A botnet (Hajime) discovered at the end of last year has grown enormously in recent weeks, but security researchers cannot explain why, because they cannot work out what it is doing.
The malicious software (malware), dubbed Hajime, was found last October, around the same time the now-infamous Mirai botnet was being used in attacks against the US internet.
The Hajime botnet has so far infected 300,000 internet-connected devices (digital video cameras, cameras and routers) and appears to carefully target specific networks, avoiding devices belonging to US government agencies. Like Mirai, the malware attacks devices that have weak or default passwords and usernames (often “admin” or “root”).
What sets the Hajime malware apart is that it closes some ports on the firewall and opens several others to create a peer-to-peer command-and-control structure.
But to date, no one is sure what the botnet is or who is behind it.
"The most interesting thing about Hajime is its purpose," security researchers at Kaspersky said in a post on their blog, adding that its purpose is "unknown."
"We haven't seen it used in any kind of attack or malicious activity," the researchers said.
All signs point to a white hat hacker, who has taken it upon himself to “secure some systems,” according to a note he leaves on each system the botnet infects.
But any botnet - even one born with good intentions - can be used for malicious purposes, either by the botnet owner or by someone else who manages to gain access.
A map showing the geographical sources of the Hajime infection. (Picture: Radware)
Radware researchers said Wednesday that the “flexible and extensible nature” of the botnet could be used for malicious purposes, such as performing DDoS attacks, spreading malware, or mass monitoring of real-time streams from web cameras.
Researchers also report that a vulnerability that was recently patched in Hajime could allow a hacker to take control of the botnet.
"Such a large botnet with such flexibility will attract the attention of competing hackers, so I think they are very likely to try to take control and take over the botnet commands."
"The vulnerability has been shut down by the developer, but it proves that malware can contain vulnerabilities," the researchers said.