anna-senpai”, disclosed Mirai’s code on the HackForum site, which led to the deployment of several forks of the worm that soon started targeting different sites in order to endanger their availability. Analysis of Mirai’s source code revealed that the worm targets vulnerable IoT devices and spreads by continuously running network scans looking for connected objects with an open telnet service and factory-set logins and passwords. Vulnerable devices are then turned into zombie machines enrolled in a large botnet, in which they communicate with a Command & Control (C&C) server that can initiate Distributed Denial of Service attacks.

The attack launched on September 20th 2016 by Mirai’s botnet against the KrebsOnSecurity website recorded traffic reaching 620 GB per second from more than 380 000 infected IoT devices. These new records caught the attention of several people in the security field, among them security researchers from Rapidity Networks, who wanted to obtain a sample of the worm in order to get a deeper insight into Mirai in full action and dissect its inner workings. Using a honeypot of vulnerable IoT devices, they waited for a potential Mirai attack. Given its fast deployment, it was only a matter of time before the worm broke into the honeypot.

On October 5th of the same year, something seemed to have taken the bait: suspicious activity was reported within the honeypot, with a node performing network scans. At first sight, the retrieved sample appeared to be one of Mirai’s forks because of their common attack vector, but further analysis led to the discovery of a much more sophisticated worm whose goals remain unidentified. Given the significant number of worms emerging since the disclosure of Mirai’s source code, the researchers formulated the hypothesis that the new discovery embeds some of Mirai’s code, at least for the worm’s discovery phase. This was later proven wrong, as the new worm began its deployment a few days before the disclosure of Mirai’s code. As a result, and in order to keep the correlation between the two worms, they dubbed it « Hajime », the Japanese word for « beginning », in contrast with Mirai, which means « future » in Japanese.

What is Hajime?

Hajime is a multi-platform worm targeting vulnerable IoT devices, including CCTV cameras and routers among others, running a telnet service with factory-set credentials. Hajime and Mirai coincide in their discovery phase: both worms scan large ranges of IPv4 addresses over the Internet looking for IoT devices with an open telnet service. Both then use hard-coded lists of manufacturer-set default credentials to launch brute-force attacks against the discovered telnet service. Despite this common discovery phase, a slight difference was observed in the way each worm brute-forces its target: while Mirai randomly tries combinations from the list, Hajime takes the displayed telnet banner into account before trying the combinations sequentially, thus reducing the time to a successful authentication.

Moreover, by adding two more combinations, ‘root/5up’ and ‘Admin/5up’, to its brute-force list, Hajime enlarges its target scope to unprotected Atheros routers. The brute-force ends upon successful authentication to the service. This ends not only the first stage of the infection, but the outlined similarities between Hajime and Mirai as well.
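As an added example (not code from the article or from Rapidity Networks), here is the defender's view of the discovery phase described above: the scan-then-brute-force pattern shows up in perimeter and honeypot logs as one source touching many hosts on TCP/23, or one source failing many telnet logins in a short window. The log formats, addresses and passwords below are constructed for the example (only the root/5up and Admin/5up pairs come from the article); the thresholds and the 60-second window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log: one line per TCP SYN observed at the edge.
# 198.51.100.7 sweeps consecutive hosts on port 23; the other sources are benign noise.
CONN_LOG = """\
2017-06-01T10:00:00 src=198.51.100.7 dst=192.0.2.10 dport=23
2017-06-01T10:00:01 src=198.51.100.7 dst=192.0.2.11 dport=23
2017-06-01T10:00:01 src=198.51.100.7 dst=192.0.2.12 dport=23
2017-06-01T10:00:02 src=198.51.100.7 dst=192.0.2.13 dport=23
2017-06-01T10:00:02 src=198.51.100.7 dst=192.0.2.14 dport=23
2017-06-01T10:00:03 src=198.51.100.7 dst=192.0.2.15 dport=23
2017-06-01T10:00:05 src=203.0.113.9 dst=192.0.2.20 dport=443
2017-06-01T10:00:06 src=203.0.113.9 dst=192.0.2.21 dport=443
2017-06-01T10:00:07 src=203.0.113.4 dst=192.0.2.30 dport=23
2017-06-01T10:05:30 src=203.0.113.4 dst=192.0.2.30 dport=23
"""

# Constructed telnet honeypot authentication log. root/5up and Admin/5up are the
# two pairs the article attributes to Hajime; the remaining guesses are made up.
AUTH_LOG = """\
2017-06-01T10:00:10 src=198.51.100.7 user=root pass=5up result=fail
2017-06-01T10:00:11 src=198.51.100.7 user=Admin pass=5up result=fail
2017-06-01T10:00:12 src=198.51.100.7 user=root pass=guess3 result=fail
2017-06-01T10:00:13 src=198.51.100.7 user=admin pass=guess4 result=fail
2017-06-01T10:00:14 src=198.51.100.7 user=root pass=guess5 result=fail
2017-06-01T10:00:40 src=203.0.113.4 user=root pass=typo result=fail
2017-06-01T10:00:45 src=203.0.113.4 user=root pass=correct result=ok
"""

TELNET_PORTS = {23}


def parse(log):
    """Yield one dict per 'timestamp key=value ...' line; 'ts' becomes a datetime."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        yield fields


def peak_in_window(events, window, measure):
    """events: list of (ts, value). Slide a time window over them (sorted by ts)
    and return the largest value measure() gives for the values inside any window."""
    events = sorted(events, key=lambda e: e[0])
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, measure([v for _, v in events[start:end + 1]]))
    return best


def telnet_scanners(log, min_hosts=5, window=timedelta(seconds=60)):
    """Sources that reach >= min_hosts distinct hosts on a telnet port within `window`."""
    per_src = defaultdict(list)
    for f in parse(log):
        if int(f["dport"]) in TELNET_PORTS:
            per_src[f["src"]].append((f["ts"], f["dst"]))
    hits = {src: peak_in_window(ev, window, lambda v: len(set(v))) for src, ev in per_src.items()}
    return {src: n for src, n in hits.items() if n >= min_hosts}


def telnet_bruteforcers(log, min_failures=4, window=timedelta(seconds=60)):
    """Sources with >= min_failures failed telnet logins within `window`."""
    per_src = defaultdict(list)
    for f in parse(log):
        if f["result"] == "fail":
            per_src[f["src"]].append((f["ts"], f["user"]))
    hits = {src: peak_in_window(ev, window, len) for src, ev in per_src.items()}
    return {src: n for src, n in hits.items() if n >= min_failures}


if __name__ == "__main__":
    print("telnet scanners:     ", telnet_scanners(CONN_LOG))
    print("telnet brute-forcers:", telnet_bruteforcers(AUTH_LOG))
```

Both views are worth alerting on: a single source sweeping consecutive addresses on port 23 is the signature of the scan, and the banner-aware sequential guessing the article attributes to Hajime still produces a run of failures from one source before the first success. A legitimate administrator with one typo (203.0.113.4 above) stays below both thresholds.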

Hajime’s sophistication lies in its infection phase:

Once on the infected device, it checks the header of a binary (/bin/echo) in order to determine the processor architecture. Depending on the processor, it uploads and executes a small first stager on the compromised device. Often called the “downloader”, this first program, written specifically for the platform, connects back to the attacking node, from which it retrieves a larger second program. The second binary joins a decentralized peer-to-peer network from which it downloads specific payloads depending on the processor of the infected device. These modules consist mainly of configuration files and a scanning program.

The life-cycle of the worm reaches its end when the newly infected device becomes in turn a bot of the P2P network that starts scanning the Internet for new IoT devices to attack. Hajime uses the BitTorrent DHT protocol for peer discovery and the uTP protocol for data exchange with peers. According to the researchers, Hajime’s code doesn’t contain any attack payload intended for Denial of Service attacks. Instead, the worm appears to block access for Mirai and its forks by closing ports 23, 7547, 5555 and 5358 on the device.

Is Hajime the new antidote to Mirai?

Often described as the “Dark Knight” or the “Vigilante”, Hajime is widely assumed to be the rising force that will neutralize the threatening Mirai. But when it comes to the reasons that motivated the implementation of the new worm, a lot of questions remain unanswered. Because if Hajime seems to secure vulnerable IoT devices from a potential Mirai infection, it also leaves its own backdoors on the compromised device, such as opening TCP port 4636, over which the worm’s second program is always downloaded.

Note that at the end of the worm’s life-cycle, the newly infected device becomes in its turn an attacking node within the P2P network, looking for new vulnerable embedded devices to enroll. Even if no attack led by the Hajime botnet has been recorded so far, its ever-growing network and fast propagation raise important concerns. According to Kaspersky, the worm has infected more than 300 000 devices.

Hajime’s author: script-kiddies or security experts?

The report published by Rapidity Networks presents a technical analysis of the retrieved sample in order to measure the expertise of Hajime’s authors and to identify the threat, if there is one.

The researchers de-obfuscated and reverse-engineered the program for further analysis. The discovery of an error within the assembly code that no compiler would make demonstrated that the code was entirely hand-written in assembly language for each platform the malware is capable of infecting: ARMv5, ARMv7, MIPS (little-endian) and Intel x86-64. In addition to the sophistication of its peer-to-peer network, all communications within the network are encrypted and signed using RC4 and public/private keys. These findings confirm the expert level of the organization behind the worm and the significant amount of time spent on Hajime’s design and implementation.
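The platform check is the same whether it is the worm reading /bin/echo (infection phase, above) or an analyst sorting recovered stagers by the architectures listed here: read the ELF identification bytes and the e_machine field. The following is an added example, not code from the article or from Rapidity Networks; the samples are constructed 20-byte headers rather than real binaries, and the e_machine constants come from the ELF specification.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification for the platforms the article names,
# plus two common ones for contrast.
MACHINES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def elf_platform(data: bytes) -> dict:
    """Read e_ident and e_machine from the first 20 bytes of an ELF file and
    return its word size, byte order and machine. Raises ValueError on non-ELF input."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]   # EI_CLASS: 1=32-bit, 2=64-bit; EI_DATA: 1=LSB, 2=MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed e_ident")
    order = "<" if ei_data == 1 else ">"
    # e_type and e_machine are the two 16-bit fields right after the 16-byte e_ident,
    # stored in the byte order that e_ident announces.
    _e_type, e_machine = struct.unpack(order + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": MACHINES.get(e_machine, f"unknown(0x{e_machine:04x})"),
    }
# The header alone does not separate ARMv5 from ARMv7: that detail lives in the
# .ARM.attributes section, so header-level triage stops at "ARM".


def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Constructed 20-byte ELF prefix used as sample input; not a real binary."""
    order = "<" if ei_data == 1 else ">"
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + bytes(9)   # EI_VERSION=1, then padding
    return e_ident + struct.pack(order + "HH", 2, e_machine)         # e_type=2 (ET_EXEC)


# Constructed samples covering the article's platform list (ARM, MIPS LE, x86-64)
# plus a big-endian MIPS header to show the byte-order handling.
SAMPLES = {
    "arm": make_header(1, 1, 0x28),
    "mips_le": make_header(1, 1, 0x08),
    "mips_be": make_header(1, 2, 0x08),
    "x86_64": make_header(2, 1, 0x3E),
}


def triage(samples: dict) -> dict:
    """Group sample names by machine/bits/endianness so each platform's files land together;
    anything that is not ELF goes into a 'rejected' bucket instead of raising."""
    buckets = {}
    for name, data in samples.items():
        try:
            p = elf_platform(data)
            key = f"{p['machine']}-{p['bits']}-{p['endian']}"
        except ValueError as err:
            key = f"rejected: {err}"
        buckets.setdefault(key, []).append(name)
    return buckets


if __name__ == "__main__":
    for key, names in triage({**SAMPLES, "not_elf": b"MZ" + bytes(18)}).items():
        print(f"{key:26s} {names}")
```

On a live device the same 20 bytes can be read from any system binary; the point of bucketing by (machine, bits, endian) is that a multi-platform family like Hajime ships one stager per bucket, so a pile of recovered downloaders separates cleanly before any disassembly starts.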

What are the intentions of Hajime’s author?

No information could identify Hajime’s author, who likes to call himself a white hat. Since the publication of Rapidity Networks’ report, the author has adopted the name given to his worm by the researchers: every 10 minutes, infected machines started displaying on the console a message signed “Hajime Author”. Furthermore, the errors raised in the security report were taken into account and corrected by the author. The idea that security professionals are helping a malware author improve the design and implementation of his worm is unsettling.

Could Hajime be an offensive botnet?

Several elements can support the hypothesis of a potential massive attack launched by Hajime’s botnet.

Stealthiness:

In its infection phase, the worm tries to be as stealthy as possible, hiding its running processes and the files it downloads to the disk of the compromised IoT device. However, after the publication of Rapidity Networks’ report, the message quoted above started to be displayed on infected machines, thus canceling out all the stealth efforts made during the infection phase. This raises the question of whether Hajime was planned to reveal itself from the beginning, or whether the author changed his mind after the worm was detected.

Peer-2-Peer distributed network:

The design of a peer-to-peer network distinguishes Hajime from the others and puts the worm ahead. Usually, botnet zombies communicate with a Command & Control server that sends instructions to the enslaved bots.

DDoS attacks launched by botnets with such an architecture can be taken down by taking the Command & Control server off-line: in Mirai’s case, its IP address is hard-coded in the worm.

But when it comes to Hajime, there is no unique C&C address. In its distributed P2P network, each node acts as a server and a client at the same time. When new instructions arrive, they spread through the botnet from one node to another. Waylon Grange, a Symantec researcher, states: « this is typically considered a more robust design as it makes takedowns more difficult. »

Modularity of the code:

Hajime’s code is also modular, which allows the author to add new features at will. Since the publication of Rapidity Networks’ first report in October 2016, two attack modules have been added to its code.

Hajime no longer infects devices only through brute-force attacks against the telnet service: the worm now exploits vulnerabilities in the TR-069 protocol, used by ISPs for remote management of modems. This protocol uses TCP ports 7547 and 5555 and is vulnerable, in its NewNTPserver feature, to a flaw that allows attackers to remotely control the device. Hajime exploits this vulnerability to enroll new devices into its botnet. The second added module targets Arris cable modems. The attack exploits an undocumented library used in the modems which, acting as a backdoor, allows privileged access to the device. Although this vulnerability was published in 2009, the manufacturer never provided a fix.

Among other worms, Hajime stands out for the sophistication of its deployment and the flexibility of its code. Able to spread rapidly across different processor architectures, it has the capacity to add new features on the fly. The two added infection modules show that its code is still maintained and improved, and that it tends to add more vulnerable devices to its target panel. Combined, these factors suggest that the current version of the worm, as its name ironically means, could be only the beginning: the malware might be in its deployment phase for the moment, targeting more devices and enlarging its network, before developing new attack modules designed to launch massive attacks or perform surveillance.

White malware?

Hajime is not the only worm in its category claiming to be ethical. BrickerBot, another malware family discovered in Radware’s honeypot, uses the same attack vector as Hajime and Mirai and claims to work for the good of the Internet. Its goal, however, seems different from Hajime’s: after infection, BrickerBot destroys the IoT device, thus removing the risk of its compromise by other worms that would turn it into a cyber weapon.

This type of attack, called Permanent Denial of Service (PDoS) or phlashing, aims at damaging the system in such a way that it forces a re-installation or a hardware replacement. In April 2017, the author, using the pseudonym “Janit0r”, posted a message on Hacks Forum dispelling rumors that BrickerBot’s source code had been disclosed. He also mentioned that his worm doesn’t exploit any 0-day vulnerability.

Who is Janit0r?

Convinced that there are other ways of dealing with Mirai than destroying vulnerable IoT devices, researchers from BleepingComputer called on Janit0r to come out of the shadows.
Responding to their call, Janit0r wrote an email to the firm voicing his discontent with the poor level of security of the IoT devices that played an important role in the significant number of DDoS attacks led in the last months of 2016.

In his email, the author seems appalled by the significant number of vulnerable IoT devices infected by BrickerBot. According to Janit0r, this number reached 2 million, a figure that highlights the staggering number of IoT devices supplied by manufacturers with little to no security at all.

He explained that, contrary to what Radware states about BrickerBot, the worm’s primary purpose is not to “brick” or destroy vulnerable devices but above all to secure them. According to him, phlashing is adopted only as a plan B.

However, the researchers observed that within Radware’s honeypot the worm moves directly to plan B, destroying the device.

Janit0r added that as long as IoT manufacturers neglect the security of their ready-to-use products, and as long as security standards are not respected by manufacturers, he doesn’t plan on stopping his attacks, which he considers a chemotherapy destroying the fast-multiplying, deficient cells of a cancer that has been affecting the Internet since the end of 2016.

Conclusion

Even if they differ in their manner of operating, as BrickerBot destroys the vulnerable device while Hajime seems to limit its attack surface, both authors consider themselves ethical. But this assumption turns out to be wrong: both worms remain in the category of malware, just like Mirai. Legally, neither is legitimate, as Hajime and BrickerBot infect IoT devices without the prior consent of their owners.

Though in the case of BrickerBot the purpose of the worm is pretty clear, the reasons behind the deployment of Hajime’s botnet remain a mystery.
This raises some questions: does Hajime, as its name states, mark the start of a new era where white hats are one step ahead of black hats, or, on the contrary, is the worm announcing the early stages of future massive attacks? IoT devices have become the new battlefield of cyber-criminals, as their popularity among attackers keeps increasing because of their lack of security. Owners of IoT devices, whether professionals or residential customers, must change the default passwords and turn off telnet, SSH or any other unused service on their devices.
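One concrete way to act on the advice above, added here as an example rather than code from the article: audit what a device actually listens on and flag the ports the article ties to Mirai and Hajime (telnet on 23, the TR-069 ports 7547 and 5555, the 5358 port Hajime closes, and Hajime’s own 4636), together with anything the owner did not declare as wanted. The `ss` output is constructed for a hypothetical router; on a real device the input would be the output of `ss -Hltn` or `netstat -ltn`.

```python
# Ports the article names, with the reason each deserves a look. Any other listener
# is reported too unless the owner declares it wanted.
PORT_NOTES = {
    23: "telnet: the Mirai/Hajime brute-force entry point; disable it",
    22: "SSH: keep only if actually used, otherwise disable",
    7547: "TR-069 (CWMP) management port targeted by Hajime's TR-069 module",
    5555: "TR-069 alternate port, same exposure",
    5358: "one of the ports Hajime itself closes to keep Mirai out; confirm it is needed",
    4636: "TCP port over which Hajime fetches its second stage; should not be listening",
}

# Constructed `ss -Hltn`-style output (State Recv-Q Send-Q Local Peer) from a hypothetical router.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:7547 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 0.0.0.0:4636 0.0.0.0:*
"""


def listening_ports(ss_output: str) -> set:
    """Extract local TCP ports from ss/netstat-style LISTEN lines (IPv4, IPv6 and '*' forms)."""
    ports = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        local = cols[3]                        # e.g. 0.0.0.0:23, [::]:22, *:80
        port = local.rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def audit(ss_output: str, wanted=frozenset()) -> dict:
    """Return {port: reason} for every listening port not declared wanted. Known-risky
    ports carry the article's reason; anything else gets a generic 'confirm or disable'."""
    generic = "unexpected listener: confirm the service is needed or turn it off"
    return {
        port: PORT_NOTES.get(port, generic)
        for port in sorted(listening_ports(ss_output))
        if port not in wanted
    }


if __name__ == "__main__":
    # The owner uses the web UI on 80 and nothing else.
    for port, why in audit(SAMPLE_SS, wanted={80}).items():
        print(f"{port:5d}  {why}")
```

The allow-list is deliberate: a finding is "a service you did not ask for", which catches both the factory defaults the article blames (telnet, TR-069 left reachable) and an unexpected listener such as 4636 that would point to a device already enrolled.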

But above all, IoT manufacturers bear the prime responsibility for delivering vulnerable IoT devices that present a large attack surface. Strong measures must be applied when it comes to controlling these new cyber weapons that threaten the Internet.