Hajime vs. Mirai, A Botnet Battle?

By MDL on April 21, 2017

The Hajime worm spreading through unsecured IoT devices seems to be purposely making them more secure.

Hajime vs Mirai

Last October, the Mirai botnet launched the largest ever distributed denial of service (DDoS) attacks against DNS provider Dyn, causing websites like Amazon, Twitter, and PayPal to be inaccessible for several hours across the US and Europe.

Like Mirai, Hajime was also first discovered in October of 2016. Like Mirai, Hajime illegally infects unsecured IoT devices like webcams, DVRs, routers, and web-connected baby monitors that use default passwords and have an open Telnet port. Although Hajime targets the same devices and even uses the same list of default usernames and passwords as Mirai, the distinction is that Hajime has not yet been used to cause any disruption or destruction even though it is estimated to have infected at least 10,000 devices with many infections in Brazil, Iran, Russia, Thailand, Turkey, Vietnam, China, Taiwan, Argentina, and Australia.

Other than the code it used to spread itself to vulnerable devices, Hajime does not include any other malicious code for launching attacks, including DDOS attacks, at this time. In fact, Hajime appears to be making the devices it infects more secure by closing ports known to be vulnerable on IoT devices like ports 23 (Telnet), 5358 (WSDAPI), 5555 (Oracle Web Center Content/Freeciv), and 7547(CWMP). With port 23 and other Mirai-targeted ports closed, Mirai cannot infect a device already controlled by Hajime.

Waylon Grange, senior Threat Researcher at Symantec, describes Hajime as “stealthier and more advanced in comparison to Mirai.” Marshall Web, CTO of BackConnect, a DDoS protection service, described Hajime as “Mirai on steroids” and estimates that the botnet may have infected up to 100,000 devices worldwide. For resilience, Hajime uses a peer-to-peer network to issue commands from infected device to infected device instead of the command and control (C&C) server style used by Mirai. This makes Hajime more difficult to block because ISPs and other providers can’t simply block the IP addresses known to be associated with the C&C server to cut off commands. For stealthiness, Hajime makes the extra effort to cover its tracks by concealing its running processes and files.


In a move contrary to that stealthiness, a cryptographically signed message displays on the terminal of Hajime-infected devices every 10 minutes:

“Just a white hat, securing some systems.

Important messages will be signed like this!

Hajime Author.

Contact CLOSED Stay sharp!”

Even though the author declares him/herself to be a “white hat,” an ethical hacker, can we be sure that Hajime will not be used for malicious purposes at a later date? We cannot.

Botnets are often used to for financial gain. A botnet’s owner may sell or rent control of this large network of infected devices to the highest bidder to do whatever tasks the buyer requires: causing DDoS attacks, sending out spam, or creating other disruption online.

Hajime is many things, but it is not very persistent. Because the changes made by Hajime are only made in RAM and not to the firmware, once an infected device is restarted, the changes are lost.


IoT devices should be secured to protect them from being accessed without permission.

At a minimum: 1) Change default usernames and passwords, 2) Disable or secure unused services, ports, and remote access, 3) Update firmware regularly.

The idea of a white hat vigilante hacker working altruistically for the good of all is comforting, but it may cause a false sense of security. We cannot be sure that a botnet that appears benign today will not be used maliciously tomorrow.     


Symantec, Hajime worm battles Mirai for control of the Internet of Things. Ars Technica, Vigilante botnet infects IoT devices before blackhats can hijack them. Graham Cluley, The Hajime IoT worm fights the Mirai botnet for control of your devices. The Hacker News, To Protect Your Devices, A Hacker Wants To Hack Them Before Someone Else Does. Dyn, Dyn Analysis Summary Of Friday October 21 Attack.