IEEE Access (Jan 2024)

A Baseline Investigation Into the Evolution and Prevalence of Mirai and Hajime Utilizing a Network Telescope

  • Son Pham Anh,
  • Yasuhiro Nakamura

DOI
https://doi.org/10.1109/ACCESS.2024.3434555
Journal volume & issue
Vol. 12
pp. 103789 – 103809

Abstract

In recent years, with the advancement of information technology and digital transformation, the number of IoT devices has been rapidly increasing. Despite efforts to raise awareness and encourage users to enhance security for these IoT devices, a large number of them remain connected to the Internet with poor security, using simple passwords or default credentials. These insecure IoT devices unintentionally become useful tools for malicious actors. By utilizing worm-type malware, a type of malware capable of rapid infection, attackers can infiltrate and control numerous devices in a very short period. Once compromised, these IoT devices are used in network attacks such as DDoS or malware propagation. Two representatives of modern worm-type malware have continuously attracted attention since their appearance: Mirai and Hajime. Specifically, Mirai is a highly infectious malware that has caused numerous DDoS attacks, resulting in significant financial and reputational damage to several corporations and businesses. Hajime is also a powerful malware, with a propagation principle similar to Mirai's. As with past investigations into malware such as Code Red, SQL Slammer and Conficker, previous studies of these two malware families were based on statistical analysis of the number of infected IP addresses within fixed time frames or geographical locations. However, relying on this simple statistical method, previous studies did not assess the persistence, intermittency, or variations in the infection process of each IoT device. As a result, they gave an incomplete picture of the infection process and did not accurately reflect the changes in the numbers of Mirai and Hajime infections.
To collect comprehensive information and make accurate assessments that reflect the infection status, variations, and characteristics of Mirai and Hajime during the infection process, this study applies a new investigation method and evaluation index to data collected from a network telescope in darknet space. The results reveal the changes in, and assess the infection scale of, Mirai and Hajime since their appearance. Additionally, our research has identified the update time of Hajime, estimated the current number of infected devices, and quantitatively evaluated the impact of Hajime on the infection activities of Mirai.

Keywords