Hide and Seek, or the first botnet that is not afraid of a reboot

In late April, security researchers from Bitdefender Labs discovered a new version of the Hide and Seek (HNS) botnet, which first became known in early 2018. It uses a custom P2P protocol and is the first IoT botnet that "survives" a reboot of the device it has infected.

Here is how HNS does it and how to protect Internet of Things devices from it.



The botnet has been "playing hide and seek" with security researchers since January 10: at that time the Hide and Seek network consisted of only 12 devices. Most of them were IP cameras made by the Korean company Focus H&S, and their IP addresses were hardcoded in the bot.

The botnet then "hid" and was only seen again on January 20, by which time it already comprised 14 thousand infected devices. It went on spreading actively and infected about 90 thousand unique devices in total. Then, in April, the new version appeared.

How the botnet works


The new version contains a number of improvements to its propagation mechanisms. For example, it learned to exploit two more IP-camera vulnerabilities (details here and here), which let it escalate privileges on the system and take control of the device. In addition, HNS can identify two new device types and gain access to them by brute-forcing logins and passwords from a list of default credentials.

The HNS propagation mechanism resembles the way network worms spread. First, the bot generates a list of random IP addresses to pick its victims. Then it sends a SYN packet to each host and continues "talking" with those that respond on ports 23, 2323, 80 or 8080. Once a connection is established, the malware looks for the banner "buildroot login" and tries to authenticate with predefined credentials. If that fails, HNS runs a dictionary attack using a hardcoded list.
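The scanning loop described above has a recognisable network signature: one source sending SYNs to many unrelated destinations on exactly the ports 23, 2323, 80 and 8080. The following detector is an added example (not code from the article or from Bitdefender); it runs over firewall/netflow-style log lines in a format constructed for the example, and the thresholds are assumptions to be tuned per network.

```python
"""Flag hosts whose connection pattern matches the HNS propagation loop.

Added example, not code from the Habr article or from Bitdefender. It takes
log lines in a constructed format ('<ISO timestamp> SYN <src> -> <dst>:<dport>')
and flags a source that sends SYNs to many *distinct* destinations on the HNS
target ports within a short window: the signature of a worm-style scanner
rather than of a normal client, which talks to a handful of fixed servers.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HNS_PORTS = {23, 2323, 80, 8080}
# Thresholds are assumptions for the example; tune them per network.
MIN_DISTINCT_TARGETS = 5
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one constructed log line into (timestamp, flag, src, dst, dport)."""
    ts, flag, src, _, dst_port = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), flag, src, dst, int(dport)


def find_scanners(lines, min_targets=MIN_DISTINCT_TARGETS, window=WINDOW):
    """Return {src: distinct-target count} for sources that look like HNS scanners.

    A source is flagged when, inside any sliding time window, it SYNs to at
    least min_targets distinct destination hosts on the HNS port set.
    """
    events = defaultdict(list)            # src -> [(ts, dst)]
    for line in lines:
        ts, flag, src, dst, dport = parse_line(line)
        if flag == "SYN" and dport in HNS_PORTS:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # advance the lower edge until the window fits
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            distinct = {dst for _, dst in evs[lo:hi + 1]}
            if len(distinct) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


# Constructed sample: 10.0.0.5 behaves like an infected bot scanning random
# addresses; 10.0.0.9 behaves like a normal client reaching two web servers.
SAMPLE_LOG = [
    "2018-05-07T10:00:00 SYN 10.0.0.5 -> 203.0.113.10:23",
    "2018-05-07T10:00:01 SYN 10.0.0.5 -> 198.51.100.77:2323",
    "2018-05-07T10:00:02 SYN 10.0.0.5 -> 192.0.2.44:80",
    "2018-05-07T10:00:03 SYN 10.0.0.5 -> 203.0.113.211:8080",
    "2018-05-07T10:00:04 SYN 10.0.0.5 -> 198.51.100.3:23",
    "2018-05-07T10:00:05 SYN 10.0.0.5 -> 192.0.2.200:23",
    "2018-05-07T10:00:06 SYN 10.0.0.5 -> 203.0.113.99:443",   # not an HNS port
    "2018-05-07T10:00:10 SYN 10.0.0.9 -> 192.0.2.10:80",
    "2018-05-07T10:00:11 SYN 10.0.0.9 -> 192.0.2.10:80",
    "2018-05-07T10:00:12 SYN 10.0.0.9 -> 192.0.2.11:8080",
]

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"possible HNS scanner: {src} hit {n} distinct hosts on {sorted(HNS_PORTS)}")
```

The sliding window matters: a bot that is throttling its scan still hits many distinct hosts per minute, whereas a legitimate client that opens many connections hits the same one or two hosts, so counting distinct destinations rather than raw SYNs keeps the false-positive rate down.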

Once connected, the bot fingerprints the target device and selects the appropriate compromise method. For example, if the bot is on the same LAN as the victim, it starts a TFTP server so the target can download the malware sample directly. If the victim is out on the Internet, the bot tries various methods of remote payload delivery. All exploits are preconfigured and stored in a digitally signed memory block to prevent tampering. The list of methods can be updated remotely and pushed out to infected hosts.

Security researchers found that the botnet's arsenal includes ten binaries compiled for different platforms: x86, x64, ARM (little- and big-endian), SuperH, PPC and others.

To gain a foothold on the system, after successfully infecting the target the bot copies itself to /etc/init.d/ and registers itself to start along with the OS (interaction with the victim takes place over Telnet, since copying a binary into init.d requires root privileges). HNS then opens a random UDP port that the operators use to communicate with the device.
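That persistence trick leaves a simple trace: an ELF executable sitting among the shell scripts in /etc/init.d/. The audit below is an added example (not code from the article or from Bitdefender) showing two cheap checks that catch it, an ELF-magic check on every entry and a comparison against a baseline of expected script names and hashes; the baseline and the sample directory it builds are constructed for the example.

```python
"""Audit an init.d directory for the HNS-style persistence described above.

Added example, not code from the article or from Bitdefender. HNS copies its
own ELF binary into /etc/init.d/ so that it is started with the OS. Legitimate
entries in that directory are shell scripts (they begin with '#!'), so an
entry that begins with the ELF magic is suspicious on its own; comparing
names and hashes against a known-good baseline catches renamed or modified
scripts as well. Baseline and sample directory are constructed for the example.
"""
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"


def classify_entry(path):
    """Return 'script', 'elf' or 'other' based on the file's first bytes."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head.startswith(b"#!"):
        return "script"
    if head == ELF_MAGIC:
        return "elf"
    return "other"


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_initd(initd_dir, baseline):
    """Return a list of (entry name, reason) findings for the directory.

    baseline maps an expected script name to its expected sha256 hex digest,
    or to None when any content is accepted for that name.
    """
    findings = []
    for name in sorted(os.listdir(initd_dir)):
        path = os.path.join(initd_dir, name)
        if not os.path.isfile(path):
            continue
        if classify_entry(path) == "elf":
            findings.append((name, "ELF binary in init.d (HNS-style persistence)"))
        if name not in baseline:
            findings.append((name, "not in baseline"))
        elif baseline[name] is not None and sha256(path) != baseline[name]:
            findings.append((name, "content differs from baseline"))
    return findings


def build_sample_initd():
    """Construct a sample init.d directory with one planted bot-like ELF."""
    d = tempfile.mkdtemp(prefix="initd-")
    with open(os.path.join(d, "S10network"), "wb") as f:
        f.write(b"#!/bin/sh\n# start networking\nifup -a\n")
    with open(os.path.join(d, "S99telnetd"), "wb") as f:
        f.write(b"#!/bin/sh\ntelnetd\n")
    # A planted ELF with an innocuous-looking name, standing in for a copied bot
    # binary (only the header bytes matter for the check; constructed data).
    with open(os.path.join(d, "S90rcS"), "wb") as f:
        f.write(ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9 + b"\x02\x00\x28\x00")
    return d


# Constructed baseline: what this (hypothetical) device should ship with.
BASELINE = {
    "S10network": None,   # any content accepted for this name
    "S99telnetd": hashlib.sha256(b"#!/bin/sh\ntelnetd\n").hexdigest(),
}

if __name__ == "__main__":
    for name, reason in audit_initd(build_sample_initd(), BASELINE):
        print(f"{name}: {reason}")
```

On a real device the baseline would come from a clean firmware image, and the audit should be run from a trusted host over the device's read-only root if possible, since a bot with root on the box can just as easily tamper with a checker that runs locally.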



Other large botnets


One of the best-known IoT botnets is Mirai. Like HNS, it looked for IoT devices with open Telnet ports. Mirai's authors, fans of Minecraft and anime (Mirai means "future" in Japanese, after the manga Future Diary), carried out several powerful DDoS attacks in 2016 on websites and hosting providers' servers (in September and October) and infected about 300 thousand IoT devices (a detailed analysis of the Mirai source code can be found here).

Another well-known case is Hajime (Japanese for "beginning"). This botnet captured 300 thousand IoT devices using brute-force attacks, mostly targeting digital video recorders, webcams and routers. According to a Kaspersky Lab study, most of the infected devices were in Vietnam (20%), Taiwan (13%) and Brazil (9%). At the same time, Hajime deliberately avoided certain address ranges (including private networks and those of the US Department of Defense, Hewlett-Packard, General Electric and others).

How to protect


According to Bitdefender, the HNS botnet is still in its "growth stage": its operators are trying to capture as many devices as possible, and no attacks involving it have been carried out yet. But there is every chance that the operators will soon add attack commands to the binaries.

To protect Internet of Things devices from HNS and from botnets in general, Trend Micro security specialists recommend following these simple and fairly obvious steps:


These simple measures will protect against many of the malicious programs that "recruit" Internet of Things devices into their ranks.



Source: https://habr.com/ru/post/412997/

