The Hide and Seek botnet has a “worm-like spreading mechanism.” First it generates a random list of IP addresses. Then it initiates a raw socket SYN connection to each host on specific destination ports (23, 2323, 80, and 8080).
“Once the connection has been established, the bot looks for a specific banner (‘buildroot login:’) presented by the victim,” Botezatu wrote. “If it gets this login banner, it attempts to log in with a set of predefined credentials. If that fails, the botnet attempts a dictionary attack using a hardcoded list.”
It then uses different techniques to infect a device, depending on whether it is on the same LAN as the bot or is on the internet.
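From the defender's side, the spreading behaviour described above has a recognisable signature: one source sending SYN-only probes to many distinct hosts on ports 23, 2323, 80 and 8080. The following is an added example, not code from the article or from Bitdefender's analysis, that flags such sources in a flow log; the log format, the sample records and the threshold of five distinct targets are assumptions.

```python
import re
from collections import defaultdict

# Destination ports the article says the bot probes with raw-socket SYN packets.
HNS_SCAN_PORTS = {23, 2323, 80, 8080}

# Constructed sample flow records (not real traffic): "src dst dport tcp_flags".
# 10.0.0.5 fans out SYN-only probes to many hosts (scan-like);
# 10.0.0.9 completes handshakes (SA) with a single host (benign).
SAMPLE_FLOWS = """\
10.0.0.5 198.51.100.1 23 S
10.0.0.5 198.51.100.2 2323 S
10.0.0.5 203.0.113.7 80 S
10.0.0.5 203.0.113.8 8080 S
10.0.0.5 192.0.2.44 23 S
10.0.0.5 192.0.2.45 23 S
10.0.0.5 192.0.2.46 22 S
10.0.0.9 203.0.113.7 80 SA
10.0.0.9 203.0.113.7 80 SA
10.0.0.9 203.0.113.7 80 SA
10.0.0.9 203.0.113.7 80 SA
10.0.0.9 203.0.113.7 80 SA
10.0.0.9 203.0.113.7 80 SA
"""

FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def parse_flows(text):
    """Yield (src, dst, dport, flags) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4)


def find_syn_scanners(text, min_targets=5):
    """Return {src: sorted distinct destinations} for every source whose
    SYN-only flows (flag string exactly 'S', i.e. no handshake completed)
    on the HNS probe ports reach at least min_targets distinct hosts.
    Port 22 in the sample is deliberately ignored: it is not one of the
    ports the article names."""
    targets = defaultdict(set)
    for src, dst, dport, flags in parse_flows(text):
        if dport in HNS_SCAN_PORTS and flags == "S":
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}
```

A real deployment would key on distinct destinations per source within a time window rather than over a whole file, and would treat a hit as a lead for checking the source device for telnet exposure and default credentials.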
And it comes with its own self-protective security features. “These exploitation techniques are preconfigured and are located in a memory location that is digitally signed to prevent tampering. This list can be updated remotely and propagated among infected hosts,” Botezatu wrote.
As botnets go, Hide and Seek would be relatively small if it stayed in the 30,000 to 40,000 range of infected devices. The first DDoS attack of more than 1Tbps, against hosting provider OVH, was reported in October 2016 and used an estimated 146,000 cameras and DVRs.
But Clark said the aim of botnets, as well as other attack methods, is increasingly to capture PII (personally identifiable information) and banking information. “It is a digital world, and in this world data is money,” he said.
Further, botnets like this can adapt and redesign themselves. This ability should be a stark warning to developers of IoT devices and systems that they need to up their game. As Elizabeth Montalbano, writing in the Security Ledger, put it, “The next-level security demands of the new interconnected-device paradigm are nowhere close to being met.”