A new Internet of Things botnet is the first of its kind to use custom-built peer-to-peer communication to spread to new targets.
Dubbed Hide 'N Seek (HNS) by the researchers at security company Bitdefender, the botnet first appeared in early January before disappearing then re-emerging on January 20.
The botnet communicates between devices using a decentralised peer-to-peer mechanism. It uses the same exploit as the Reaper botnet to infect devices, although there's currently no indication that the two armies of hijacked machines are related.
Hide 'N Seek isn't the first botnet to have a peer-to-peer element -- the Hajime botnet used a P2P architecture -- but rather than being built on the existing BitTorrent protocol, HNS uses a custom-built P2P system.
Equipped to carry out commands including data exfiltration, code execution, and interfering with a device's operation, initial reports said 2,700 devices were infected by the malware as of the end of January 23.
Now, under 48 hours later, the figure is thought to be over 24,000, and the botnet has spread around the globe. This is a network which just days ago was only made up of 12 devices in South-East Asia.
Many of the initial infections appear to be based around IP cameras made by a South Korean manufacturer, but the botnet isn't specifically targeting these devices; this only appears to be an initial starting point for carrying out attacks against other hardware.
The HNS botnet spreads via the use of a worm-like mechanism which generates IP addresses at random, before attempting a raw socket SYN connection to each of the devices on the list. If successful, the bot looks for the 'buildroot login' banner presented by the device and attempts to login with a set of predefined credentials.
If this isn't successful, the attack uses a form of brute force in the form of a dictionary attack, attempting to pair together words from a hardcoded list in order to crack the device passcode.
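The credential-guessing stage described above leaves a recognisable trace on the device: a burst of failed logins from one source, often cycling through several usernames, sometimes followed by a successful login from the same address. The following is an added detection example written for this article, not code from Bitdefender or from the HNS analysis; it assumes a syslog-like login format for an embedded device (the sample lines are constructed, and real devices vary in format), and flags sources that cross a failure threshold inside a time window, escalating if a success follows.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumption: the device's login daemon logs in this
# syslog-like shape; the page does not give the real format of any device).
SAMPLE_LOG = """\
2018-01-23T10:00:01Z login[412]: FAILED LOGIN 1 FROM 203.0.113.5 FOR root, Authentication failure
2018-01-23T10:00:02Z login[412]: FAILED LOGIN 2 FROM 203.0.113.5 FOR root, Authentication failure
2018-01-23T10:00:03Z login[412]: FAILED LOGIN 3 FROM 203.0.113.5 FOR admin, Authentication failure
2018-01-23T10:00:05Z login[413]: FAILED LOGIN 1 FROM 198.51.100.9 FOR root, Authentication failure
2018-01-23T10:00:06Z login[412]: FAILED LOGIN 4 FROM 203.0.113.5 FOR admin, Authentication failure
2018-01-23T10:00:07Z login[412]: FAILED LOGIN 5 FROM 203.0.113.5 FOR support, Authentication failure
2018-01-23T10:00:09Z login[412]: LOGIN ON pts/0 BY admin FROM 203.0.113.5
2018-01-23T10:30:00Z login[420]: FAILED LOGIN 1 FROM 192.0.2.7 FOR root, Authentication failure
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) login\[\d+\]: FAILED LOGIN \d+ FROM (?P<ip>\S+) FOR (?P<user>[^,]+),"
)
SUCCESS_RE = re.compile(
    r"^(?P<ts>\S+) login\[\d+\]: LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<ip>\S+)"
)


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamp used in the sample lines."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def analyse(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"failures": n, "users": [...], "success_after_failures": bool}}
    for every source that reached `threshold` failed logins within `window`.

    A sliding window per source IP keeps only failures newer than `window`,
    so a slow trickle of typos does not alert but a dictionary run does.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames tried from that source
    alerts = {}

    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ip, ts = m["ip"], parse_ts(m["ts"])
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            users[ip].add(m["user"].strip())
            if len(q) >= threshold:
                entry = alerts.setdefault(
                    ip, {"failures": 0, "users": [], "success_after_failures": False}
                )
                entry["failures"] = max(entry["failures"], len(q))
                entry["users"] = sorted(users[ip])
            continue

        # A successful login from a source already flagged for brute forcing is the
        # strongest signal on the page's own description of the attack chain.
        m = SUCCESS_RE.match(line)
        if m and m["ip"] in alerts:
            alerts[m["ip"]]["success_after_failures"] = True

    return alerts


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(ip, info)
```

With the constructed sample, only 203.0.113.5 crosses the default threshold of five failures in a minute, and the later successful login from that address marks it as a probable compromise rather than a mere probe; the two single-failure sources stay below the threshold. Lowering the threshold or widening the window trades fewer misses for more noise, which is the usual tuning decision for this kind of rule.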
Once successfully penetrated, the bot runs a process to identify what the target device is and how to further compromise it. For example, if additional targets are on the same LAN as the bot, it sets up a TFTP (Trivial File Transfer Protocol) server to deliver additional malware.
Meanwhile, if the victim is infiltrated via the internet, the bot uses remote payload delivery to get the victim to download the malware. All the exploitation techniques are preconfigured and are located in a digitally signed memory location in order to prevent the code from being tampered with.
Once a device is infected, the malware can take control of it and use commands to do as it pleases -- and it's for far more than carrying out DDoS attacks.
"The infection agents include a state machine that identifies what device or operating system it infected, thus enabling the botnet owner to execute a command like exfiltrate the wifi.conf file from all devices of a certain type. Long story short, the attacker can request any file they want from the infected systems," Alex Balan, chief security researcher at Bitdefender, told ZDNet.
While some malicious botnets have previously been disabled once the main server was taken down, in the case of Hide 'N Seek, this approach is much more difficult because its peer-to-peer nature means there's no central command unit to hunt for when looking to disrupt it.
"Each infection is also a command and control server, file server and platform for redistribution," said Balan.
The rapid expansion of the Hide 'N Seek botnet is accompanied by constant redesign, indicating that it is likely the work of a sophisticated hacking group.
In order to have the best chance of preventing IoT devices being roped into a malicious botnet, it's important to ensure that -- if possible -- the default password of the product is changed to something complex.