New Botnet Wipes Disks & Memory on Routers & IoT Devices


There’s a new botnet in town and this one is creating some serious new security risks.

HEH was discovered by security researchers from Netlab. It is a botnet whose code can wipe all data from infected systems such as routers, servers, and IoT (Internet of Things) devices.

The botnet spreads by launching brute-force attacks against any internet-connected system that has an SSH port exposed online.

If such a device uses default or easy-to-guess SSH credentials, the botnet can easily gain access to it.

Once it gains access, it downloads one of seven binaries that install the HEH malware.
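The infection path described above (exposed SSH, guessed credentials, then a successful login from the same source) leaves a recognisable trace in the sshd log. The following added example, which is not code from the article or from Netlab, shows how a defender can spot that pattern in authentication-log lines and check an sshd_config for the weak settings the botnet relies on. The log lines, the config fragments, the IP addresses (documentation ranges) and the thresholds are all constructed for this illustration.

```python
"""Detect SSH brute-force activity in sshd log lines and audit sshd_config.

Added example (not from the article or the Netlab write-up). Sample log
lines, config fragments and thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines: one source guesses several accounts,
# then logs in with a password; a second source is a normal key-based login.
SAMPLE_AUTH_LOG = """\
Oct  7 10:01:02 gw sshd[2101]: Failed password for root from 203.0.113.5 port 51022 ssh2
Oct  7 10:01:03 gw sshd[2102]: Failed password for root from 203.0.113.5 port 51023 ssh2
Oct  7 10:01:04 gw sshd[2103]: Failed password for admin from 203.0.113.5 port 51024 ssh2
Oct  7 10:01:05 gw sshd[2104]: Failed password for invalid user pi from 203.0.113.5 port 51025 ssh2
Oct  7 10:01:06 gw sshd[2105]: Failed password for admin from 203.0.113.5 port 51026 ssh2
Oct  7 10:01:09 gw sshd[2106]: Accepted password for admin from 203.0.113.5 port 51027 ssh2
Oct  7 10:03:30 gw sshd[2107]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Oct  7 10:03:41 gw sshd[2108]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2020):
    """Turn sshd Accepted/Failed lines into event dicts (syslog lines carry no year)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def find_brute_force(events, threshold=5, window_s=60):
    """Return {ip: info} for sources with >= threshold failures within window_s seconds.

    info also records whether a password login from that source followed the
    failures, which is the sign that a guessable credential was accepted."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        start = 0
        for end in range(len(fails)):  # sliding window over failure timestamps
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[end]["ts"]
                success = [e for e in evs if e["result"] == "Accepted"
                           and e["method"] == "password" and e["ts"] >= last_fail]
                hits[ip] = {"failures": len(fails),
                            "users": sorted({e["user"] for e in fails}),
                            "password_login_after_failures": bool(success)}
                break
    return hits


# Constructed sshd_config fragments: the weak one and its hardened counterpart.
WEAK_SSHD_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\nMaxAuthTries 6\n"
HARDENED_SSHD_CONFIG = ("Port 22\nPermitRootLogin no\nPasswordAuthentication no\n"
                        "PubkeyAuthentication yes\nMaxAuthTries 3\n")


def audit_sshd_config(text):
    """List settings that leave the daemon open to password guessing.

    Defaults used when a keyword is absent follow OpenSSH: PermitRootLogin
    prohibit-password, PasswordAuthentication yes, MaxAuthTries 6."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip().lower()
    findings = []
    if settings.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root account can be guessed directly")
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: guessable passwords accepted; use keys")
    if settings.get("maxauthtries", "6").isdigit() and int(settings["maxauthtries"]) > 3 \
            or "maxauthtries" not in settings:
        findings.append("MaxAuthTries above 3: many guesses allowed per connection")
    return findings


if __name__ == "__main__":
    for ip, info in find_brute_force(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
    print(audit_sshd_config(WEAK_SSHD_CONFIG))
```

Running it on the constructed sample flags 203.0.113.5 (five failures across root, admin and pi followed by an accepted password login) and leaves the key-based login from 198.51.100.9 alone; the weak config yields three findings and the hardened one none. On a real device the same parser would read `/var/log/auth.log` or `journalctl -u ssh` output, and the threshold and window should be tuned to the host's normal traffic.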

Interestingly, the HEH botnet does not contain any offensive features like launching DDoS attacks or installing crypto-miners. It also doesn’t use code to run proxies and relay traffic for bad actors.

HEH Botnet

The main function lets attackers run shell commands on the infected device.

A second function ensnares infected devices and coerces them to perform SSH brute-force attacks across the internet to help amplify the botnet.

A further feature executes a list of predefined shell operations that wipe all of the device's data.

Netlab researchers, who discovered the botnet and are studying it, said they can't tell if the “device-wiping operation is intentional or just a poorly coded self destruction routine.”

Regardless of whether it was designed to wipe data or not, it could potentially cause hundreds of thousands of devices to have their data wiped.

This includes home routers, IoT smart devices, and yes, even Linux servers.

The HEH malware works solely on *NIX platforms but can infect anything with an unsecured or weakly secured SSH, even Windows systems.

Since wiping all partitions also wipes the device’s firmware or operating system, this operation has the potential to temporarily brick devices — until their firmware or operating systems are reinstalled.

Some device owners may not have the knowledge to reinstall firmware on their IoT equipment, which means permanent data loss and devices that simply no longer work.

The botnet is still spreading, and Netlab detected HEH on the following CPU architectures: x86 (32/64), ARM (32/64), MIPS (MIPS32/MIPS-III) and PPC.

About the author


Denise Elizabeth

Denise is one of our Senior Editors who has over 5 years of hands-on experience in the IT software procurement industry as well as extensive experience in forensic accounting.

Denise has a master's degree in Organization Development and a Bachelor of Science in Accounting & Business Administration. Her career path has taken her through several tech companies, and she has come to work for ITDM full-time as our Senior Editor.
