An emerging botnet comprised of compromised IoT devices dubbed “Hide ‘N Seek” or HNS is using custom built Peer-to-Peer communication to exploit victims and build its infrastructure. The botnet may also represent an overall change in how threat actors are looking to use botnets.
Bitdefender researchers first spotted the botnet on 10 January before it disappeared for a few days only to return 10 days later in a significantly improved form. Before long, the botnet had spread from Asia to the United States with over 18,000 bots and counting, according to a Bitdefender blog post.
The botnet also uses multiple anti-tampering techniques to prevent a third party from hijacking or poisoning and can perform web exploitations against a series of devices via the same exploit as CVE-2016-10401 and other vulnerabilities against networking equipment.
HNS also embeds a plurality of commands such as data exfiltration, code execution and interference with a device's operation. The botnet also features a worm-like spreading mechanism that randomly generates a list of IP addresses to get potential targets.
Hide ‘N Seek is the second known botnet to date, after Hajime, that has a decentralised, peer-to-peer architecture. Bitdefender Senior E-threat Analyst Bogdan Botezatu said the virulence of the Hide ‘N Seek botnet shows how easy it is for cyber-criminals to take over IoT devices.
“It also shows that cyber-criminals are looking into (or experimenting with) decentralised botnet architectures to prevent possible takedowns,” Botezatu said. “Last but not least, it also shows that botmasters are looking at changing the consecrated business model of IoT botnets, moving them away from DDoS and into cyber-espionage.”
Botezatu added that it is interesting that while most IoT botnet have a DDoS component, HNS overcompensates for the lack of the feature with file theft. In addition to the botnets exploits, HNS employs a large dictionary attack which Botezatu described as possibly the largest dictionary attack he has seen in the IoT space to date.
Ashley Stephenson, chief executive officer of Corero Network Security, told SC Media the botnet seems to be targeting devices running a particular distribution of Linux called “buildroot” since it's looking for a login prompt that includes that string ("buildroot login”). She added that the botnet seems to spread from one botnet to another.
“It's interesting that it will try TFTP or WEB downloads (the bot acting as the server to load the virus into the victim) based on whether the bot is on the same LAN as the victim,” Stephenson said. “This suggests that the author knows that TFTP is likely to be available on this Linux distribution.”
Furthermore the botnet digitally signs all its communications so that it can't be neutralised that way. Stephenson said the botnets features are worth noting as they are thought out and practical. She said the criminals behind the botnet borrowed from academics of distributed search theory and applied the methods to the dark side, some which could also come straight from Peer to Peer networking.
“One of the interesting components is collaborative/community nature of some of the commands, eg asking your neighbouring bots (six degrees of Kevin Bacon – five hops away) to help search for something and also have them recruit/ask other bots to join the search,” Stephenson said.
The evolution of the botnet demonstrates how much threat actors are willing to invest in time and effort to develop more sophisticated and self-preserving botnets and both Stephenson and Botezatu expect to see more efforts like this with future botnets in the foreseeable future.