In late January 2018, a new IoT botnet was reported by Bitdefender. The botnet uses several known vulnerabilities to infect new devices and utilizes a home-brewed P2P protocol to facilitate communication across the botnet. While different in many ways, this botnet’s infection vectors and techniques are very similar to Mirai’s. In fact, many of the related functions exhibit all the signs of code reuse, as was noted in April 2018 by J. Manuel from Fortinet.
Caption: Hide 'N Seek infected device activity within the last hour
Hide 'N Seek has two main functionalities. The first is a scanner whose code seems to be mostly borrowed from the released Mirai source code. This scanner tries to reach random IP addresses on predefined ports (80, 8080, 2480, 5984, and 23) and then exploits the devices that respond. If the exploits fail, the scanner tries to brute force credentials using its hard-coded dictionary. The second functionality implements the P2P communication protocol, which is capable of spreading information about new peers, distributing new binaries, and propagating files from an infected device.
Each client contains a configuration file with a list of SHA-512 hashes of the other files that are available in the botnet, along with their respective file lengths. To retrieve a configuration file from a peer, we query the peer for a file whose hash is all zeros. Using the command “h”, we can retrieve the peer's version beforehand. Afterwards, retrieving all the available files is just a matter of parsing the configuration file and querying each hash it contains.
To avoid hammering peers with queries, we employ a simple failure-rate based failsafe that stops querying a peer once a certain number of attempts have been unsuccessful. Currently, several ELF architectures are supported by this botnet, for example x86, SuperH, MIPS, and ARM. Furthermore, the configuration file also contains hashes for a miner based on the open-source coinminer-opt.
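The retrieval loop described above, as an added example that is not code from the original post or from the botnet: it fetches the configuration file via the all-zero hash, parses it, fetches every listed hash, and keeps only files whose SHA-512 digest and length match the configuration entry, while a failure-rate guard stops the loop once too many queries fail. The configuration layout (one `<sha512 hex> <length>` entry per line), the `FakePeer` in-memory stand-in and its `get` method, and the guard thresholds are all assumptions for illustration; the real wire protocol is not shown on the page.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Assumed configuration layout (not shown in the original post):
# one entry per line, "<sha512 hex digest> <file length in bytes>".
ZERO_HASH = "0" * 128  # querying this hash returns the peer's configuration file


def parse_config(text: str) -> list[tuple[str, int]]:
    """Parse config lines into (sha512 hex, length) pairs; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, length = parts
        if len(digest) != 128 or any(c not in "0123456789abcdef" for c in digest.lower()):
            continue
        if not length.isdigit():
            continue
        entries.append((digest.lower(), int(length)))
    return entries


class FailureGuard:
    """Stop querying a peer once the failure rate is too high after a minimum number of attempts."""

    def __init__(self, min_attempts: int = 5, max_failure_rate: float = 0.5):
        self.min_attempts = min_attempts
        self.max_failure_rate = max_failure_rate
        self.attempts = 0
        self.failures = 0

    def record(self, ok: bool) -> None:
        self.attempts += 1
        if not ok:
            self.failures += 1

    def tripped(self) -> bool:
        if self.attempts < self.min_attempts:
            return False
        return self.failures / self.attempts > self.max_failure_rate


@dataclass
class FakePeer:
    """Constructed in-memory stand-in for a peer: serves files by SHA-512 hex digest."""
    files: dict[str, bytes] = field(default_factory=dict)

    def get(self, digest: str) -> bytes | None:
        return self.files.get(digest)


def fetch_all(peer: FakePeer, guard: FailureGuard) -> tuple[dict[str, bytes], list[str]]:
    """Retrieve the config via the zero hash, then every listed file, keeping only those whose
    SHA-512 and length match the config entry. Returns (verified files, rejected digests)."""
    config = peer.get(ZERO_HASH)
    if config is None:
        return {}, []
    verified, rejected = {}, []
    for digest, length in parse_config(config.decode()):
        if guard.tripped():
            break  # too many failures: stop bothering this peer
        blob = peer.get(digest)
        ok = (blob is not None and len(blob) == length
              and hashlib.sha512(blob).hexdigest() == digest)
        guard.record(ok)
        if ok:
            verified[digest] = blob
        else:
            rejected.append(digest)
    return verified, rejected


def build_demo_peer() -> tuple[FakePeer, str, str, str]:
    """Constructed sample peer: one intact file, one whose content no longer matches its
    advertised hash, one advertised but not served, plus a malformed config line."""
    good = b"constructed sample payload for x86"
    tampered = b"payload that was altered in transit"
    good_h = hashlib.sha512(good).hexdigest()
    tampered_h = hashlib.sha512(b"original payload for MIPS").hexdigest()
    missing_h = hashlib.sha512(b"file no longer served").hexdigest()
    config = "\n".join([f"{good_h} {len(good)}", f"{tampered_h} {len(tampered)}",
                        f"{missing_h} 42", "garbage line"])
    peer = FakePeer({ZERO_HASH: config.encode(), good_h: good, tampered_h: tampered})
    return peer, good_h, tampered_h, missing_h


if __name__ == "__main__":
    demo_peer, *_ = build_demo_peer()
    ok_files, bad = fetch_all(demo_peer, FailureGuard())
    print(f"verified {len(ok_files)} file(s), rejected {len(bad)} digest(s)")
```

Verifying both the digest and the advertised length before accepting a file keeps a crawler from storing tampered or truncated samples under a trusted name, and the guard's minimum-attempt threshold avoids giving up on a peer after a single transient miss.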
As the botnet's architecture is purely P2P, all the data necessary for analysis is obtainable through clients. To estimate the pervasiveness of the botnet, we have exploited this property to recursively get new peers, along with their interconnections.
Caption: Discovered (yellow) and active (green) Hide 'N Seek peers
Unfortunately, every peer selects only a subset of its peer-list (usually one or two clients) that it will share with a given peer on that day. Therefore, we had to expand our list over time. It took us a few days to gather a list of one thousand peers, and thereafter the growth was more or less consistent at one to two thousand new peers per day. The list of currently active peers is much smaller, with approximately 14% active during a one-day sliding window.
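The recursive peer discovery and the one-day activity window described above, as an added example that is not code from the original post: a crawler re-queries every known peer once per day, each peer reveals only one entry of its peer-list per day (rotating by day), and the crawler records when each peer last answered so it can report the fraction active within a sliding window. The eight-node `NETWORK`, the `OFFLINE` set, `query_peer` and the `Crawler` class are constructed for illustration; the real peer-list exchange is not shown on the page.

```python
from __future__ import annotations

# Constructed toy network: each peer's full peer-list (a crawler learns it only piecewise).
NETWORK = {f"p{i}": [f"p{(i + 1) % 8}", f"p{(i + 3) % 8}"] for i in range(8)}
OFFLINE = {"p5"}  # constructed: a peer that is listed by others but never answers


def query_peer(peer: str, day: int) -> list[str] | None:
    """Model a peer sharing only one entry of its peer-list per day, rotating by day.
    Offline peers return None. Stand-in for the real request, not the real protocol."""
    if peer in OFFLINE or peer not in NETWORK:
        return None
    plist = NETWORK[peer]
    return [plist[day % len(plist)]]


class Crawler:
    """Tracks every peer ever learned and the last day each one answered (None = never)."""

    def __init__(self, seeds: list[str]):
        self.last_seen: dict[str, int | None] = {s: None for s in seeds}

    def crawl_day(self, day: int) -> list[str]:
        """Query every known peer once; return the peers newly discovered today."""
        new = []
        for peer in list(self.last_seen):  # snapshot: peers found today are queried tomorrow
            shared = query_peer(peer, day)
            if shared is None:
                continue  # no answer: last_seen stays as it was
            self.last_seen[peer] = day
            for other in shared:
                if other not in self.last_seen:
                    self.last_seen[other] = None
                    new.append(other)
        return new

    def discovered(self) -> int:
        return len(self.last_seen)

    def active_fraction(self, now: int, window_days: int = 1) -> float:
        """Share of known peers that answered within the last window_days days."""
        active = sum(1 for seen in self.last_seen.values()
                     if seen is not None and now - seen < window_days)
        return active / len(self.last_seen)


def run_demo(days: int = 5) -> tuple[list[int], float]:
    """Crawl from a single seed for `days` days; return the cumulative discovered count
    per day and the fraction active in a one-day window at the end."""
    crawler = Crawler(["p0"])
    growth = []
    for day in range(days):
        crawler.crawl_day(day)
        growth.append(crawler.discovered())
    return growth, crawler.active_fraction(now=days - 1)


if __name__ == "__main__":
    growth, active = run_demo()
    print("discovered per day:", growth)
    print(f"active in one-day window: {active:.0%}")
```

Because each peer reveals only one list entry per query, the discovered set grows by a bounded amount each day and a peer that is listed but never answers (here `p5`) stays in the discovered set without ever counting as active, which is why the active list is always a fraction of the discovered list.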
So far, the botnet activity seems to be moving from Asia to Europe; however, that may just be an artefact created by the nature of client discovery.
Caption: Hide 'N Seek infected device activity over the past 12 months
- Blog posts related to Hide 'N Seek
- New Hide ‘N Seek IoT Botnet using custom-built Peer-to-Peer communication spotted in the wild, accessed 20.10.2018
- Searching for the Reuse of Mirai Code: Hide ‘N Seek Bot, accessed 20.10.2018