Hide and Seek: New Botnet Threat
The Internet of Things (IoT) refers to everyday devices connected to the Internet: a fridge, a car, a smartwatch or any other object. As is visible all around us, the number of such devices is growing rapidly and is expected to outnumber the world's population before long, which widens the attack surface. Attackers are always looking for weaknesses in these devices, and, unfortunately, the larger the user base, the more attractive a target the devices become.
Many IoT devices have already been captured by botnets. Recently, a new botnet dubbed Hide N Seek (HNS) was found exploiting Internet of Things devices. It is the first of its kind to use a custom-built peer-to-peer communication mechanism to spread between machines; the peer-to-peer functionality previously seen in Hajime was based on the BitTorrent protocol.
How Does It Work?
The botnet communicates between devices via a decentralized peer-to-peer mechanism and uses multiple anti-tampering techniques to prevent a third party from poisoning it. The bot can perform web exploitation against a number of device types using the same exploit as Reaper, and it accepts multiple commands, including data exfiltration, code execution and interference with device operation.
The bot spreads with a worm-like mechanism: it randomly generates a list of IP addresses as probable targets, initiates a raw socket connection to every address on the list, and continues only with the devices that reply on one of a set of specific destination ports (23, 2323, 80 or 8080).
Once a connection is established, the bot looks for a login banner ("buildroot login") and attempts to log in with a set of predefined credentials. If that fails, it attempts a dictionary attack using a hardcoded list.
If the login succeeds and the victim is reachable, the bot uses a specific remote payload method to download and run the malware sample. This is how the bot infects further machines on the same network.
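The scanning behaviour described above (many unrelated hosts probed in quick succession on ports 23, 2323, 80 and 8080) is what a defender can look for in firewall logs. The following is an added example, not code from the original post or from the malware: it parses a constructed, assumed log format and flags any source address that contacts many distinct hosts on those ports within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Destination ports the write-up says HNS probes: Telnet, alt-Telnet, HTTP, alt-HTTP.
HNS_PORTS = {23, 2323, 80, 8080}

# Constructed sample firewall log (not real traffic).
# Format assumed here: "<ISO timestamp> <src ip> -> <dst ip>:<dst port> <action>"
SAMPLE_LOGS = """\
2018-01-24T10:00:01 203.0.113.7 -> 192.0.2.10:23 SYN
2018-01-24T10:00:02 203.0.113.7 -> 192.0.2.11:2323 SYN
2018-01-24T10:00:03 203.0.113.7 -> 192.0.2.12:80 SYN
2018-01-24T10:00:04 203.0.113.7 -> 192.0.2.13:8080 SYN
2018-01-24T10:00:05 203.0.113.7 -> 192.0.2.14:23 SYN
2018-01-24T10:00:09 198.51.100.4 -> 192.0.2.10:443 SYN
2018-01-24T10:00:10 198.51.100.4 -> 192.0.2.10:443 SYN
2018-01-24T10:05:00 203.0.113.7 -> 192.0.2.20:23 SYN
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst_ip, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action


def find_scanners(log_text, min_targets=4, window=timedelta(seconds=60)):
    """Return {src: max distinct hosts} for sources hitting at least min_targets
    distinct hosts on HNS ports inside any window-long span. A random-IP worm
    fans out to many unrelated hosts quickly; a normal client does not."""
    events = defaultdict(list)  # src -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, port, _ = parse_line(line)
        if port in HNS_PORTS:
            events[src].append((ts, dst_ip))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):
            # Distinct destinations contacted within [t0, t0 + window].
            targets = {ip for t, ip in evs[i:] if t - t0 <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            hits[src] = best
    return hits
```

On the constructed log, only 203.0.113.7 is reported (five distinct hosts on HNS ports within one minute); the HTTPS client on port 443 is ignored because it never touches the probed ports.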
There is some good news, however: unlike many other bots, this one is much easier to get rid of. Because it cannot achieve persistence, a reboot returns the device to the state it was in before being compromised.
That is not entirely good news for IoT users, though, as it clearly shows how far attackers will go to capture users' data. The growing number of IoT devices is also good news for them, since it lets them build ever larger botnets and perform DDoS attacks. Removal may be easy, but HNS is a very complex threat with new capabilities. Some readers familiar with Hajime may confuse Hide N Seek with it, but that is not correct: the two differ in the way they carry out the attack.
Therefore, to stay safe, it is advisable to take care of your IoT devices and keep them switched off when not in use. Also, do not connect them to accounts that you would rarely use with IoT devices. This bot has grown tremendously in a matter of days, from 12 devices to 24,000 in just a week's time.