Recently, security researchers at Netlab (the network security division of Chinese tech giant Qihoo 360) discovered a new botnet called HEH, which contains code that can wipe all data from infected systems such as routers, servers and IoT (Internet of Things) devices. The HEH botnet spreads through brute-force attacks against any internet-connected system that has its SSH ports (23 and 2323) exposed to the internet.
If the device uses default or easily guessed SSH credentials, the botnet gains access to the target system and immediately downloads one of seven binary archives that install the HEH malware. The malware has no "aggressive" features such as the ability to run DDoS attacks, install crypto-miners or run proxies.
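The propagation described above, repeated password guessing against an exposed SSH service followed by a successful login, leaves a trace in the target's authentication log. As an added example, not from the article or from Netlab's report, this Python script flags sources with several failures in a short window and records whether one of them later logged in; the log lines, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the article or the Netlab report).
SAMPLE_LOG = """\
Oct  6 10:01:02 gw sshd[811]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct  6 10:01:03 gw sshd[811]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Oct  6 10:01:04 gw sshd[811]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Oct  6 10:01:05 gw sshd[811]: Failed password for invalid user pi from 203.0.113.7 port 51025 ssh2
Oct  6 10:01:06 gw sshd[811]: Accepted password for admin from 203.0.113.7 port 51026 ssh2
Oct  6 10:05:00 gw sshd[900]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Oct  6 10:05:30 gw sshd[901]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Matches the standard OpenSSH "Failed"/"Accepted" authentication messages.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2020):
    """Yield (timestamp, result, user, ip) for each sshd auth line; syslog omits the year."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def find_bruteforce(log_text, threshold=3, window_s=600):
    """Return {ip: summary} for sources with >= threshold failures inside window_s.
    A later 'Accepted' login from a flagged source is recorded in accepted_as, the
    sequence that precedes a guessed-credential infection like the one described."""
    fails = defaultdict(list)   # ip -> [(timestamp, username), ...]
    hits = {}
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            fails[ip].append((ts, user))
            recent = [(t, u) for t, u in fails[ip] if (ts - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                entry = hits.setdefault(ip, {"failures": 0, "users": set(), "accepted_as": None})
                entry["failures"] = len(recent)
                entry["users"] = {u for _, u in recent}
        elif ip in hits:
            hits[ip]["accepted_as"] = user   # brute force succeeded
    return hits
```

The threshold of three failures fits the constructed sample; on a real host it should be tuned to normal login behaviour.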
According to ZDNet, the malware has only two features: one that traps infected devices and forces them to run SSH brute-force attacks across the internet to grow the botnet, and a second that lets the operators execute shell commands on the infected device. A variant of this second feature, which runs a list of predefined shell commands, wipes all data from the device.
HEH was first analyzed in a report published yesterday. Because the botnet is so new, Netlab researchers cannot yet tell whether the data wipe is intentional or simply a self-destruct routine with "bad" coding. Regardless of its purpose, if this feature is triggered, it could take hundreds or even thousands of devices offline.
HEH targets, among others, home routers, smart IoT devices and Linux servers. The botnet can attack anything with a weakly secured SSH port, even Windows systems; however, the HEH malware itself only runs on *NIX platforms.
In addition, because HEH wipes the device's firmware or operating system, it can leave the device inoperable until the firmware or operating system is reinstalled. Some owners may not know how to reinstall firmware on their IoT device and may simply discard the old device and buy a new one.
Netlab says it has identified HEH samples that run on the following CPU architectures: x86 (32/64), ARM (32/64), MIPS (MIPS32/MIPS-III) and PPC. The botnet is still spreading.