CCTV systems, routers, digital video recorders and other internet-of-things (IoT) devices are now believed to be harbouring the Hajime worm.
The fast-moving worm is currently outpacing malicious equivalents seeking the same vulnerable gear. Security researchers say they do not know who created Hajime or how it might ultimately be used.
Hajime was first discovered in October 2016 and, said security researchers, had been hunting down IoT devices with security vulnerabilities that could be exploited by a different worm, called Mirai.
Chris Doman, security researcher at AlienVault, said: “I can see why a frustrated security expert might take the opportunity to take things into their own hands. Laws have been very slow to respond to the threat posed by insecure IoT devices. But it's very risky. What if Hajime infected a piece of critical infrastructure and bricked it?
"Similar things have happened before. Back in 2001 the "good" Code Green worm went around patching systems vulnerable to the Code Red worm.
"This appears to be ongoing, with new command and control servers identified as recently as today.”
Itsik Mantin, director of Security Research at Imperva, adds: “This is another example for the Internet of Things being a Botnet of Things, with another malware that distributes like wildfire in the Internet, even if the number of infected devices is less than the claimed 100,000.
"What most disturbs me here is the fact that this trend is likely to stay with us for at least a couple of years. Existing botnets remain active until the devices are patched or retired, which in IoT devices can take years. Moreover, new connected devices are still being released to the field without adequate protection, providing easy prey for the next IoT worm.
"The power of this number of bot soldiers can be used in many various ways. Are we expected to see from this botnet intensive DDoS attacks on victim web servers like Mirai, distributed brute force attempts on login pages, or scanning web sites for SQL injection vulnerabilities? With botnets becoming a commodity, and the botnet-for-hire market flourishing, my guess is that we will see some of all of the above.”
Mark James, IT Security specialist at ESET, noted: “IoT is and will be for a while a top level target for malware. Because of the nature of “plug and play” we like our devices to do exactly that, plug them in, click as few buttons as possible and then wait for it to work.
"Once that’s done depending on the device it will be placed wherever it’s going to stay and possibly won’t be touched again until it breaks or needs a new home. If you then factor in mass produced low cost versions then you have an awful lot of devices with default usernames and passwords that will never be changed, giving free rein for malware to find a nice dark hiding place and may never be detected.
"To keep your IoT devices secure you must ensure you’re using unique passwords and where possible only connect them to a secure Wi-Fi network (better still only wired), disable any services or ports you’re not using and ensure the device is always kept up to date. You should also consider updating your device if it’s not being maintained regularly by its manufacturer."