IoT Malware Arms Race Heats up with Hajime Worm Entrant
Researchers have uncovered a new worm that is infecting thousands of IoT devices and trying to take the Mirai botnet’s corner.
The Hajime worm has been active for several months at least, but it’s only recently that it has begun attracting much attention. The malware shares quite a few characteristics with the famous Mirai malware, including the use of open Telnet connections to spread. Hajime also takes advantage of the default usernames and passwords that are used on many insecure IoT devices to gain access to them. But, unlike Mirai, Hajime seems to have some non-malicious behaviors, as well.
After it has gained access to a new device, the malware performs a number of actions, including trying to hide itself and its files. But the most interesting behavior Hajime exhibits is locking down a number of ports that Mirai uses to infect devices. In effect, the Hajime author is trying to block Mirai from spreading to new devices. On a newly infected device, Hajime will show a message every few minutes that says, in part, “Just a white hat, securing some systems.”
“The above message is cryptographically signed and the worm will only accept messages signed by a hardcoded key, so there is little question that this message is from the worm’s true author. However, there is a question around trusting that the author is a true white hat and is only trying to secure these systems, as they are still installing their own backdoor on the system. The modular design of Hajime also means if the author’s intentions change they could potentially turn the infected devices into a massive botnet,” Waylon Grange of Symantec wrote in an analysis of the Hajime malware.
Right now, Hajime doesn’t include a module to perform DDoS attacks, something that has been a hallmark of the Mirai botnet. But, as Grange noted, that could change at any time. And the positive effects that Hajime has on infected devices — closing the ports that Mirai uses for infection — are temporary. As soon as an infected device is rebooted, those ports will be open again and the device will be an easy target. Unless and until the firmware on the device is patched, this cycle could repeat over and over. And most users aren’t in the habit of patching their DVRs or refrigerators, assuming an updated firmware image is even available.
“One day a device may belong to the Mirai botnet, after the next reboot it could belong to Hajime, then the next any of the many other IoT malware/worms that are out there scanning for devices with hardcoded passwords. This cycle will continue with each reboot until the device is updated with a newer, more secure firmware,” Grange said.
The creator of Hajime seems to be well aware of the attention the malware is getting in the security research community. Researchers from Rapidity Networks published a detailed analysis of the malware in October, breaking down the behavior and features of the worm. The paper also points out several problems with the malware’s code.
“It appears that the worm’s author took note. Now, each of the noted bugs has been fixed and none of the signatures still work. It appears that the report, in a way, served as free quality assurance for the worm’s author; showing them what bugs they still needed to fix,” Grange said.
Given the explosive growth of IoT devices and the lack of security in most of them, it stands to reason that Mirai and Hajime are likely just the vanguard of what could be a legion of similar worms and malware strains coming in the near future.