October 24, 2020

360 Netlab found a new HEH IoT P2P Botnet


360 Netlab recently discovered the HEH botnet, which uses a P2P protocol and spreads aggressively over ports 23/2323 through the Telnet service.

Its malware module is mainly used to infect IoT devices and form a botnet that can execute arbitrary shell commands and use the infected devices for DDoS attacks and crypto mining.

What surprised the researchers was the range of architectures the botnet supports: malware modules are built for all the mainstream architectures so that it can spread and infect as widely as possible.

The supported architectures include x86 (32/64), ARM (32/64), MIPS32, MIPS-III, and even PPC.

Unlike traditional malware that relies on specific servers and specific domain names, the samples discovered this time use a P2P protocol for decentralized communication.

Infected devices connect to one another over a peer-to-peer protocol, and each runs a local service module and a propagation module that infects further devices around it.

Of course, the core is still vulnerabilities and weak passwords. Its built-in credential list is a dictionary of 171 user names and 504 passwords used to brute-force IoT devices.

If a device still uses its default password, it is extremely vulnerable to infection. Once infected, the malware downloads the corresponding module, continues spreading, and waits for instructions.
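The propagation behaviour described above (one infected device probing its neighbours on 23/2323) leaves a recognisable trace in gateway logs. The following detection logic is an added example, not code from the article or from 360 Netlab; it assumes netfilter-style syslog lines and runs over constructed sample lines, flagging any source that reaches several distinct hosts on Telnet ports within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed netfilter-style log lines (not from the original article). A LAN
# device that has been infected and is scanning its neighbours looks like 198.51.100.7.
SAMPLE_LOG = """\
Oct 24 10:00:01 gw kernel: IN=br0 SRC=198.51.100.7 DST=198.51.100.20 PROTO=TCP SPT=40000 DPT=23 SYN
Oct 24 10:00:01 gw kernel: IN=br0 SRC=198.51.100.7 DST=198.51.100.21 PROTO=TCP SPT=40001 DPT=2323 SYN
Oct 24 10:00:02 gw kernel: IN=br0 SRC=198.51.100.7 DST=198.51.100.22 PROTO=TCP SPT=40002 DPT=23 SYN
Oct 24 10:00:03 gw kernel: IN=br0 SRC=198.51.100.7 DST=198.51.100.23 PROTO=TCP SPT=40003 DPT=23 SYN
Oct 24 10:00:05 gw kernel: IN=br0 SRC=198.51.100.8 DST=198.51.100.20 PROTO=TCP SPT=50000 DPT=22 SYN
Oct 24 10:00:06 gw kernel: IN=br0 SRC=198.51.100.8 DST=198.51.100.21 PROTO=TCP SPT=50001 DPT=80 SYN
Oct 24 10:00:07 gw kernel: IN=br0 SRC=198.51.100.9 DST=198.51.100.30 PROTO=TCP SPT=60000 DPT=23 SYN
Oct 24 10:10:07 gw kernel: IN=br0 SRC=198.51.100.9 DST=198.51.100.31 PROTO=TCP SPT=60001 DPT=23 SYN
Oct 24 10:20:07 gw kernel: IN=br0 SRC=198.51.100.9 DST=198.51.100.32 PROTO=TCP SPT=60002 DPT=23 SYN
"""

TELNET_PORTS = {23, 2323}  # the ports the article reports HEH spreading over
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

def parse_telnet_events(log_text, year=2020):
    """Yield (timestamp, src, dst) for TCP connection attempts to Telnet ports."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) not in TELNET_PORTS:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["dst"]

def detect_telnet_scanners(log_text, threshold=3, window_seconds=60):
    """Return {src: distinct_targets} for sources that probe `threshold` or more
    distinct hosts on 23/2323 within any `window_seconds` span."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst in parse_telnet_events(log_text):
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so each window starts at events[i]
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                flagged[src] = len(targets)
                break
    return flagged
```

With the defaults only 198.51.100.7 is flagged; 198.51.100.9 touches three Telnet targets but twenty minutes apart, so it only shows up when the window is widened, which is the knob to tune against slow scanners versus legitimate management traffic.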

However, the botnet is still in its early stages and under active development. Functions already implemented include multi-architecture support and a self-destruct capability to erase its own traces.

Infected IoT devices are still used to launch DDoS attacks, but an additional function has now been added: distributed crypto mining on the IoT devices themselves.

Although IoT processors are very weak and their mining capability is extremely poor, the attackers value quantity, and with enough devices mining is still profitable.

Many IoT botnets have therefore begun bundling mining modules to maximize profits, and mining may interfere with the normal operation of the affected devices.

The most important thing for users is still to check regularly for firmware updates and to change the default password; otherwise easily infected devices such as routers may end up as zombies in an IoT botnet.

Via: netlab