Hide'n'Seek: an adaptive peer-to-peer IoT botnet

Presented at VB2018, Oct. 5, 2018, 10 a.m. (30 minutes)

Along with the rise of IoT products and technologies comes the growth and evolution of IoT botnets; the impact of Bashlite, Mirai and Reaper, to name a few, are a testament to that fact. This paper presents a thorough analysis of the inner workings of Hide'n'Seek (or HNS), a peer-to-peer botnet discovered in January 2018. With an exploit table that can be updated in memory, and modular in its approach, HNS gives us a glimpse of what kinds of IoT threats we will encounter in the years to come. Starting from a humble list of 12 infected machines, it has undergone a few updates and reached tens of thousands of victims around the world. While this particular botnet amassed an impressive number of victims, its more interesting characteristics lie with other novelties and peculiarities discovered during our investigation. In contrast with other botnets, which rely on a centralized, asymmetric architecture with one or more C&Cs and multiple bots, HNS uses a custom-built peer-to-peer system in which any peer can both issue and receive commands. This somewhat different approach to the traditional IoT botnet landscape brings about new challenges moving forward. For instance, some of the design choices, such as the P2P model, lead to an increased difficulty in analysing and taking down such a threat. One notable feature is the presence of a dynamic table of exploits as well as a reputation system - 'knowledge' - among peers which allows for new exploits to be added and spread autonomously through the network. Even though the capabilities of the botnet, such as propagation (worm-like behaviour), peer-discovery, data exfiltration and modularity are laid bare, the intent, origin and business model of the botnet is subject to speculation, since it oddly features no DDoS elements at the time of our investigation. However, such elements may become available in potential future updates to the expanding botnet.

Presenters:

  • Vladimir Diaconescu - Bitdefender
    Vladimir Diaconescu Vladimir Diaconescu is a security researcher at Bitdefender, focusing on reverse engineering, IoT security and honeypots.Passionate about low-level, novel analysis techniques and with a penchant for non-orthodox approaches, solutions and jokes, he gets his kicks from playing in Capture The Flag competitions.
  • Adrian Șendroiu - Bitdefender
    Adrian Șendroiu Adrian Șendroiu is a security researcher working for the Romanian company Bitdefender. His fields of interest include IoT security and reverse engineering. He previously worked as a research assistant at the National University of Singapore, covering various topics related to systems security.

Links:

Similar Presentations: