Security researchers from Bitdefender have discovered a new form of the 'Hide and Seek' IoT malware, which targets several generic devices.
The most worrying aspect of this new strain is its ability to persist despite a reboot. With previous versions, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device.
Hide and Seek's original version, discovered in January 2018, was notable for using a proprietary peer-to-peer network for both C&C and new infection communication. With persistence now added to the feature mix, the botnet has become a more pressing concern for owners of the 90,000+ IoT devices already infected and of other equipment that is vulnerable and still unprotected.
"The botnet seems to undergo massive development as new samples compiled for a variety of architectures have been added as payloads," said Bogdan Botezatu, senior e-threat analyst at Bitdefender, in a blog post concerning the new variant of the malware.
According to the Bitdefender researchers, there are at least 10 different versions of executables that can run on 10 different system variants.
Botezatu said that new binaries now include code to leverage two new vulnerabilities to compromise more IPTV camera models. “In addition to the vulnerabilities, the bot can also identify two new types of devices and pass their default username and passwords,” he said.
The malware targets several generic devices. Once infected, a device scans neighboring peers for the presence of the telnet service. As soon as a telnet service is found, the infected device attempts to brute-force its way in.
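The propagation pattern described above (a sweep of neighboring hosts on port 23, then repeated login attempts against one of them) is something a defender can look for in connection logs. The following is an added example, not code from the article or from Bitdefender; the log format and the addresses are constructed for illustration, and the thresholds are assumptions to tune per network.

```python
"""Flag hosts whose telnet activity looks like Hide and Seek style propagation:
a scan of many neighboring peers on port 23, or a burst of failed telnet logins."""
from collections import defaultdict
import re

# Constructed sample log (not real traffic): "<time> <src> -> <dst>:<port> <result>"
SAMPLE_LOG = """\
10:00:01 192.168.1.20 -> 192.168.1.21:23 connect
10:00:01 192.168.1.20 -> 192.168.1.22:23 connect
10:00:02 192.168.1.20 -> 192.168.1.23:23 connect
10:00:02 192.168.1.20 -> 192.168.1.24:23 connect
10:00:03 192.168.1.20 -> 192.168.1.25:23 connect
10:00:04 192.168.1.20 -> 192.168.1.25:23 login-failed
10:00:05 192.168.1.20 -> 192.168.1.25:23 login-failed
10:00:06 192.168.1.20 -> 192.168.1.25:23 login-failed
10:00:07 192.168.1.20 -> 192.168.1.25:23 login-ok
10:00:08 192.168.1.30 -> 192.168.1.25:23 connect
10:00:09 192.168.1.30 -> 192.168.1.25:23 login-ok
10:00:10 192.168.1.31 -> 192.168.1.5:443 connect
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")

def telnet_propagation_suspects(log_text, min_targets=5, min_failures=3):
    """Return {src: summary} for sources that swept >= min_targets distinct telnet
    peers (scanning) or logged >= min_failures failed telnet logins against a
    single peer (credential brute force). Thresholds are assumed, tune per site."""
    stats = defaultdict(lambda: {"targets": set(), "failures": defaultdict(int), "successes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the format
        _, src, dst, port, result = m.groups()
        if port != "23":
            continue                      # only telnet is relevant here
        s = stats[src]
        s["targets"].add(dst)
        if result == "login-failed":
            s["failures"][dst] += 1
        elif result == "login-ok":
            s["successes"] += 1
    suspects = {}
    for src, s in stats.items():
        max_fail = max(s["failures"].values(), default=0)
        if len(s["targets"]) >= min_targets or max_fail >= min_failures:
            suspects[src] = {"targets": len(s["targets"]),
                             "max_failures": max_fail,
                             "successes": s["successes"]}
    return suspects
```

A flagged source that also shows a successful login after a run of failures is the case to triage first, since that is the point at which a new device joins the botnet.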
"New variations of the Hide and Seek malware continue to exploit common issues with system/software hardening in deployed IoT devices," Irdeto global head of software protection John O'Connor said.
"The current generation of the Hide and Seek botnet could effectively be stopped in its tracks if diligent system hardening was applied during development, including proper management of applications, permissions, ports and user IDs/passwords. As a result, hardening should be a baseline requirement of a system in the development phase."
First published in Enterprise Innovation