New IoT botnet infects over 20,000 devices using P2P communication
A new emerging botnet has been spotted by security researchers that uses custom-built
peer-to-peer communication to exploit victims, ensnare new IoT devices and continue
building its infrastructure. Dubbed Hide N’ Seek or HNS, the bot was rst spotted by
researchers at Bitdefender Labs on 10 January before it disappeared for a few days.
However, it returned 10 days later on 20 January in a new and significantly improved
form, researchers said.
“The HNS botnet communicates in a complex and decentralized manner and uses multiple
anti-tampering techniques to prevent a third party from hijacking/poisoning it,”
Bitdefender researchers wrote in a blog post published on Wednesday (24 January). “The
bot can perform web exploitation against a series of devices via the same exploit as
Reaper (CVE -2016-10401 and other vulnerabilities against networking equipment).”
HNS can also carry out multiple commands including data extration, code execution and
interference with a device’s operation. Featuring a worm -like mechanism that can
randomly generate a list of IP addresses to get potential targets, the bot initiates a raw
socket SYN connection to every device listed and tries to establish a connection.
Once successful, the bot looks for the “buildroot login” banner presented by the device and
tries to login using a set of predened credentials. If it can’t, it attempts to brute force its
way through using a dictionary attack that uses a hardcoded list to crack the device’s
passcode. After it establishes a new session with the infected device, the bot attempts to
identify the target device and gure out how best to compromise it.
“For example, if the victim has the same LAN as t he bot, the bot sets up TFTP server to
allow the victim to download the sample from the bot,” researchers explain. “If the victim
is located on the internet, the bot will attempt a specific remote payload delivery method
to get the victim to download and r un the malware sample. These exploitation techniques
are precongured and are located in a memory location that is digitally signed to prevent
tampering. This list can be updated remotely and propagated among infected hosts.”
Once a device is infected, hackers behind the botnet can use commands to control it.
Since it re -emerged on 20 January, the botnet has swelled from an initial 12 compromised
devices to more than 20,000 at the time of writing. However, they noted that like most
IoT botnets, this one cannot establish persistence on infected devices. With a simple
device reboot, the malware can be automatically removed from the compromised device.
Researchers observed that the devices targeted involved IP cameras manufactured by an
unspecified Korean comp any. They also noted that HNS isn’t the rst IoT botnet to use
peer-to-peer communication to spread to other targets. “It i s the second known IoT botnet
to date, after the notorious Hajime botnet, that has a decentralized, peer -to-peer
architecture,” Bitdefender wrote. However, if in the case of Hajime, the p2p functionality
was based on the BitTorrent protocol, here we have a custom-built p2p communication
Interestingly, researchers noted that their analysis of the Hide ‘N’ Seek bot revealed it can
be leveraged for far more nefarious activities than launching DDoS attacks. “While IoT
botnets have been around for yea rs, mainly used for DDoS attacks, the discoveries made
during the investigation of the Hide and Seek bot reveal greater levels of complexity and
novel capabilities such as information theft – potentially suitable for espionage or
extortion,” they wrote. “It is also worth noting that the botnet is undergoing constant
redesign and rapid expansion.”