Hide and Seek: The first IoT botnet to survive device resets is caught
A botnet has been discovered by security researchers which is the first to survive resets of compromised devices.
Researchers from Bitdefender published their findings today. The malware strain, which they’ve dubbed ‘Hide and Seek’ (HNS) for self-explanatory reasons, copies itself to the /etc/init.d/ folder.
This folder contains the daemon scripts for Linux-based systems which are often used for devices like IoT products and routers. By placing itself here, it can automatically be run again to re-infect the device following a reboot.
Bitdefender first spotted the HNS malware back in early January. By the end of the month, it grew to around 32,000 devices. Since then, it’s infected around 90,000 unique devices.
Researchers say HNS has become more advanced in this time. Whereas it would previously guess passwords, now it can identify types of devices and login using their default credentials.
The discovery is a concerning moment for IoT security. Even the infamous ‘Mirai’ botnet, which caused record-breaking DDoS attacks, was unable to survive a device reset. Although, Kaspersky Labs discovered a Windows variant of Mirai whereas HNS is currently limited to Linux.
Kurt Baumgartner, Principal Security Research at Kaspersky Labs, said at the time:
“The appearance of a Mirai crossover between the Linux platform and the Windows platform is a real concern, as is the arrival on the scene of more experienced developers.
A Windows botnet spreading IoT Mirai bots turns a corner and enables the spread of Mirai to newly available devices and networks that were previously unavailable to Mirai operators. This is only the beginning.”
Time is said to reveal all, and it seems Baumgartner was right — Mirai was only the beginning. Hide and Seek could pose an even greater threat.