Hide-N-Seek IoT botnet


Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise. This malware strain has achieved something that even the Mirai strain couldn't.

This is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device.

The reset operation flushed the device's flash memory, where the device would keep all its working data, including IoT malware strains.

Because the malware places itself in this menu, the device's OS automatically starts the malware's process after the next reboot.

Experts say HNS has infected 90,000 unique devices from the time of discovery until today.

Crooks used two exploits to create their initial botnet, which was unique among the IoT botnets active today because it used a custom P2P protocol to control infected systems.

Now, experts have found new HNS versions that have added support not only for two other exploits [1] but also for brute-force operations.

[1] The botnet can utilise the following exploits:
  • TP-Link routers RCE
  • Netgear RCE
  • (new) AVTECH RCE
  • (new) CISCO Linksys router RCE
  • (new) JAWS/1.0 RCE
  • (new) OrientDB RCE
  • (new) CouchDB RCE

In practice, this means that HNS-infected devices scan for other devices that have an exposed Telnet port and attempt to log into those devices using a list of preset credentials.

Researchers say that HNS authors have also had time to fine-tune this brute-forcing scheme, as the malware can identify at least two types of devices and attempt to log into those systems using their factory default credentials, instead of blindly guessing passwords.

Furthermore, the HNS codebase also received updates, and the bot now has ten different binaries for ten different device architectures.

The HNS botnet utilises greater processing power than before, since it now scans the following ports for potential exploitation:

  • 23 Telnet
  • 80 HTTP web service
  • 2480 OrientDB
  • 5984 CouchDB
  • 8080 HTTP web service
  • … it has also been known to scan other random ports
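The two behaviours described above, a sweep of the listed ports across many neighbouring hosts and a burst of failed Telnet logins with preset usernames, are both visible in ordinary connection and Telnet daemon logs. The following is an added example (not code from the original post or from any HNS analysis) that runs that detection logic over a handful of constructed log lines; the log format, the thresholds and the sample addresses are assumptions for illustration.

```python
import re
from collections import defaultdict

# Ports the post lists as scanned by HNS.
HNS_PORTS = {23, 80, 2480, 5984, 8080}

# Constructed sample log in a simple iptables-like format plus a few
# telnetd failure lines. These are not real logs; 192.0.2.10 plays the
# role of an infected device, 10.0.0.50 is ordinary traffic.
SAMPLE_LOG = """\
2018-05-08T10:00:01 SRC=192.0.2.10 DST=10.0.0.11 DPT=23
2018-05-08T10:00:01 SRC=192.0.2.10 DST=10.0.0.12 DPT=23
2018-05-08T10:00:02 SRC=192.0.2.10 DST=10.0.0.13 DPT=2480
2018-05-08T10:00:02 SRC=192.0.2.10 DST=10.0.0.14 DPT=5984
2018-05-08T10:00:03 SRC=192.0.2.10 DST=10.0.0.15 DPT=8080
2018-05-08T10:00:03 SRC=192.0.2.10 DST=10.0.0.16 DPT=80
2018-05-08T10:00:04 SRC=10.0.0.50 DST=10.0.0.11 DPT=443
2018-05-08T10:00:05 SRC=10.0.0.50 DST=10.0.0.11 DPT=80
2018-05-08T10:00:06 telnetd: login failed for 'admin' from 192.0.2.10
2018-05-08T10:00:06 telnetd: login failed for 'root' from 192.0.2.10
2018-05-08T10:00:07 telnetd: login failed for 'support' from 192.0.2.10
2018-05-08T10:00:07 telnetd: login failed for 'user' from 192.0.2.10
2018-05-08T10:00:09 telnetd: login failed for 'root' from 10.0.0.50
"""

CONN_RE = re.compile(r"SRC=(\S+) DST=(\S+) DPT=(\d+)")
TELNET_FAIL_RE = re.compile(r"telnetd: login failed for '([^']*)' from (\S+)")


def sweep_sources(log_text, min_targets=4):
    """Return {src: sorted (dst, port) pairs} for every source that touched
    at least `min_targets` distinct destinations on HNS-targeted ports.
    A single host hitting one neighbour on port 80 is not a sweep."""
    touched = defaultdict(set)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if port in HNS_PORTS:
            touched[src].add((dst, port))
    return {
        src: sorted(pairs)
        for src, pairs in touched.items()
        if len({dst for dst, _ in pairs}) >= min_targets
    }


def telnet_bruteforce_sources(log_text, min_failures=3):
    """Return {src: [usernames tried, in log order]} for sources with at
    least `min_failures` failed Telnet logins; the list of names shows
    whether the attempts walk a preset credential list."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = TELNET_FAIL_RE.search(line)
        if m:
            failures[m.group(2)].append(m.group(1))
    return {src: users for src, users in failures.items()
            if len(users) >= min_failures}


def suspected_hns_scanners(log_text):
    """Sources showing both behaviours at once: a port sweep on the HNS
    port set and a Telnet credential-guessing burst."""
    sweeps = sweep_sources(log_text)
    brute = telnet_bruteforce_sources(log_text)
    return sorted(set(sweeps) & set(brute))


if __name__ == "__main__":
    for src in suspected_hns_scanners(SAMPLE_LOG):
        print(f"{src}: swept {len(sweep_sources(SAMPLE_LOG)[src])} HNS ports, "
              f"tried users {telnet_bruteforce_sources(SAMPLE_LOG)[src]}")
```

Run against the constructed sample, only 192.0.2.10 is reported; the ordinary host that failed one Telnet login and reached one neighbour on port 80 stays below both thresholds. On real logs the thresholds would be tuned to the network's normal east-west traffic, and a hit is a reason to inspect the source device for the persistence described earlier rather than a verdict on its own.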

HNS is easy to spot since it is the second most prevalent botnet after Hajime. Most of these botnets are trying to infect OrientDB servers.

Here is the list of services that are affected:
  • Added exploits for AVTECH devices (webcam), CISCO Linksys router, JAWS/1.0 web server, Apache CouchDB and OrientDB; together with the two devices mentioned in the original report, HNS currently supports 7 exploit methods altogether.
  • Hard-coded P2P node addresses have been increased to 171.
  • In addition, we observed that the HNS botnet adds a cpuminer mining program; it is not functioning properly yet.
  • In particular, with the added support for OrientDB and CouchDB database servers, HNS is no longer just an IoT botnet but a cross-platform botnet.

Copyright© HighonItBlog 2018
