A new botnet is growing around the world, feeding off unsecured IoT devices, mainly IP cameras, and getting ready to do some harm.
Discovered by security researchers from Bitdefender, the new botnet is called Hide 'N Seek (HNS), and according to experts, the botnet first appeared on January 10, died off for a few days, and came back strong over the weekend, on January 20.
In all this time, the botnet grew from an initial list of 12 compromised devices to over 14,000 bots, as of writing.
Unlike all the Internet of Things (IoT) botnets that have appeared in recent weeks, HNS is not another modification of the Mirai IoT malware source code that was leaked online last year.
In fact, according to Bogdan Botezatu, Bitdefender senior e-threat analyst, the HNS botnet is more similar to Hajime rather than Mirai.
"It is the second known IoT botnet to date, after the notorious Hajime botnet, that has a decentralized, peer-to-peer architecture," Botezatu says. "However, if in the case of Hajime, the P2P functionality was based on the BitTorrent protocol, here we have a custom-built P2P communication mechanism."
According to an analysis Botezatu authored today, each bot contains a list of IPs of other infected bots, a list that can be updated in real-time, as the botnet grows and bots are lost or gained.
HNS bots relay instructions and commands to one another, in the basic manner of a peer-to-peer protocol. Botezatu says an HNS bot can receive and execute several types of commands, such as "data exfiltration, code execution and interference with a device’s operation."
Surprisingly, Bitdefender experts did not find a DDoS function, meaning the botnet is intended to be deployed as a proxy network, similar to how most IoT botnets have been weaponized in the past year after DDoS functions drew too much attention and led to the downfall of many aggressive botnets.
The botnet spreads via dictionary brute-force attacks against devices with open Telnet ports. Just like its unique P2P bot management protocol, this spreading mechanism is also heavily customized. Botezatu explains below:
The good news is that just like all IoT malware, HNS cannot establish persistence on infected devices, meaning the malware is automatically removed with every device reboot.
This makes managing the HNS botnet a 24-hour job, with the botnet needing constant supervision from its creator in order to ensure the botnet continues to add new bots before the old ones die off.
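An added example (not from the article or from Bitdefender's analysis) of defender-side detection for the spreading mechanism described above: it parses constructed Telnet login log lines, flags sources that produce a burst of failed logins (the dictionary attack), and lists those that then logged in successfully, which is where a reboot and a credential change are due. The log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (syslog-like); IPs, users and times are made up.
SAMPLE_LOG = """\
2018-01-20T10:00:01 telnetd: login failed for user 'root' from 203.0.113.7
2018-01-20T10:00:02 telnetd: login failed for user 'admin' from 203.0.113.7
2018-01-20T10:00:02 telnetd: login failed for user 'root' from 203.0.113.7
2018-01-20T10:00:03 telnetd: login failed for user 'user' from 203.0.113.7
2018-01-20T10:00:04 telnetd: login failed for user 'support' from 203.0.113.7
2018-01-20T10:00:09 telnetd: login failed for user 'admin' from 198.51.100.2
2018-01-20T10:00:10 telnetd: login succeeded for user 'root' from 203.0.113.7
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>failed|succeeded) for user "
    r"'(?P<user>[^']*)' from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse(log):
    """Yield (timestamp, result, user, source) for each line that matches."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def burst_sources(log, threshold=5, window=timedelta(seconds=60)):
    """{source: total failures} for sources with >= threshold failures in one sliding window."""
    failures = defaultdict(list)
    for ts, result, _user, src in parse(log):
        if result == "failed":
            failures[src].append(ts)
    hits = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = len(times)
                break
    return hits

def likely_compromised(log, **kw):
    """Burst sources that also logged in successfully: treat the device as infected."""
    bursts = burst_sources(log, **kw)
    return sorted({src for _ts, result, _u, src in parse(log)
                   if result == "succeeded" and src in bursts})
```

Because HNS does not survive a reboot, a device flagged by `likely_compromised` can be cleaned by restarting it, but it will be reinfected unless its Telnet credentials are changed or the port is closed.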
In addition, because it's a new arrival on the IoT malware scene, HNS is also in a state of constant change, as its operator(s) explores new spreading and bot management techniques.
As many of these "new" botnets have had a tendency to disappear after a few weeks, let's hope HNS' author gets bored and abandons his "experiment."
A 14K botnet is nothing to ignore. If we learned anything from the ProxyM botnet, it's that you don't need tens of thousands of infected devices to run a profitable botnet. Four to five thousand are enough.