Endpoint Security , Fraud Management & Cybercrime , Governance & Risk Management

'Heh' Botnet Targets Telnet on IoT Devices

Researchers Say Bot Code Could Wipe Disks Clean
'Heh' Botnet Targets Telnet on IoT Devices
The shell commands the 'Heh' bot code uses to wipe the disk of infected devices (Source: Netlab 360.com)

Security researchers with the Chinese company Qihoo 360 say they’ve spotted a new IoT botnet that brute forces telnet ports on routers and other devices and is coded with a command to erase infected devices.

See Also: Malware Analysis Spotlight: Why Your EDR Let Pikabot Jump Through

The botnet code also has a somewhat odd feature: It briefly displays the United Nations’ Universal Declaration of Human Rights and is coded to display it in eight languages, according to a blog post from Network Security Research Lab, known as Netlab, which is part of Qihoo 360.

The botnet is written in the Go programming language. Netlab named it “Heh” because that appears to be the project name inside the code. Heh’s malicious scripts and binary programs were posted on a paste site called pomf.cat, Netlab writes.

Netlab’s sample of the botnet came from running a shell script named wpqnbw.txt, which then downloads other components. The botnet targets devices running a variety of architectures, including ARM, x86, MIPS and PowerPC. The shell script downloads all of the malicious code without checking which code may be appropriate for a targeted device, Netlab says.

“It is spreading through brute force of the telnet service on ports 23/2323, which means the bot does not really care what the end devices are; as long as it can enter the device, it will try its luck to infect the target,” Netlab writes.

Researchers with IBM recently noted the growth of the Mozi malware, which, like Heh, is a peer-to-peer botnet that targets IoT devices. IBM says the growth of IoT devices along with poor configuration practices likely led to the rise of Mozi, which comprises about 90% of IoT botnet traffic (see: Researchers Find Mozi Botnet Continues to Grow).

Political Statement?

Heh uses a password dictionary with 171 usernames and 504 passwords to try to take over devices, such as routers, running telnet. It’s generally advised that manufacturers ship devices with telnet turned off rather than leave it on by default with factory-set authentication credentials. Netlab says it opted not to share the password list for security reasons.

Netlab says the Heh bot code has three modules: propagation, a local HTTP service and a peer-to-peer communication module. (Source: Netlab 360.com)

When Heh infects a device through a successful telnet login attempt, it starts looking for its peers. It also starts an HTTP server on port 80. That’s when the human rights charter briefly appears, Netlab says.

“These initial contents of the Universal Declaration of Human Rights will soon be overwritten by the data pulled by the sample from Peer's HTTP service port, and these contents can also be updated through specific instructions in the P2P protocol,” Netlab says.

It's not clear whether inclusion of the Universal Declaration of Human Rights signals a political motivation by those who wrote the bot code.

Immature Malware

The botnet code, however, is far from refined. For example, it isn’t coded to carry out a common malicious function of botnets, such as the ability to conduct a distributed denial-of-service attack, Netlab says.

“The attack function in the code is just a reserved empty function and has not been implemented,” Netlab writes. “It can be seen that the botnet is still in the development stage.”

The bot code maintains an internal list of peers, but individual nodes can’t send control commands. The peer-to-peer implementation also has flaws, Netlab notes. But it is coded to wipe a device. If the botnet received a command containing the number 8, the bot will wipe out the disk with a series of shell commands.

Netlab also expects Heh could be improved, making it more harmful. “With that being said, the new and developing P2P structure, the multiple CPU architecture support and the embedded self-destruction feature all make this botnet potentially dangerous,” Netlab says.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.