HEH, the New Botnet that Can Erase a Router, Server or Device

A group of security researchers has discovered a new botnet called HEH. It is one of the many threats on the network that can put our computers at risk. However, it has a peculiarity: it can be used to erase routers, servers or any device from what we know as the Internet of Things that is connected to the network.

HEH, the botnet that deletes devices

This recently discovered botnet carries code that allows it to erase all data from the systems it has infected, so a router, server or any IoT device it reaches can end up with its data wiped.

It spreads by launching brute-force attacks against any Internet-connected system whose SSH ports (23 and 2323) are exposed on the network. If the device uses default or easy-to-guess SSH credentials, the botnet gains access to the system and immediately downloads one of seven binaries that install the HEH malware.
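The propagation path described above (password guessing against exposed SSH, then a login with guessed credentials) is visible in ordinary sshd logs. The following is an added example, not code from the article or from Netlab: it scans constructed sshd log lines, flags source addresses that exceed a failed-login threshold, and reports any password login that follows such a burst from the same source.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log lines (not taken from the article) modelling a
# password-guessing wave followed by a successful default-credential login.
SAMPLE_LOG = """\
Oct  6 02:11:01 gw sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct  6 02:11:03 gw sshd[812]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Oct  6 02:11:04 gw sshd[812]: Failed password for invalid user pi from 203.0.113.7 port 51025 ssh2
Oct  6 02:11:06 gw sshd[812]: Failed password for root from 203.0.113.7 port 51027 ssh2
Oct  6 02:11:09 gw sshd[812]: Accepted password for root from 203.0.113.7 port 51031 ssh2
Oct  6 02:12:40 gw sshd[901]: Failed password for alice from 198.51.100.5 port 40110 ssh2
Oct  6 02:12:52 gw sshd[903]: Accepted publickey for alice from 198.51.100.5 port 40112 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")


def analyse(log_text, threshold=3):
    """Return (suspects, logins_after_failures).

    suspects: {source_ip: sorted usernames tried} for sources with at least
              `threshold` failed password attempts.
    logins_after_failures: [(source_ip, user)] for password logins accepted
              from a source that had already reached the threshold.
    """
    failures = Counter()
    users = defaultdict(set)
    logins_after_failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            # Key-based logins are not what a credential-guessing bot produces.
            if method == "password" and failures[ip] >= threshold:
                logins_after_failures.append((ip, user))
    suspects = {ip: sorted(users[ip]) for ip, n in failures.items() if n >= threshold}
    return suspects, logins_after_failures


if __name__ == "__main__":
    suspects, compromised = analyse(SAMPLE_LOG)
    for ip, tried in suspects.items():
        print(f"brute-force source {ip}: tried {', '.join(tried)}")
    for ip, user in compromised:
        print(f"ALERT: password login as {user} from {ip} after repeated failures")
```

The threshold and regexes assume the default OpenSSH log format; on a device that only has a busybox-style log, the patterns would need adjusting.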

It should be noted that the HEH malware does not contain any offensive features such as launching DDoS attacks, installing cryptocurrency miners, or running proxies to redirect traffic to malicious sites.

HEH botnet features

However, among the features it does have, we can name one that takes over infected devices and forces them to carry out brute-force SSH attacks across the Internet to help the botnet grow. Another lets attackers execute shell commands on the infected device, and a variant of this second function runs a predefined list of shell operations that erase all partitions on the device.

The HEH botnet was discovered by Netlab security researchers. Because it is a relatively new threat, there is not yet enough information to know whether wiping devices is something it always does. However, they indicate that if this function is used frequently, it could leave hundreds or thousands of devices unusable.

Among the equipment that could be affected by this threat are routers, IoT devices of all kinds and servers. Basically, it can infect any computer that exposes SSH ports with weak security, and that includes Windows systems.

Erasing the partitions also erases the device's firmware or operating system. This would leave the equipment out of action at least temporarily, until the firmware or operating system is reinstalled. In the worst case it could mean that the equipment stops working for good, since reinstalling the firmware might not be easy.

Netlab has indicated that it detected HEH samples that can run on the following CPU architectures: x86 (32/64), ARM (32/64), MIPS (MIPS32/MIPS-III) and PPC.