‘Heh’ Botnet Targets Telnet on IoT Devices

Endpoint Security , Fraud Management & Cybercrime , Governance & Risk Management

Researchers Say Bot Code Could Wipe Disks Clean

'Heh' Botnet Targets Telnet on IoT Devices The shell commands the Heh bot code uses to wipe the disk of infected devices (Source: Netlab 360.com)

Security researchers with the Chinese company Qihoo say they’ve spotted a new IoT botnet that brute forces telnet ports on routers and other devices and is coded with a command to erase infected devices.

See Also: Live Webinar | PKI as a Service: Exploring the Benefits and Selecting a Provider

The botnet code also has a somewhat odd feature: It briefly displays the United Nations’ Universal Declaration of Human Rights and is coded to display it in eight languages, according to a blog post from Network Security Research Lab, known as Netlab, which is part of Qihoo.

The botnet is written in the Go programming language. Netlab named it “Heh” because that appears to be the project name inside the code. Heh’s malicious scripts and binary was posted on a paste site called pomf.cat, Netlab writes.

Netlab’s sample of the botnet came from running a shell script named wpqnbw.txt, which then downloads other components. The botnet targets devices running a variety of architectures, including ARM, x86, MIPS and PowerPC. The shell script downloads all of the malicious code without checking which code may be appropriate for a targeted device, Netlab says.

“It is spreading through brute force of the telnet service on ports 23/2323, which means the bot does not really care what the end devices are; as long as it can enter the device, it will try its luck to infect the target,” Netlab writes.

Researchers with IBM recently noted the growth of the Mozi malware, which, like Heh, is a peer-to-peer botnet that targets IoT devices. IBM says the growth of IoT devices along with poor configuration practices likely led to the rise of Mozi, which comprises about 90 percent of IoT botnet traffic (see Researchers Find Mozi Botnet Continues to Grow)

Political Statement?

Heh uses a password dictionary with 171 usernames and 504 passwords to try to take over devices, such as routers, running telnet. It’s generally advised that manufacturers ship devices with telnet turned off rather than leave it on by default with factory-set authentication credentials. Netlab says it opted not to share the password list for security reasons.

Netlab says the Heh bot code has three modules: propagation, a local HTTP service and a peer-to-peer communication module. (Source: Netlab 360.com)

When it infects a device through a successful telnet login attempt, it starts looking for its peers. It also starts an HTTP server on port 80. That’s when the human rights charter briefly appears, Netlab says.

“These initial contents of the Universal Declaration of Human Rights will soon be overwritten by the data pulled by the sample from peer’s HTTP service port, and these contents can also be updated through specific instructions in the P2P protocol,” Netlab says.

It’s not clear whether inclusion of the Universal Declaration of Human Rights signals a political motivation by those who wrote the bot code.

Immature Malware

The botnet code, however, is far from refined. For example, it isn’t coded to carry out a common malicious function of botnets, such as the ability to conduct a distributed denial-of-service attack, Netlab says.

“The attack function in the code is just a reserved empty function and has not been implemented,” Netlab writes. “It can be seen that the botnet is still in the development stage.”

The bot code maintains an internal list of peers, but individual nodes can’t send control commands. The peer-to-peer implementation also has flaws, Netlab notes. But it is coded to wipe a device. If the botnet received a command with the number 8, the bot will wipe out the disk with a series of shell commands.

Netlab also expects Heh could be improved, making it more harmful. “With that being said, the new and developing P2P structure, the multiple CPU architecture support and the embedded self-destruction feature all make this botnet potentially dangerous,” Netlab says.

Share this post

Share on facebook
Share on linkedin
Share on print
Share on email

Subscribe to our Monthly Cyber Security Digest

Get monthly content to keep you up to date on the latest news and tips