The Hide and Seek botnet goes after some of the billions of devices that compose the IoT attack surface. Learn how to defend IoT devices against botnets.
A relatively new Internet of Things (IoT) botnet took its time going viral. It even disappeared for 10 days. But once it got back in gear, it spread worldwide in a matter of days.
Hence the name “Hide and Seek,” or HNS, which researchers at Bitdefender Labs gave it after they first spotted it on Jan. 10, then watched it “fade away in the following days, only to re-emerge on Jan. 20 in a significantly improved form.”
Bogdan Botezatu, senior threat analyst, wrote on the Bitdefender blog that the Hide and Seek botnet started as a 12-device network involving IP cameras in a corner of South Korea. When it re-emerged, it spread around the world to take control of 32,312 devices by Jan. 26.
He wrote that the bot “was intercepted by our IoT honeypot system following a credentials dictionary attack on the Telnet service.”
As of this writing, Bitdefender had not published an update on whether Hide and Seek had spread further. The organization did not respond to a request for comment. But a Jan. 26 update said the botnet “seems to undergo massive development as new samples compiled for a variety of architectures have been added as payloads.”
If there is any good news it is that Hide and Seek, like other IoT botnets, “cannot achieve persistence.” That means a user can get rid of the malware simply by rebooting the device.
But even that isn’t long-term good news. Chris Clark, principal security engineer, strategic initiatives, at Synopsys, said rebooting “is only part of the answer. If the machine was infected before it will be again. If you do not mitigate, a reboot is just a delaying action.”
And the findings suggest that Hide and Seek is both more interesting and potentially more malevolent than botnets that have been around for years and are generally used for DDoS attacks.
Those can be damaging enough. Witness the attack on Internet backbone service provider Dyn in October 2016 by the Mirai botnet that brought down the websites of 80 major Internet companies including Amazon, PayPal, and Twitter.
But HNS and other more recent botnets like Mirai, Reaper, and Hajime are designed for more than DDoS attacks. Botezatu wrote that Hide and Seek has “greater levels of complexity and novel capabilities such as information theft—potentially suitable for espionage or extortion.” He added that “it is also worth noting that the botnet is undergoing constant redesign and rapid expansion.”
HNS is only the second IoT botnet (Hajime was the first) to have a decentralized, peer-to-peer (P2P) architecture. But Botezatu said HNS is the first of its kind in another way. The functionality of Hajime is based on the BitTorrent protocol. However, in the case of Hide and Seek, “here we have a custom-built P2P communication mechanism.”
The Hide and Seek botnet has a “worm-like spreading mechanism.” First it generates a random list of IP addresses. Then it initiates a raw socket SYN connection to each host on specific destination ports (23, 2323, 80, and 8080).
“Once the connection has been established, the bot looks for a specific banner (‘buildroot login:’) presented by the victim,” Botezatu wrote. “If it gets this login banner, it attempts to log in with a set of predefined credentials. If that fails, the botnet attempts a dictionary attack using a hardcoded list.”
It then uses different techniques to infect a device, depending on whether it is on the same LAN as the bot or is on the internet.
And it comes with its own, self-protective security features. “These exploitation techniques are preconfigured and are located in a memory location that is digitally signed to prevent tampering. This list can be updated remotely and propagated among infected hosts,” Botezatu wrote.
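The spreading mechanism described above (random target list, raw SYNs to ports 23, 2323, 80 and 8080, then a Telnet login attempt) leaves a clear network-side trace: an infected device suddenly fans out to many hosts it has never talked to, on exactly those ports. The following detector is an added example, not code from the article or from Bitdefender. It assumes a simple, constructed firewall flow-log format (timestamp, source, destination, destination port, TCP flags) and flags any source whose SYN fan-out on the HNS ports exceeds a threshold of distinct destinations within a time window; the log format, field names, window and threshold are all assumptions.

```python
"""Flag worm-like outbound scanning on the ports Hide and Seek probes.

Added example (not Bitdefender's or the article's code). It parses a
constructed firewall flow log and reports any internal source that sends
SYNs to many distinct destinations on ports 23, 2323, 80 or 8080 within a
short window. The log format and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Ports Hide and Seek probes, per the Bitdefender write-up quoted above.
HNS_PORTS = {23, 2323, 80, 8080}

# Constructed log lines in an assumed "ts src dst dport flags" format.
# 10.0.0.7 behaves like a spreader; 10.0.0.9 and 10.0.0.12 are benign.
SAMPLE_LOG = """\
2018-01-26T10:00:00 10.0.0.7 203.0.113.5 23 S
2018-01-26T10:00:00 10.0.0.7 198.51.100.9 2323 S
2018-01-26T10:00:01 10.0.0.7 192.0.2.44 80 S
2018-01-26T10:00:01 10.0.0.7 192.0.2.45 8080 S
2018-01-26T10:00:02 10.0.0.7 203.0.113.77 23 S
2018-01-26T10:00:02 10.0.0.7 198.51.100.101 23 S
2018-01-26T10:00:03 10.0.0.9 192.0.2.10 443 S
2018-01-26T10:00:03 10.0.0.9 192.0.2.10 443 A
2018-01-26T10:00:04 10.0.0.12 203.0.113.5 80 S
2018-01-26T10:05:30 10.0.0.7 203.0.113.200 23 S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<flags>\S+)$"
)


def parse_flows(text):
    """Yield (timestamp, src, dst, dport, flags) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (
            datetime.fromisoformat(m["ts"]),
            m["src"],
            m["dst"],
            int(m["dport"]),
            m["flags"],
        )


def find_scanners(text, window=timedelta(seconds=60), threshold=5):
    """Return {src: max_distinct_destinations} for sources whose SYN fan-out
    to HNS_PORTS reaches `threshold` distinct destinations inside `window`.

    A legitimate device rarely opens Telnet or HTTP to many new hosts
    within a minute; a worm-style spreader does exactly that.
    """
    # src -> list of (ts, dst) for pure SYNs (no ACK) on the watched ports
    events = defaultdict(list)
    for ts, src, dst, dport, flags in parse_flows(text):
        if "S" in flags and "A" not in flags and dport in HNS_PORTS:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window: evs[start:end+1] always spans at most `window`.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: SYNs to {n} distinct hosts on HNS ports within 60s")
```

On the constructed sample only 10.0.0.7 is reported (six distinct hosts in under a minute); the late 10:05:30 probe falls outside the window and does not inflate the count. In a real deployment the window and threshold need tuning against the device population, and a hit is a cue to isolate the device, reboot it (which the article notes clears this non-persistent malware) and then close the Telnet exposure that let it in, since a reboot alone is only a delaying action.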
As botnets go, Hide and Seek would be relatively small if it stayed in the 30,000 to 40,000 range of infected devices. The first DDoS attack of more than 1 Tbps, against hosting provider OVH, was reported in October 2016 and used an estimated 146,000 cameras and DVRs.
But Clark said the aim of botnets, as well as other attack methods, is increasingly to capture PII (personally identifiable information) and banking information. “It is a digital world, and in this world data is money,” he said.
Further, botnets like this can adapt and redesign themselves. This ability should be a stark warning to developers of IoT devices and systems that they need to up their game. As Elizabeth Montalbano, writing in the Security Ledger, put it, “The next-level security demands of the new interconnected-device paradigm are nowhere close to being met.”
Those using the billions of devices that compose the massive IoT attack surface can fight back. “Monitor, monitor, monitor,” Clark said. He noted that this includes things like keeping detection systems up to date, using outside sources to monitor exfiltration points for odd activity, and patching operating systems and software.
“The key is to be aware of the challenges you are facing and keep from burying your head in the sand thinking that no one will go after you. You may not know it, but one of your devices may be part of a botnet right now,” he said.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.