Bitdefender researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise, with plenty of improvements on the propagation side.
The botnet has infected a large number of unique devices since it was first detected.
The Hide’n’Seek IoT botnet has received an update to make its infection persist on infected devices beyond a restart, Bitdefender reports.
The new version of the botnet is the world's first to communicate through a custom-built peer-to-peer protocol and the first bot with the ability to survive a reboot.
It also includes additional binaries that leverage new vulnerabilities to compromise more IPTV camera models, and it detects two new device types and their default credentials.
Bitdefender researchers found that the new version of the Hide and Seek botnet targets generic devices and scans for the Telnet service. If the service is found, it attempts a brute-force login.
Though persistence is fairly common for traditional botnets that target PCs, a device that is part of a botnet targeting the Internet of Things (IoT) can often be ‘cleaned’ simply by rebooting it. Bitdefender believes Hide’n’Seek to be the first IoT botnet to be able to survive reboots, just as it was the first to use a custom peer-to-peer protocol.
If the login succeeds, it locks down access to port 23 to prevent the device from being hijacked by a competing botnet.
It attacks a wide range of devices and architectures; researchers said "the bot has 10 different binaries compiled for various platforms including x86, x64, ARM (Little Endian and Big Endian), SuperH, PPC and so on".
Hide and Seek malware starts with the OS
To achieve persistence, the malware copies itself into /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems like the ones on routers and IoT devices, and registers itself to start with the operating system. It also opens a random UDP port, which allows the attackers to establish communication with the device.
Because the malware is placed in this directory, the device's OS automatically starts its process after the next reboot.
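As an added example, not from the article or from Bitdefender's report, here is a defender-side check for the persistence trick just described: it scans an init.d directory for entries that look like a dropped bot copy (an ELF executable where a shell script belongs, a script launching something from a writable temp path, or a world-writable script). The directory and its files are constructed for the demo, and the path list and heuristics are assumptions.

```python
import os
import re
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
# Writable paths a dropped payload is commonly launched from (assumed list).
SUSPICIOUS_PATH = re.compile(r"(?:^|[\s=])(/(?:tmp|var/tmp|dev/shm)/\S+)")

def scan_initd(initd_dir):
    """Return {entry: reason} for init.d entries that look dropped: ELF files
    (init scripts are shell scripts), scripts that launch something from a
    writable temp path, and world-writable scripts."""
    findings = {}
    for name in sorted(os.listdir(initd_dir)):
        path = os.path.join(initd_dir, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # symlinks (e.g. into rc*.d) are out of scope here
        with open(path, "rb") as fh:
            head = fh.read(4096)
        if head.startswith(ELF_MAGIC):
            findings[name] = "ELF binary in init.d"
            continue
        match = SUSPICIOUS_PATH.search(head.decode("utf-8", "replace"))
        if match:
            findings[name] = "init script launches " + match.group(1)
        elif st.st_mode & stat.S_IWOTH:
            findings[name] = "world-writable init script"
    return findings

def build_demo_initd():
    """Create a constructed init.d directory: one clean and two bad entries."""
    d = tempfile.mkdtemp(prefix="initd-demo-")
    clean = os.path.join(d, "networking")
    with open(clean, "w") as fh:
        fh.write("#!/bin/sh\n### BEGIN INIT INFO\n/sbin/ifup -a\n")
    os.chmod(clean, 0o755)
    with open(os.path.join(d, "S99sys"), "w") as fh:  # launches a /tmp payload
        fh.write("#!/bin/sh\n/tmp/.x86 &\n")
    with open(os.path.join(d, ".bot"), "wb") as fh:  # raw ELF dropped as "script"
        fh.write(ELF_MAGIC + b"\x01" * 12)
    return d

if __name__ == "__main__":
    for entry, reason in scan_initd(build_demo_initd()).items():
        print(entry, "->", reason)
```

On a real device point scan_initd at /etc/init.d and compare the result against the entries your firmware image ships with.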
The botnet also uses multiple anti-tampering techniques to prevent a third party from hijacking or poisoning it, and it can perform web exploitation against a series of devices.
According to the researchers, the botnet still has no support for DDoS attacks; their analysis says "the botnet is in the growth phase and attackers trying to seize as many devices as possible". The attackers can expand the botnet's functionality at any time.
A brand of IP camera manufactured in South Korea appears to be the initial infection source for Hide 'N Seek, but the botnet is actively attacking other IoT devices. Using randomly generated IP addresses, Hide 'N Seek attempts to connect to any device found at those addresses.
As with any new technology, IoT promises to be the future of the Internet, bringing better connectivity and ease of use to the devices we rely on, but as these botnet attacks show, an equal amount of emphasis must be placed on security.