New HEH botnet wipes devices potentially bricking them

A new botnet, tracked as HEH, discovered botnet implements a disk-wiping feature that allows it to wipe all data from the infected systems.

Researchers from from Netlab, the network security division of Chinese tech giant Qihoo 360, have discovered a new botnet, tracked as HEH, that contains the code to wipe all data from infected systems, such as routers, IoT devices, and servers.

Experts noticed that the malware supports multiple CPU architectures, including x86(32/64), ARM(32/64), MIPS(MIPS32/MIPS-III) and PPC, it is written in the Go open-source programming language.

The botnet targets systems with SSH ports (23 and 2323) exposed online by launching brute-force attacks.

The name comes for the project inside the sample, the family samples analyzed by the experts were built by the author in the WSL environment on the Windows platform.

Upon gaining access to the device, the bot downloads one of seven binaries that install the HEH malware.

The analysis of the HEH Bot revealed that it contains three functional modules: propagation module, local HTTP service module and P2P module.

Experts pointed out that the bot doesn’t contain any offensive features, such as the ability to launch DDoS attacks or to mine cryptocurrency, a circumstance that suggests the malware is under development.

“At present, the most useful functions for the entire Botnet are to execute Shell commands, update Peer List and UpdateBotFile. The Attack function in the code is just a reserved empty function, and has not been implemented. It can be seen that the Botnet is still in the developement stage. We will see what the author comes up with the Attack feature.” reads the analysis published by the researchers.

The function for parsing Bot Cmd in Bot is main.executeCommand(), the most notable feature noticed by the experts it related to a cmd with code number 8. When the bot will receive this command it will try to wipe out the content of the disks through a series of Shell commands.

The malware is able to wipe content from home routers, Internet of Things (IoT) smart devices, and Linux servers.

Even if the botnet is still spreading, experts noticed that it has also other major problems in its implementation, for example, the P2P implementation still has flaws. Experts noticed that the Bot does maintain a Peer List internally, and there is ongoing Ping<–>Pong communication between peers, but the overall botnet still works with a centralized model. In the current version, each node cannot send control command to its peers.

“With that being said, the new and developing P2P structure, the multiple CPU architecture support, the embedded self-destruction feature, all make this botnet potentially dangerous.” concludes the post.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, HEH botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]