Bitdefender Decodes A Botnet Called Hide ‘N’ Seek

by CXOtoday News Desk    Feb 13, 2018


Romanian cybersecurity and anti-virus software company, Bitdefender, is reported to have recently spotted a new bot which uses peer-to-peer communication to infect devices.  The bot had disappeared for a few days before returning again and hence, has been named as Hide ‘N’ Seek.

The researchers at Bitdefender Lab mentioned in one of their blogs that, “The HNS botnet communicates in a complex and decentralized manner and uses multiple anti-tampering techniques to prevent a third party from hijacking/poisoning it. The bot can perform web exploitation against a series of devices via the same exploit as Reaper (CVE-2016-10401 and other vulnerabilities against networking equipment).”

The newly emerged bot can execute multiple commands like data exfiltration, code execution and interference with a device’s operation. The bot is capable of generating a list of IP addresses which can help in tapping on the potential targets while establishing a raw socket SYN connection to the listed devices. Once the connection is established, the bot tries to spot the target device and figure out how best to compromise it.

Researchers explained, “For example, if the victim has the same LAN as the bot, the bot sets up TFTP server to allow the victim to download the sample from the bot. If the victim is located on the internet, the bot will attempt a specific remote payload delivery method to get the victim to download and run the malware sample. These exploitation techniques are preconfigured and are located in a memory location that is digitally signed to prevent tampering. This list can be updated remotely and propagated among infected hosts.”

Bitdefender researchers have informed that the number of devices handled by the HNS has increased from 12 to 32,312 IoT devices over a month while undergoing a number of developments.

“The new IoT botnet uses peer-to-peer communication to spread to other targets, however, it is not first such botnet,” said the researchers.

The researchers further revealed that the bot can be leveraged for far more nefarious activities than launching DDoS attacks. “While IoT botnets have been around for years, mainly used for DDoS attacks, the discoveries made during the investigation of the Hide and Seek bot reveal greater levels of complexity and novel capabilities such as information theft – potentially suitable for espionage or extortion,” wrote researchers at Bitdefender Lab.