Security researchers have discovered the re-emergence of the Hide and Seek IoT botnet, which is the first of its type to be able to survive a device reboot.

Initially discovered in January this year by Bitdefender, the botnet has managed to infect around 90,000 devices worldwide. Researchers believe that the current intention of its designers is to infect as many possible devices as possible before adding capabilities that will monetize the botnet, like the ability to carry out DDoS attacks.

The most recent version is the first to gain persistence – the ability to survive a reboot. Previously, devices have been returned to a ‘clean state’ when rebooted. However, the Hide and Seek botnet is able to survive this, as long as the infection took place via Telnet.

This is because the malware copies itself into the /etc/init.d/ and makes it start alongside the operating system. It needs root privileges to copy the binary into this directory, hence the requirement that the infection takes place via Telnet in order to gain persistence.

hide and seek worldmap

The spread of the Hide and Seek botnet as of January 2018. Credit: Bitdefender

Given the number of devices infected, and its newfound ability to survive a reboot, the discovery could have significant implications. John Moor, managing director of the IoT Security Foundation, which provides best practice advice, believes there is an issue with awareness in the industry.

“I’ve been in tech for more than 30 years now and have been an ambassador for an innovation. But we’re now at a point where we need to proceed more cautiously. With IoT, we took two steps back in terms of security. We had issues with PC and mobile security and made progress with those, but now we are back in a worse position with IoT,” he said.

“Manufacturers have little understanding of the attack surface that opens up, due to connectivity. Regulation is something that nobody really wants, but it’s quite clear that it’s something we need.”

Stephen Gailey, solutions architect at Exabeam, commented: “Increasingly machine learning techniques as part of entity analytics monitoring is the only way to identify and ultimately shut down these botnets. Already there are far more Internet-connected devices active in the world – only behavioural analytics for systems stands a chance of combating those who seek to take control of them.”

Samples of the Hide and Seek malware found by Bitdefender target a number of generic devices, which once infected look for nearby peers looking for the presence of the Telnet service. Once this is found, the infected device will attempt brute force access. In turn, if this is successful, the malware restricts access to stop a competing bot from hijacking the device.