A new botnet called Hide’N Seek was captured by Bitdefender’s honeypot system after it attempted a brute-force attack over the Telnet service. The bot was first detected on January 10th, 2018, disappeared a few days later, and reappeared on January 20th, 2018 in an improved version. The botnet includes a self-replication mechanism that randomly generates a list of IP addresses to obtain potential targets.
It then opens a raw socket and sends a SYN to each host in the list, and continues communicating only with hosts that answer on specific destination ports (23, 2323, 80, 8080). Once a connection is established, the bot checks whether the victim presents a specific banner (“buildroot login:”). Once a session is established with a new victim, the sample runs a state machine to identify the targeted device and selects the most suitable compromise method.
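The scanning behaviour described above leaves a recognisable trace at the network edge: one source sending SYNs to many unrelated destinations on exactly the port set 23/2323/80/8080 within a short span. The following detector is an added example written for this page, not Bitdefender’s code or the bot’s; the log format (`ts=… src=… dst=… dport=… flags=S`), the sample lines and the thresholds (`window`, `min_targets`) are assumptions and would be tuned to the real firewall or NetFlow export in use.

```python
"""Flag sources that SYN-probe many hosts on the Hide'N Seek port set.

Added example, not code from Bitdefender or from the bot. Assumptions:
 - one constructed, syslog-like line per observed SYN:
   "ts=<epoch> src=<ip> dst=<ip> dport=<port> flags=S"
 - `window` / `min_targets` are hypothetical thresholds; tune per network.
"""
import re
from collections import defaultdict

# Destination ports the text says the bot probes.
HNS_PORTS = {23, 2323, 80, 8080}

LINE_RE = re.compile(r"ts=(\d+) src=(\S+) dst=(\S+) dport=(\d+) flags=(\S+)")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts, src, dst, dport, flags = m.groups()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "flags": flags}


def find_scanners(lines, window=60, min_targets=8):
    """Return {src: set(dst)} for sources that SYN-probed at least `min_targets`
    distinct hosts on HNS_PORTS within any `window`-second sliding span.

    Random-IP scanning shows up as many *distinct* destinations per source;
    a normal client re-contacting the same few servers does not."""
    per_src = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["flags"] != "S" or ev["dport"] not in HNS_PORTS:
            continue
        per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # Slide the window so it only covers events within `window` seconds.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            if len(targets) >= min_targets:
                hits[src] = targets
                break
    return hits


# Constructed sample log (all addresses are documentation ranges).
SAMPLE_LOG = [
    # a fast random-IP scanner: 10 distinct targets on the HNS ports in 27 s
    *[f"ts={1516400000 + i * 3} src=203.0.113.7 dst=198.51.100.{10 + i} dport={p} flags=S"
      for i, p in enumerate([23, 2323, 80, 8080, 23, 23, 2323, 80, 8080, 23])],
    # a slow source: 8 targets spread over ~9 minutes, never 8 inside one 60 s window
    *[f"ts={1516400000 + i * 75} src=203.0.113.9 dst=198.51.100.{40 + i} dport=23 flags=S"
      for i in range(8)],
    # a normal client alternating between two web servers
    *[f"ts={1516400000 + i} src=192.0.2.5 dst=198.51.100.{1 + i % 2} dport=80 flags=S"
      for i in range(20)],
    # an SSH scanner: many targets, but not on the HNS port set
    *[f"ts={1516400000 + i} src=203.0.113.8 dst=198.51.100.{60 + i} dport=22 flags=S"
      for i in range(12)],
    "malformed line that should be ignored",
]


if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(targets)} distinct targets on {sorted(HNS_PORTS)}")
```

Only the fast random-IP scanner is reported; the slow source, the client that keeps returning to the same two servers and the SSH scanner all fall outside the pattern. In practice the port set is the weakest part of the signature, since ports 23 and 80 are probed by many unrelated scanners, so the distinct-destination count and the short window do most of the work.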
After the well-known Hajime botnet, Hide’N Seek is the second IoT botnet known to use a decentralized peer-to-peer architecture. While IoT botnets have existed for years, mainly used for DDoS attacks, the analysis of Hide’N Seek reveals a higher level of complexity and new capabilities such as information theft, potentially suited to espionage and extortion. Like other IoT botnets, Hide’N Seek does not persist across reboots, so a simple restart removes it from an infected device; the device remains exposed to re-infection, however, as long as the Telnet service it was brute-forced through stays reachable with the same credentials.