Hide'n'Seek: an adaptive peer-to-peer IoT botnet

Friday 5 October 10:00 - 10:30, Red room

Adrian Șendroiu (Bitdefender)
Vladimir Diaconescu (Bitdefender)

Along with the rise of IoT products and technologies comes the growth and evolution of IoT botnets; the impact of Bashlite, Mirai and Reaper, to name a few, are a testament to that fact. This paper presents a thorough analysis of the inner workings of Hide'n'Seek (or HNS), a peer-to-peer botnet discovered in January 2018. With an exploit table that can be updated in memory, and modular in its approach, HNS gives us a glimpse of what kinds of IoT threats we will encounter in the years to come. Starting from a humble list of 12 infected machines, it has undergone a few updates and reached tens of thousands of victims around the world. While this particular botnet amassed an impressive number of victims, its more interesting characteristics lie with other novelties and peculiarities discovered during our investigation.

In contrast with other botnets, which rely on a centralized, asymmetric architecture with one or more C&Cs and multiple bots, HNS uses a custom-built peer-to-peer system in which any peer can both issue and receive commands. This somewhat different approach to the traditional IoT botnet landscape brings about new challenges moving forward. For instance, some of the design choices, such as the P2P model, lead to an increased difficulty in analysing and taking down such a threat. One notable feature is the presence of a dynamic table of exploits as well as a reputation system - 'knowledge' - among peers which allows for new exploits to be added and spread autonomously through the network.

Even though the capabilities of the botnet, such as propagation (worm-like behaviour), peer-discovery, data exfiltration and modularity are laid bare, the intent, origin and business model of the botnet is subject to speculation, since it oddly features no DDoS elements at the time of our investigation. However, such elements may become available in potential future updates to the expanding botnet.




Adrian Șendroiu

Adrian Șendroiu is a security researcher working for the Romanian company Bitdefender. His fields of interest include IoT security and reverse engineering. He previously worked as a research assistant at the National University of Singapore, covering various topics related to systems security.




Vladimir Diaconescu

Vladimir Diaconescu is a security researcher at Bitdefender, focusing on reverse engineering, IoT security and honeypots.
Passionate about low-level, novel analysis techniques and with a penchant for non-orthodox approaches, solutions and jokes, he gets his kicks from playing in Capture The Flag competitions.


Related links



   Download slides    Read paper    Watch video

Other VB2018 papers

Tracking Mirai variants

Ya Liu (Qihoo)
Hui Wang (Qihoo)

Android app deobfuscation using static-dynamic cooperation

Yoni Moses (Check Point)
Yaniv Mordekhay (Check Point)

Who wasn’t responsible for Olympic Destroyer?

Paul Rascagneres (Cisco Talos)
Warren Mercer (Cisco Talos)

Back to VB2018 Programme page

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.