New HNS Botnet

New Hide ‘N Seek IoT Botnet spotted in the wild

New Hide ‘N Seek IoT Botnet using custom-built Peer-to-Peer communication spotted in the wild.

Bitdefender researchers have uncovered an emerging botnet that uses advanced communication techniques to exploit victims and build its infrastructure. The bot, dubbed HNS, was intercepted by our IoT honeypot system following a credentials dictionary attack on the Telnet service.

The bot was first spotted on Jan. 10 then faded away in the following days, only to re-emerge on Jan. 20 in a significantly improved form.

The HNS botnet communicates in a complex and decentralized manner and uses multiple anti-tampering techniques to prevent a third party from hijacking/poisoning it. The bot can perform web exploitation against a series of devices via the same exploit as Reaper (CVE-2016-10401 and other vulnerabilities against networking equipment).

The bot embeds a plurality of commands such as data exfiltration, code execution and interference with a device’s operation.


The bot features a worm-like spreading mechanism that randomly generates a list of IP addresses to get potential targets. It then initiates a raw socket SYN connection to each host in the list and continues communication with those that answer the request on specific destination ports (23 2323, 80, 8080). Once the connection has been established, the bot looks for a specific banner (“buildroot login:”) presented by the victim. If it gets this login banner, it attempts to log in with a set of predefined credentials. If that fails, the botnet attempts a dictionary attack using a hardcoded list.

Once a session is established with a new victim, the sample will run through a “state machine” to properly identify the target device and select the most suitable compromise method. For example, if the victim has the same LAN as the bot, the bot sets up TFTP server to allow the victim to download the sample from the bot. If the victim is located on the internet, the bot will attempt a specific remote payload delivery method to get the victim to download and run the malware sample. These exploitation techniques are preconfigured and are located in a memory location that is digitally signed to prevent tampering. This list can be updated remotely and propagated among infected hosts.

The samples identified in our honeypots on Jan. 10 revolved around IP cameras manufactured by a Korean company. These devices seemed to play a major role in the botnet as, out of the 12 IP addresses hardcoded in the sample, 10 used to belong to Focus H&S devices. The new version, observed on Jan. 20, dropped the hardcoded IPs.

Like other IoT bots, the newly discovered HNS bot cannot achieve persistence, and a reboot would bring the compromised device back to its clean state. It is the second known IoT botnet to date, after the notorious Hajime botnet, that has a decentralized, peer-to-peer architecture. However, if in the case of Hajime, the p2p functionality was based on the BitTorrent protocol, here we have a custom-built p2p communication mechanism.

UDP communication mechanism

The bot opens a random port on the victim, and adds firewall rules to allow inbound traffic for the port. It then listens for connections on the open port and only accepts the specific commands described below. Our initial look at the sample revealed an elliptic curve key inside the file that is used to authenticate the command which updates the memory zone where configuration settings are stored, to prevent infiltration or poisoning attempts against the botnet.


While IoT botnets have been around for years, mainly used for DDoS attacks, the discoveries made during the investigation of the Hide and Seek bot reveal greater levels of complexity and novel capabilities such as information theft – potentially suitable for espionage or extortion.

It is also worth noting that the botnet is undergoing constant redesign and rapid expansion.

credit: BitDefender