There’s a new botnet in town and this one is creating some serious new security risks.
HEH was discovered by security researchers from Netlab and is a botnet that contains code that can wipe all data from infected systems such as routers, servers, and IoT (Internet of Things) devices.
The way the botnet works is by launching brute-force attacks against any internet-connected system that has SSH ports exposed online.
If the device that has SSH ports exposed online uses default or easy-to-guess SSH credentials, the botnet can easily gain access to the system.
Once it gains access, it downloads one of seven binaries that install the HEH Malware.
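The infection path described above (password guessing against an exposed SSH service, followed by a successful login and payload download) leaves a recognisable trail in the target's authentication log. The following is an added example, not code from the article or from Netlab: a small Python detector that reads sshd log lines, flags a source address once it has produced a configurable number of failed password logins inside a sliding time window, and then reports any password login that the same source later gets accepted, which is the moment a HEH-style bot would start pulling down its binaries. The log lines, hostnames and IP addresses are constructed for this example; the regular expression assumes the standard OpenSSH "Failed password" / "Accepted password" message format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (syslog format, no year). It shows a burst of
# password guesses against root from one address, a success from that same
# address, and two unrelated events that should not be flagged.
SAMPLE_AUTH_LOG = """\
Oct  8 10:21:01 gateway sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Oct  8 10:21:02 gateway sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Oct  8 10:21:02 gateway sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51131 ssh2
Oct  8 10:21:03 gateway sshd[1207]: Failed password for root from 203.0.113.7 port 51140 ssh2
Oct  8 10:21:04 gateway sshd[1209]: Failed password for root from 203.0.113.7 port 51145 ssh2
Oct  8 10:21:05 gateway sshd[1211]: Accepted password for root from 203.0.113.7 port 51150 ssh2
Oct  8 10:25:30 gateway sshd[1300]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Oct  8 10:26:00 gateway sshd[1302]: Failed password for bob from 198.51.100.4 port 33000 ssh2
"""

# Matches OpenSSH's "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(log_text, year=2020):
    """Turn raw sshd lines into (timestamp, result, method, user, ip) tuples.

    Syslog lines carry no year, so one is supplied by the caller (assumed here).
    Lines that are not login results are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def analyze(log_text, threshold=5, window_seconds=60):
    """Flag brute-forcing sources and any password login they later succeed with.

    Returns (flagged, suspicious_logins) where flagged maps source IP to the
    time it crossed the failure threshold, and suspicious_logins lists
    (ip, user, timestamp) for accepted password logins from a flagged source.
    Only password authentication is considered: key-based logins are not
    subject to the guessing described in the article.
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    flagged = {}
    suspicious_logins = []
    for ts, result, method, user, ip in parse_events(log_text):
        if method != "password":
            continue
        if result == "Failed":
            window = failures[ip]
            window.append(ts)
            # Slide the window: discard failures older than window_seconds.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold and ip not in flagged:
                flagged[ip] = ts
        elif result == "Accepted" and ip in flagged:
            # A guessed password that worked: treat the host as compromised.
            suspicious_logins.append((ip, user, ts))
    return flagged, suspicious_logins


if __name__ == "__main__":
    flagged, logins = analyze(SAMPLE_AUTH_LOG)
    for ip, when in flagged.items():
        print(f"brute-force source {ip} crossed threshold at {when}")
    for ip, user, when in logins:
        print(f"ALERT: password login for {user} from brute-forcing source {ip} at {when}")
```

Run against the constructed log, the script flags 203.0.113.7 after its fifth failure and raises an alert for the root login that follows. In practice the threshold and window should be tuned per environment, and the durable fix for the weakness the article describes is to stop exposing password authentication at all: set `PasswordAuthentication no` and `PermitRootLogin no` in sshd_config and use keys, so there is nothing for a bot to guess.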
Interestingly, the HEH botnet does not contain any offensive features like launching DDoS attacks or installing crypto-miners. It also doesn’t use code to run proxies and relay traffic for bad actors.
Really, the main function lets attackers run shell commands on the infected device.
Another function ensnares infected devices and coerces them to perform SSH brute-force attacks across the internet to help amplify the botnet.
The other feature executes a list of predefined shell operations that wipe all of the device’s data.
Netlab researchers, who discovered the botnet and are studying it, said they can’t tell if the “device-wiping operation is intentional or just a poorly coded self destruction routine.”
Regardless of whether it was designed to wipe data or not, it could potentially cause hundreds of thousands of devices to be wiped of data.
This includes home routers, IoT smart devices, and yes, even Linux servers.
The HEH malware works solely on *NIX platforms but can infect anything with an unsecured or weakly secured SSH service, even Windows systems.
Since wiping all partitions also wipes the device’s firmware or operating system, this operation has the potential to temporarily brick devices — until their firmware or operating systems are reinstalled.
Some device owners may not have the knowledge to reinstall firmware on their IoT equipment which means permanent data loss and devices that simply no longer work.
The botnet is still spreading and Netlab detected HEH on the following CPU architectures: x86(32/64), ARM(32/64), MIPS(MIPS32/MIPS-III) and PPC.