Bitdefender discovers the first ‘Hide ’N Seek’ IoT Botnet that survives the reboots

Dark times lie ahead for cyber security specialists. At the end of April 2018, Bitdefender's researchers spotted a new, improved version of the world's first peer-to-peer communicating IoT botnet, 'Hide and Seek', which is now able to remain on an infected device even after a full reboot.

HideNSeek botnet survives restore

If you have ever had your operating system infected by any type of malware, you probably know about the good old-fashioned reboot. Its miracle power to restore everything to the pre-infection state from a backup has been (and still is) the main method to recover deleted, infected or virus-encrypted files when other tools and techniques won't work. Sadly, after Bitdefender's new discovery about the 'Hide 'N Seek' IoT botnet, backups and reboots won't save us anymore.

Bogdan Botezatu, senior e-threat analyst at Bitdefender, explained in his report:

Malware copies itself in the /etc/init.d/ and adds itself to start with the operating system. In order to achieve persistence, the infection must take place via Telnet, as root privileges are required to copy the binary to the init.d directory.

It subsequently opens a random UDP port that is propagated to the neighboring bots. This port will be used by the cyber-criminals to get in touch with the device.
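The two indicators in the quoted report, a new entry in /etc/init.d/ and a random UDP port opened for peer contact, are both things a device owner or analyst can check for. The following is an added example, not Bitdefender's code: it snapshots an init.d directory against a baseline captured when the device was provisioned (an assumption; most devices ship no such baseline) and flags added or modified entries, and it parses `netstat -lun`-style output to report UDP listeners outside an allowlist. The init.d contents and the netstat lines are constructed sample data, and the entry name `constructed-new-entry` is a placeholder, not a real HNS artifact. The script is meant to run from an analyst workstation over a mounted root filesystem or captured command output, since many IoT devices have no Python interpreter.

```python
"""Baseline check for init.d persistence and unexpected UDP listeners.

Added example (not Bitdefender's or the botnet author's code). Assumes a
known-good snapshot of /etc/init.d taken at provisioning time.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed `netstat -lun` output: two expected services plus one
# high-numbered UDP listener that is not on the allowlist.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:41871           0.0.0.0:*
"""

# Matches the proto, queue counters and local address:port of a udp/udp6 line.
NETSTAT_UDP = re.compile(r"^udp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def snapshot_initd(initd_dir):
    """Return {entry name: sha256 of contents} for every regular file in the directory."""
    snapshot = {}
    for entry in sorted(Path(initd_dir).iterdir()):
        if entry.is_file():  # follows symlinks, so linked scripts are hashed too
            snapshot[entry.name] = hashlib.sha256(entry.read_bytes()).hexdigest()
    return snapshot


def diff_initd(baseline, current):
    """Report init.d entries that were added or whose contents changed since the baseline."""
    added = sorted(name for name in current if name not in baseline)
    modified = sorted(name for name in current
                      if name in baseline and current[name] != baseline[name])
    return {"added": added, "modified": modified}


def unexpected_udp_listeners(netstat_output, allowed_ports):
    """Parse netstat -lun style lines; return (address, port) pairs not in the allowlist."""
    findings = []
    for line in netstat_output.splitlines():
        match = NETSTAT_UDP.match(line.strip())
        if not match:
            continue  # header lines and non-UDP rows
        addr, port = match.group(1), int(match.group(2))
        if port not in allowed_ports:
            findings.append((addr, port))
    return findings


def run_demo():
    """Build a constructed init.d directory, take a baseline, then simulate the change the report describes."""
    with tempfile.TemporaryDirectory() as tmp:
        initd = Path(tmp)
        (initd / "networking").write_text("#!/bin/sh\n# constructed sample service\n")
        (initd / "sshd").write_text("#!/bin/sh\n# constructed sample service\n")
        baseline = snapshot_initd(initd)
        # A new start script appears (placeholder name) and an existing one is edited.
        (initd / "constructed-new-entry").write_text("#!/bin/sh\n/tmp/.constructed-binary &\n")
        (initd / "sshd").write_text("#!/bin/sh\n# constructed sample service (edited)\n")
        initd_report = diff_initd(baseline, snapshot_initd(initd))
    udp_report = unexpected_udp_listeners(SAMPLE_NETSTAT, allowed_ports={53, 68, 123})
    return {"initd": initd_report, "udp": udp_report}


if __name__ == "__main__":
    report = run_demo()
    print("init.d changes:", report["initd"])
    print("unexpected UDP listeners:", report["udp"])
```

In practice the baseline snapshot would be stored off the device (an attacker with root could otherwise edit it along with init.d), and a high-numbered UDP listener on its own is only a lead, not proof of infection; the two checks are most useful together, run before and after the reboot the article says no longer clears the infection.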

The previous version of the botnet did not have this persistence capability. The new release brings some other adjustments as well, e.g. two new vulnerabilities used to compromise more IPTV camera models and recognition of two additional device types. However, even the newer version of 'HNS' still doesn't support DDoS attacks.

Since January 2018, the 'HNS' botnet has infected around 90,000 unique devices.

Botezatu also wrote:

This attack avenue targets a wide range of devices and architectures. Our research shows that the bot has 10 different binaries compiled for various platforms, including x86, x64, ARM (Little Endian and Big Endian), SuperH, PPC and so on.

Compared to 'Hide and Seek's' initial release, the functionality hasn't changed much, but Bitdefender's researchers assume that the cybercriminals are simply not ready yet to reveal all the weapons they have, since their main goal for now is to 'seize as many devices as possible'.

Reading about this discovery and the predictions around it makes you wonder how much more the 'Hide and Seek' IoT botnet has to offer. The ability to survive a reboot is already a big game-changer in the cyber security world and an immense headache for owners of infected devices. If the analysts are right and more updates to 'Hide and Seek' are coming, will we be prepared enough to withstand such attacks, or is this a call for a new, stronger IT security era?

While Bitdefender and other antivirus companies work on malware removal approaches that differ from the usual ones, we wish you luck in NOT catching the naughty 'Hide and Seek' botnet.
