How HEH Botnet Spreads
The new IoT botnet was discovered by security researchers at Netlab, the network security division of Chinese tech giant Qihoo 360. The botnet is written in the Go programming language and uses a proprietary P2P communication protocol. Netlab researchers named the new bot HEH Botnet after the name of the project inside the sample files they discovered. HEH spreads by launching brute-force attacks against telnet services on ports 23 and 2323. If an internet connected device’s ports uses default or easy to guess telnet credentials, the botnet gains access to the device. Once it has access, the botnet immediately downloads seven binary program files that install the HEH Botnet. The sample HEH files captured by the researchers were originally downloaded and executed by a malicious Shell script named wpqnbw.txt. The script is unsophisticated, it just downloads the seven program files and runs them. “There is no environment checking or things like that, just run all the programs in turn,” the researchers wrote in their report. Analysis of the bot revealed that it contains three modules. Namely, a propagation module, a local HTTP service module and a P2P module.
HEH Botnet’s Features
HEH doesn’t contain any malicious features. For instance, it can’t launch DDoS attacks, it can’t mine cryptocurrency or infect devices with malware. Currently, HEH’s main function is to trap infected devices and force them to perform brute-force attacks to grow the botnet. The botnet also includes a feature that lets cybercriminals run malicious Shell commands on infected devices. However, the most interesting characteristic discovered in the bot, is code that can completely wipe infected IoT smart devices, rendering them inoperable. The code not only wipes data from IoT devices, it also wipes the device’s firmware or operating system. However, the disk wiping feature is present in the code but is not yet operational. Once operational, the code could wipe hundreds of devices such as home routers, IoT smart devices and even Linux servers. Furthermore, the malware supports multiple CPU architectures. “At present, the most useful functions for the entire Botnet are to execute Shell commands, update Peer List and UpdateBotFile. The Attack function in the code is just a reserved empty function, and has not been implemented,” explained the researchers.
Still Under Development
As the HEH Botnet currently only has limited functionality, Netlab searchers believe that the bot is probably still under development. “The operating mechanism of this botnet is not yet mature, some important function such as attack module have not yet been implemented. Also the P2P implementation still has flaws,” explained the researchers. However, the researchers concluded, that “the new and developing P2P structure, the multiple CPU architecture support, the embedded self-destruction feature, all make this botnet potentially dangerous.”
How to Prevent Attack
As most owners do not change factory-set authentication credentials on their IoT devices, they leave themselves open to botnet attacks. With some devices the default credentials are very easy to guess. Experts therefore advise that manufacturers ship devices with telnet turned off, rather than leave it on by default with factory-set authentication credentials. This would prevent customers becoming victims to the future fully functional HEH Botnet, as well as any other bots. To fix IoT devices wiped by the HEH botnet, owners would need to know how to reinstall firmware on the infected devices. Therefore, this could mean that some devices would remain inoperable, with owners choosing to throw them away and buying a new one instead.