New Worm Uses BitTorrent

Thursday, October 20, 2016 @ 04:10 PM gHale

There is a new worm designed to target Internet of Things (IoT) devices.

In a move to capture a Mirai sample, researchers at Rapidity Networks set up honeypots and, instead, found a new IoT worm that is similar.

Sierra Wireless Mitigations Against Mirai
Botnet Hunts for IoT Devices
Switch in Malware Distribution
3 Botnets Unite in Huge DDoS Attack

Since “Mirai” is the Japanese word for “future,” Rapidity Networks decided to name the new piece of malware “Hajime,” which in Japanese can mean “beginning.”

Rapidity Networks found the first sample October 5, but the timestamp of a configuration file suggests the threat has been around since at least September 26. In addition, one of the libraries used by the malware is dated before 2013, which researchers said could indicate Hajime has been in development for several years.

Similar to Mirai, Hajime scans the Internet in search of devices running the Telnet service and attempts to access them using a predefined list of common username and password combinations.

Hajime uses a decentralized, peer-to-peer (P2P) network to receive updates and configuration files.

Rapidity said the worm uses BitTorrent’s DHT (Distributed Hash Tables) protocol for peer discovery and the uTorrent Transport Protocol (uTP) for data exchanges.

“For information exchange, Hajime piggybacks on BitTorrent’s DHT overlay network,” said Sam Edwards and Loannis Profetis, researchers said in a blog post. “To transfer files with its peers, Hajime uses the uTP implementation found in libutp. Hajime downloads files in a custom format which often contain payloads compressed with the LZ4 algorithm, and thus includes the decompression function from the LZ4 project.”

Rapidity Networks has only spotted one Hajime module, which the worm uses to spread from one device to another. The purpose of the botnet remains unclear, but experts believe it can end up used for DDoS attacks, as a distribution platform for other payloads, or to steal sensitive data from other machines housed by the same network as the Hajime-infected device.

“Malicious actors typically use botnets like these to perpetrate distributed denial of service (DDoS) attacks against internet hosts, flooding them with an overwhelming barrage of traffic until the host goes offline,” said Edwards and Profetis. “It is likely that Hajime’s author ultimately intends to weaponize Hajime in this way and monetize on selling DDoS services to clients. The author could also monetize on a botnet of this scale by using it as a distribution platform for other payloads, selling “deployment services” for future botnets.”

Leave a Reply

You must be logged in to post a comment.