So far my testing show that only mipsbe devices are getting exploited. Anyone notice other architectures affected?
I haven't, though fully-fleshed example exploits of this vulnerability were released for both mipsbe and x86 earlier this month, and Hajime supports mipsbe, x86, and arm, so it is at least *likely* that an x86 version exists but that there simply aren't enough x86 ROS boxes out there for it to spread at the same rate. If the author simply lifted the exploits from the examples that were released, then that means it's unlikely that arm, powerpc, or tile are being infected, both because it would require some additional/original work on the author's part for arm support and also because AFAIK Hajime doesn't even have binaries for powerpc or tile at this time.
Also all of the devices actually required reboot to get the exploit part going, from what i read here i had idea that everything will happen straight away...
I'm not sure if it executes straight away or only does so after a reboot. As I implied in a prior post, I have been able, as a test, to copy the Hajime loader onto a clean device and run it manually, and it will start up and run; however it will not install the rc.d (startup) script itself, so whatever host is pushing the Hajime loader onto the device is also pushing the rc.d script onto it. If you only put the actual Hajime binary onto a device and run it, it will not automatically start up after reboot.
It's possible that the host pushing the infection is 1) copying Hajime binary to device, 2) copying Hajime rc.d script to device, and then 3) issuing reboot command to device, starting it that way. There is no reason why it would have to issue reboot, though, instead of just start up the Hajime process straight away.
-- Nathan