By: Ravie Lakshmanan
Cybersecurity researchers have taken the wraps off a new botnet hijacking Internet-connected smart devices in the wild to perform nefarious tasks, mostly DDoS attacks, and illicit cryptocurrency coin mining.
Discovered by Qihoo 360’s Netlab security team, the HEH Botnet — written in Go language and armed with a proprietary peer-to-peer (P2P) protocol, spreads via a brute-force attack of the Telnet service on ports 23/2323 and can execute arbitrary shell commands.
The researchers said the HEH botnet samples discovered so far support a wide variety of CPU architectures, including x86(32/64), ARM(32/64), MIPS(MIPS32/MIPS-III), and PowerPC (PPC).
The botnet, despite being in its early stages of development, comes with three functional modules: a propagation module, a local HTTP service module, and a P2P module.
Initially downloaded and executed by a malicious Shell script named “wpqnbw.txt,” the HEH sample then uses the Shell script to download rogue programs for all different CPU architectures from a website (“pomf.cat”), before eventually terminating a number of service processes based on their port numbers.
The second phase commences with the HEH sample starting an HTTP server that displays the Universal Declaration of Human Rights in eight different languages and subsequently initializing a P2P module that keeps track of the infected peers and allows the attacker to run arbitrary shell commands, including the ability to wipe all data from the compromised device by triggering a self-destruct command.
Other commands make it possible to restart a bot, update the list of peers, and exit the current running bot, although an “Attack” command is yet to be implemented by the botnet authors.
“After the Bot runs the P2P module, it will execute the brute-force task against the Telnet service for the two ports 23 and 2323 in a parallel manner, and then complete its own propagation,” the researchers said.
In other words, if the Telnet service is opened on port 23 or 2323, it attempts a brute-force attack using a password dictionary consisting of 171 usernames and 504 passwords. On a successful break-in, the newly infected victim is added to the botnet, thereby amplifying it.
“The operating mechanism of this botnet is not yet mature, [and] some important functions such as the attack module have not yet been implemented,” the researchers concluded.
“With that being said, the new and developing P2P structure, the multiple CPU architecture support, the embedded self-destruction feature, all make this botnet potentially dangerous.”