New HEH botnet can wipe routers and IoT devices

The disk-wiping feature is present in the code but has not been used yet.
Written by Catalin Cimpanu, Contributor
Image: Netlab

A newly discovered botnet contains code that can wipe all data from infected systems, such as routers, servers, and Internet of Things (IoT) devices.

Named HEH, the botnet spreads by launching brute-force attacks against any internet-connected system that has its Telnet ports (23 and 2323) exposed online.

If the device uses default or easy-to-guess Telnet credentials, the botnet gains access to the system, where it immediately downloads one of seven binaries that install the HEH malware.

This HEH malware doesn't contain any offensive features, such as the ability to launch DDoS attacks, the ability to install crypto-miners, or code to run proxies and relay traffic for bad actors.

The only features present are a function that ensnares infected devices and coerces them to perform Telnet brute-force attacks across the internet to help amplify the botnet; a feature that lets attackers run Shell commands on the infected device; and a variation of this second feature that executes a list of predefined Shell operations that wipe all the device's partitions.

Botnet is in its early stages of development

HEH was discovered by security researchers from Netlab, the network security division of Chinese tech giant Qihoo 360, and detailed for the first time in a report published today.

Because this is a relatively new botnet, Netlab researchers can't tell if the device-wiping operation is intentional or if it's just a poorly coded self-destruction routine.

But regardless of its purpose, if this feature ever gets triggered, it could result in hundreds or thousands of bricked and non-functioning devices.

This could include home routers, Internet of Things (IoT) smart devices, and even Linux servers. The botnet can infect anything with a weakly-secured Telnet ports, even Windows systems, but the HEH malware only works on *NIX platforms.

Since wiping all partitions also wipes the device's firmware or operating system, this operation has the potential to temporarily brick devices — until their firmware or operating systems are reinstalled.

However, in some cases, this could mean permanently bricked systems, as some device owners may not have the knowledge to reinstall firmware on their IoT equipment and may just choose to throw away the old and buy a new device instead.

Currently, Netlab said it detected HEH samples that can run on the following CPU architectures x86(32/64), ARM(32/64), MIPS(MIPS32/MIPS-III) and PPC.

The botnet is still spreading.

HEH, while it hasn't bricked any devices yet, wouldn't be the first botnet that wipes IoT devices. The first two were BirckerBot and Silex.

The biggest Internet of Things, smart home hacks of 2019

Editorial standards