Hide'n'Seek: an adaptive peer-to-peer IoT botnet

Friday 5 October 10:00 - 10:30, Red room

Adrian Șendroiu (Bitdefender)
Vladimir Diaconescu (Bitdefender)

Along with the rise of IoT products and technologies comes the growth and evolution of IoT botnets; the impact of Bashlite, Mirai and Reaper, to name a few, are a testament to that fact. This paper presents a thorough analysis of the inner workings of Hide'n'Seek (or HNS), a peer-to-peer botnet discovered in January 2018. With an exploit table that can be updated in memory, and modular in its approach, HNS gives us a glimpse of what kinds of IoT threats we will encounter in the years to come. Starting from a humble list of 12 infected machines, it has undergone a few updates and reached tens of thousands of victims around the world. While this particular botnet amassed an impressive number of victims, its more interesting characteristics lie with other novelties and peculiarities discovered during our investigation.

In contrast with other botnets, which rely on a centralized, asymmetric architecture with one or more C&Cs and multiple bots, HNS uses a custom-built peer-to-peer system in which any peer can both issue and receive commands. This somewhat different approach to the traditional IoT botnet landscape brings about new challenges moving forward. For instance, some of the design choices, such as the P2P model, lead to an increased difficulty in analysing and taking down such a threat. One notable feature is the presence of a dynamic table of exploits as well as a reputation system - 'knowledge' - among peers which allows for new exploits to be added and spread autonomously through the network.

Even though the capabilities of the botnet, such as propagation (worm-like behaviour), peer-discovery, data exfiltration and modularity are laid bare, the intent, origin and business model of the botnet is subject to speculation, since it oddly features no DDoS elements at the time of our investigation. However, such elements may become available in potential future updates to the expanding botnet.

Other VB2018 papers

VB2018 opening address

Martijn Grooten (Virus Bulletin)

Uncovering the wholesale industry of social media fraud: from botnet to bulk reseller panels

Masarah Paquet-Clouston (GoSecure)

Under the hood - the automotive challenge

Inbar Raz (Argus Cyber Security)