Researchers discover the first IoT worm that capable of surviving device reboots – Digitalmunition

security protection

Published on May 10th, 2018 📆 | 3993 Views ⚑


Researchers discover the first IoT worm that capable of surviving device reboots

In recent years, more and more attackers have turned their attention to a growing number of IoT devices because the security of the most Internet of Things devices is weak. For attackers, infecting enough IoT devices can monetize DDoS attacks. This is the most important way of monetizing most botnets.

Another obvious feature is that the worm usually crashes after rebooting because it must add itself to the autostart list to continue running.

Bitdefender researchers discovered that the version of the worm that had been updated since the end of April already had the ability to open itself since tracing the Internet of Things Hide and Seek (HNS) worm.

The HNS worm has all kinds of wonderful features. For example, the worm mainly uses the self-built P2P network protocol to infect and communicate with each other.

After NHS infects a device, it will open UDP protocol and randomly generate ports and then add it to the firewall whitelist to detect more devices.


At the same time, unlike other Internet of Things worms, the NHS does not have a DDoS module, which means that the attackers have not yet attempted to profit this way.

After analyzing, the researchers found that NHS has 10 different binary files built in. Each binary file corresponds to the Telnet protocol of different operating systems.

In order to achieve continuous operation to avoid the purpose of interruption, the worm needs to obtain root permission and add itself to /etc/init.d/ to start the boot.

Bitdefender researchers believe that the fact that the NHS does not have a DDoS module means that the attacker may have other purposes, such as espionage and eavesdropping.

The equipment that the NHS mainly infects is a webcam. It can not only view the content but also enter the intranet where the camera is located through the camera network.

It is estimated that 90,000 Internet cameras and other Internet-connected devices have been infected. It is recommended that users of IoT devices modify their passwords on a regular basis.

Leave a Reply ✍