A new botnet has been discovered that is able to render routers, servers, and Internet of Things (IoT) devices inoperable by wiping all data from infected systems. The finding was disclosed by security researchers from Netlab, the network security division of Chinese tech giant Qihoo 360.
Dubbed HEH, the botnet is written in the Go language, uses a proprietary P2P protocol, and contains three functional modules: a propagation module, a local HTTP service module and a P2P module. It spreads by launching brute-force attacks against any device that has Telnet ports 23/2323 exposed to the internet.
The researchers discovered multiple malware samples supporting various CPU architectures, including x86 (32/64), ARM (32/64), MIPS (MIPS32/MIPS-III) and PPC. Once the botnet gains access to a system, it downloads one of seven binaries that install the HEH malware.
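Because HEH's only propagation path reported by Netlab is Telnet brute force on ports 23/2323, the practical defensive signal is a burst of failed Telnet logins from one source. The following script is an added example, not code from the article or from Netlab: it parses constructed, clearly synthetic login-log lines in a hypothetical `timestamp src=… dport=… result=…` format and flags any source that accumulates a threshold of failed Telnet logins inside a sliding time window. The log format, threshold and window are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports HEH brute-forces, per the Netlab write-up quoted in the article.
TELNET_PORTS = {23, 2323}

# Constructed sample lines (not real captures from any HEH infection) in a
# hypothetical "timestamp src=... dport=... result=... user=..." format.
SAMPLE_LOG = """\
2020-10-01T12:00:01 src=198.51.100.7 dport=23 result=FAIL user=root
2020-10-01T12:00:03 src=198.51.100.7 dport=23 result=FAIL user=admin
2020-10-01T12:00:05 src=198.51.100.7 dport=2323 result=FAIL user=root
2020-10-01T12:00:06 src=198.51.100.7 dport=23 result=FAIL user=guest
2020-10-01T12:00:09 src=198.51.100.7 dport=23 result=FAIL user=support
2020-10-01T12:00:40 src=203.0.113.9 dport=22 result=FAIL user=root
2020-10-01T12:01:10 src=192.0.2.44 dport=23 result=OK user=admin
2020-10-01T12:30:00 src=198.51.100.7 dport=23 result=FAIL user=root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) result=(?P<result>\S+)"
)


def parse_line(line):
    """Return (timestamp, src, dport, result), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"]), m["result"])


def detect_telnet_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failed Telnet logins inside any sliding window.

    Only failures against TELNET_PORTS count; SSH noise and successful logins
    are ignored. Returns {src: max_failures_seen_in_one_window} for flagged
    sources only, so an empty dict means nothing crossed the threshold.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dport, result = rec
        if dport in TELNET_PORTS and result == "FAIL":
            failures[src].append(ts)

    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        best = 0
        for end, t in enumerate(times):
            # Slide the window start forward until times[start..end] fit in `window`.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, n in detect_telnet_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {src} made {n} failed Telnet logins within 60s")
```

In the constructed sample, 198.51.100.7 produces five failures in eight seconds and is flagged, while its lone failure half an hour later falls outside the window; the SSH failure and the successful Telnet login are ignored. The sliding window matters because a simple per-hour count would also fire on a legitimate admin mistyping a password a few times over a day, whereas a brute-force scanner of the kind the article describes fails dozens of times in seconds.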
“The HEH Botnet samples we captured were originally downloaded and executed by a malicious Shell script named wpqnbw.txt. The malicious Shell script then downloads and executes every single one of the malicious programs for all different CPU architectures; there is no environment checking or things like that, just run all the programs in turn,” the researchers wrote.
Currently, the botnet has only limited functionality without offensive capabilities, which means it is still in the development stage.
“At present, the most useful functions for the entire Botnet are to execute Shell commands, update Peer List and UpdateBotFile. The Attack function in the code is just a reserved empty function, and has not been implemented,” the research team said.
However, the analysis of the code revealed something interesting: when the bot receives a specific command, it will try to wipe out everything on all the disks via a series of Shell commands.
“The operating mechanism of this botnet is not yet mature; some important functions such as the attack module have not yet been implemented. Also, the P2P implementation still has flaws: the Bot does maintain a Peer List internally, and there is ongoing Ping<-->Pong communication between peers, but the entire Botnet is still considered centralized, as currently the bot node cannot send control commands. In addition, the mechanism of carrying the sample itself through the local HTTP Server is not very pretty. With that being said, the new and developing P2P structure, the multiple CPU architecture support, and the embedded self-destruction feature all make this botnet potentially dangerous,” the researchers concluded.