In an IoT-filled World, it's Time to Be Alert in the Wake of 'Hide 'n Seek'

Earlier this year, an Internet of Things (IoT) botnet took its time going viral - it even disappeared for 10 days - but once it got back in gear, it spread worldwide in a matter of days.

Hence the name - HNS or "Hide and Seek" - that researchers at Bitdefender Labs gave it after they first spotted it on Jan. 10, then watched it, "fade away in the following days, only to re-emerge on Jan. 20 in a significantly improved form."

Bogdan Botezatu, a Senior Threat Analyst, wrote on the Bitdefender blog that it started as a 12-device network involving IP cameras in a corner of South Korea, and when it re-emerged it spread around the world to take control of 32,312 devices by Jan. 26.

He wrote that the bot, "was intercepted by our IoT honeypot system following a credentials dictionary attack on the Telnet service."

As of this writing, Bitdefender had not published an update on whether HNS had spread further, and did not respond to a request for comment. But a Jan. 26 update said it, "seems to undergo massive development as new samples compiled for a variety of architectures have been added as payloads."

If there is any good news it is that, like other IoT botnets, it "cannot achieve persistence," which means a user can get rid of the malware simply by rebooting the device.

But even that isn't long-term good news. Chris Clark, Principal Security Engineer of Strategic Initiatives at Synopsys, said rebooting, "is only part of the answer. If the machine was infected before it will be again. If you do not mitigate, a reboot is just a delaying action."

And most of the other findings are that it is both more interesting and potentially more malevolent than those that have been around for years and are generally used for DDoS attacks.

Those can be damaging enough - witness the attack on Internet backbone service provider Dyn in October 2016 by the Mirai botnet that brought down the websites of 80 major Internet companies including Amazon, PayPal, and Twitter.

But HNS and other, more recent, botnets like Mirai, Reaper, and Hajime are designed for more than DDoS attacks. Botezatu wrote that HNS has, "greater levels of complexity and novel capabilities such as information theft - potentially suitable for espionage or extortion," adding that, "it is also worth noting that the botnet is undergoing a constant redesign and rapid expansion."

HNS is only the second (Hajime was the first), to have a decentralized, peer-to-peer (P2P) architecture. But Botezatu said HNS is the first of its kind in another way. The functionality of Hajime is based on the BitTorrent protocol, while in the case of HNS, "here we have a custom-built P2P communication mechanism."

How Does the Hide and Seek Botnet Infect Devices?

It has a "worm-like spreading mechanism," that generates a random list of IP addresses and then initiates a raw socket SYN connection to each host on specific destination ports (23, 2323, 80, and 8080).

"Once the connection has been established, the bot looks for a specific banner ('buildroot login:') presented by the victim," Botezatu wrote. "If it gets this login banner, it attempts to log in with a set of predefined credentials. If that fails, the botnet attempts a dictionary attack using a hardcoded list."

It then uses different techniques to infect a device, depending on whether it is on the same LAN as the bot or is on the Internet.

And it comes with its own, self-protective security features: "These exploitation techniques are preconfigured and are located in a memory location that is digitally signed to prevent tampering. This list can be updated remotely and propagated among infected hosts," Botezatu wrote.

As botnets go, HNS would be relatively small if it stayed in the 30,000 to 40,000 range of devices infected. The first DDoS attack of more than 1Tbps, against hosting provider OVH, was reported in October 2016 and had used an estimated 146,000 cameras and DVRs.

But Clark said the trend in botnets, as well as other attack methods, is increasingly aimed at capturing PII (personally identifiable information) and banking information. "It is a digital world, and in this world, data is money," he said.

And the ability of botnets like this to adapt and redesign themselves should be yet another stark warning to developers of IoT devices and systems that they need to up their game. As Elizabeth Montalbano, writing in the Security Ledger, put it,

"the next-level security demands of the new interconnected-device paradigm are nowhere close to being met."

Still, for those already using the billions of devices that comprise the massive IoT attack surface, there are ways to fight back: "Monitor, monitor, monitor," he said, noting that this includes things like keeping detection systems up-to-date, using outside sources to monitor exfiltration points for odd activity, and patching OSs and software.

"The key is to be aware of the challenges you are facing and keep from burying your head in the sand thinking that no one will go after me. You may not know it, but one of your devices may be part of a botnet right now," he said.