HEH malware destroys all data on IoT devices

Written by Emma Davis

Specialists at Qihoo 360 have warned of a new malware family, HEH, which infects IoT devices and can wipe them completely, destroying all data on the device including the OS and firmware.

The botnet spreads by brute force, attacking any Internet-connected device that exposes a Telnet service on port 23 or 2323.

If the device uses default credentials or an easily guessed username and password, the bot logs in, immediately downloads one of seven binaries and installs the HEH malware, Qihoo 360 said.
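The spreading pattern described above, one source opening Telnet connections to host after host, is easy to spot at a network edge. The following is an added example, not Netlab's tooling or HEH code: it reads firewall log lines in the iptables LOG format, keeps the TCP SYNs to ports 23 and 2323, flags any source that probed at least `min_targets` distinct hosts, and separately counts repeated connects from one source to one host, which is what a credential-guessing loop looks like. The log lines, hostnames and addresses are constructed for the example.

```python
"""Spot Telnet (23/2323) scanning and repeated connects in iptables LOG output.

Added example for this article; the log lines below are constructed in the
iptables LOG format and are not captures from any real device.
"""
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}

# Constructed sample: one source sweeping four hosts on 23/2323, one unrelated
# HTTPS connection, and one source connecting twice to the same Telnet host.
SAMPLE_LOG = """\
Oct  6 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Oct  6 10:00:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 LEN=60 PROTO=TCP SPT=40002 DPT=23 SYN URGP=0
Oct  6 10:00:02 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 LEN=60 PROTO=TCP SPT=40003 DPT=2323 SYN URGP=0
Oct  6 10:00:02 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.13 LEN=60 PROTO=TCP SPT=40004 DPT=23 SYN URGP=0
Oct  6 10:00:03 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=443 SYN URGP=0
Oct  6 10:00:03 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51001 DPT=23 SYN URGP=0
Oct  6 10:00:04 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51002 DPT=23 SYN URGP=0
"""

# Fields of interest in an iptables LOG line; only TCP SYNs (new connections) count.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dport>\d+) .*?SYN"
)


def parse_telnet_syns(log_text):
    """Yield (src, dst, dport) for every TCP SYN aimed at a Telnet port."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dport = int(m.group("dport"))
        if dport in TELNET_PORTS:
            yield m.group("src"), m.group("dst"), dport


def find_telnet_scanners(log_text, min_targets=3):
    """Return {src: sorted distinct targets} for sources that probed >= min_targets hosts."""
    targets = defaultdict(set)
    for src, dst, _ in parse_telnet_syns(log_text):
        targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_repeat_connectors(log_text, min_attempts=2):
    """Return {(src, dst): count} for pairs with >= min_attempts Telnet connects.

    Each guessed credential normally costs the bot a fresh connection, so repeated
    SYNs from one source to one host are the network-side trace of brute forcing.
    """
    counts = defaultdict(int)
    for src, dst, _ in parse_telnet_syns(log_text):
        counts[(src, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_attempts}


if __name__ == "__main__":
    for src, hosts in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"{src} probed Telnet on {len(hosts)} hosts: {', '.join(hosts)}")
    for (src, dst), n in find_repeat_connectors(SAMPLE_LOG).items():
        print(f"{src} connected to {dst}:telnet {n} times")
```

Thresholds are deliberately low so the constructed sample triggers them; on a real perimeter you would raise `min_targets` and `min_attempts` and window the counts by time. On the device side the lasting fix is the one the article implies: turn Telnet off where it is not needed and replace the default credentials.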

Interestingly, HEH so far contains almost none of the functionality botnets usually carry: it does not launch DDoS attacks, does not install miners, and does not use infected devices as proxies.

Instead, the malware makes infected IoT devices brute-force other devices over Telnet, lets its operators execute shell commands on the infected host, and has a destructive routine: it can run a list of predefined shell operations that wipe every partition, erasing all data on the device.

This looks like a self-destruct routine, but wiping every partition also erases the firmware or OS and leaves the device out of action at least until it is reflashed. Worse, not every user is able to reinstall firmware on an IoT device after such an attack, so many will simply discard the bricked device and buy a new one.

Researchers have not yet established whether this behaviour is intentional or the result of a coding mistake by the malware's authors.

Thousands of devices, including routers, other IoT gear and even Linux servers, could be destroyed by this function. The botnet attempts to log in to any device it can reach on those ports, Windows systems included, but the HEH malware itself only runs on *NIX platforms, Qihoo 360 experts said.

So far, HEH samples have been identified for the following architectures: x86 (32/64), ARM (32/64), MIPS (MIPS32/MIPS-III) and PPC.
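When a bot drops one of several binaries, sorting the samples by target architecture is the first triage step, and it needs nothing more than the ELF header. The following is an added example, not Netlab's tooling or HEH code: it reads the ELF identification bytes and `e_machine` to report machine, word size and endianness, and for MIPS it also decodes the ISA level stored in the top nibble of `e_flags`, which is what separates a MIPS32 build from a MIPS-III one. The headers it runs on are constructed in the block (file names and layout are made up for the example).

```python
"""Classify ELF samples by target architecture from the header alone.

Added example for this article. The 'samples' are minimal constructed ELF
headers, not HEH binaries; e_machine and EF_MIPS_ARCH values are from the ELF
and MIPS ABI specifications.
"""
import struct

EM_386, EM_X86_64, EM_ARM, EM_AARCH64, EM_MIPS, EM_PPC, EM_PPC64 = 3, 62, 40, 183, 8, 20, 21
MACHINE_NAMES = {
    EM_386: "x86", EM_X86_64: "x86-64", EM_ARM: "ARM (32)", EM_AARCH64: "ARM (64)",
    EM_MIPS: "MIPS", EM_PPC: "PowerPC", EM_PPC64: "PowerPC64",
}
# EF_MIPS_ARCH: ISA level in the top four bits of e_flags.
MIPS_ARCH = {
    0x00000000: "MIPS-I", 0x10000000: "MIPS-II", 0x20000000: "MIPS-III",
    0x30000000: "MIPS-IV", 0x40000000: "MIPS-V", 0x50000000: "MIPS32",
    0x60000000: "MIPS64", 0x70000000: "MIPS32r2", 0x80000000: "MIPS64r2",
}


def elf_arch(data):
    """Return (arch, bits, endianness) for an ELF image, or None if it is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    end = "<" if ei_data == 1 else ">"
    bits = 32 if ei_class == 1 else 64
    e_machine = struct.unpack_from(end + "H", data, 18)[0]   # e_type at 16, e_machine at 18
    flags_off = 36 if bits == 32 else 48                       # e_flags follows e_entry/e_phoff/e_shoff
    if len(data) < flags_off + 4:
        return None
    e_flags = struct.unpack_from(end + "I", data, flags_off)[0]
    name = MACHINE_NAMES.get(e_machine, f"unknown(0x{e_machine:x})")
    if e_machine == EM_MIPS:
        name = MIPS_ARCH.get(e_flags & 0xF0000000, "MIPS (unknown ISA)")
    return name, bits, "little" if ei_data == 1 else "big"


def make_elf_header(ei_class, ei_data, e_machine, e_flags=0):
    """Build a constructed minimal ELF header (through e_flags) for test input."""
    end = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    if ei_class == 1:   # ELF32: e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags
        rest = struct.pack(end + "HHIIIII", 2, e_machine, 1, 0, 0, 0, e_flags)
    else:               # ELF64: same fields with 64-bit e_entry/e_phoff/e_shoff
        rest = struct.pack(end + "HHIQQQI", 2, e_machine, 1, 0, 0, 0, e_flags)
    return ident + rest


def triage(samples):
    """Group sample names by (arch, bits, endianness); non-ELF inputs land under 'not-elf'."""
    groups = {}
    for name, blob in samples.items():
        key = elf_arch(blob) or "not-elf"
        groups.setdefault(key, []).append(name)
    return groups


# Constructed sample set covering the architecture list from the article.
SAMPLES = {
    "bot.x86": make_elf_header(1, 1, EM_386),
    "bot.x86_64": make_elf_header(2, 1, EM_X86_64),
    "bot.arm": make_elf_header(1, 1, EM_ARM),
    "bot.arm64": make_elf_header(2, 1, EM_AARCH64),
    "bot.mips": make_elf_header(1, 2, EM_MIPS, 0x50000000),     # big-endian MIPS32
    "bot.mipsel": make_elf_header(1, 1, EM_MIPS, 0x20000000),   # little-endian MIPS-III
    "bot.ppc": make_elf_header(1, 2, EM_PPC),
    "readme.txt": b"not an ELF file",
}

if __name__ == "__main__":
    for key, names in triage(SAMPLES).items():
        print(f"{key}: {', '.join(names)}")
```

The same function works on real files (read the first 64 bytes and pass them in); it is not a substitute for `readelf -h`, but it is what you would embed in a triage script that has to handle hundreds of dropped binaries.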

If the behaviour is not a bug, HEH is not the first botnet to deliberately damage the devices it infects. The first was BrickerBot, active in 2017, which deliberately crippled poorly secured IoT devices, drawing attention to the state of IoT security and teaching their owners a brutal lesson.

In 2019 it gained a successor, Silex, which also attacked IoT devices and deliberately bricked them.

Other IoT botnets have more conventional aims: we have previously written about the Dark Nexus IoT botnet, which is built for DDoS attacks, and about the Ares IoT botnet, which infects Android devices from HiSilicon, Cubetek and QezyMedia.

RELATED: Our article on how to protect IoT devices.


