A new ‘vigilante’ IoT worm that blocks rival botnets, titled Hajime (Japanese for ‘beginning’ has steadily amassed a huge P2P botnet of 300,000 compromised devices, according to Kaspersky researchers.

First revealed in a public report by RapidityNetworks in October 2016, Internet of Things (IoT) worm Hajime was soon spotted with initial samples uploaded from Spain. Researchers deem it as a ‘continuously evolving’ worm. Curiously, the Hajime IoT worm actively fights the dreaded Mirai botnet to wrestle control of low-security and easily hackable IoT devices, pointing to a vigilante operation. However, the botnet could inversely be abused by attackers as a cyber-weapon, stroking concerns among security researchers.

“The most intriguing thing about Hajime is its purpose. While the botnet is getting bigger and bigger, partly due to new exploration modules, its purpose remains unknown,” Kaspersky researchers wrote.

Hajime currency works as a propagation module, without any hint of code pointing at attack capabilities.

A piece of text displayed during intervals of downloading a new configuration file reads:

Just a white hat, securing some systems. Important messages will be signed like this! Hajime Author. Contact CLOSED Stay sharp!

“Whether the author’s message is true or not remains to be seen,” wrote Kaspersky researchers. “Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force and to update the firmware if possible.

The worm’s most frequent target is DVRs or digital video recorders. Webcams and routers. Research shows Vietnam accounting for 20% of Hajime-compromised IoT devices, followed by the likes of Taiwan, Brazil, Turkey and Korea.

Perhaps notably, the worm is hardcoded to avoid several networks including regions such as Tehran in Iran, South Africa and private networks belonging to General Electric, Hewlett Packard (HP) and the United States Postal Service, among others.

Image credit: Pixabay.