A freshly discovered botnet dubbed HEH by researchers is casting a wide net, looking to infect any and all devices that use Telnet on ports 23/2323. It’s particularly destructive: It contains code that wipes all data from infected systems.
Perhaps ironically, its operators also have a penchant for civil advocacy – a loading of the Universal Declaration of Human Rights, visible to researchers during analysis, accompanies each infection.
According to a 360Netlab analysis, samples of the bot are being found on a wide range of CPU architectures, including x86(32/64), ARM(32/64), MIPS(MIPS32/MIPS-III) and PPC – meaning it’s infecting desktops, laptops, mobile and internet-of-things (IoT) devices. It’s looking to brute-force Telnet credentials, and once in, it infects the target with a Go language binary that communicates with other bot nodes using a proprietary peer-to-peer protocol, researchers said.
Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT), noted that the use of Golang is an ongoing trend in malware development.
“Golang has been steadily rising in popularity including among IoT malware authors,” he said via email. “Go offers a strong feature set with the ability to easily produce self-contained executables across most popular architectures. This marks a shift from IoT malware like Mirai which uses C to produce very compact binaries compared to a Go executable.”
From a technical perspective, the botnet, which gets its name from phrasing inside the code samples, contains three functional modules, according to 360Netlab: A propagation module, a local HTTP service module and the P2P module.
Once a device has been successfully brute-forced (its dictionary includes 171 usernames and 504 passwords), a malicious shell script named wpqnbw.txt is executed on the host, according to the analysis. This propagation module is an initial loader, which goes on to download and execute multiple versions of the second-stage binaries – one for each possible device type.
The malicious scripts and binary programs are fetched from a legitimate pomf.cat site, which has been compromised, researchers explained.
“[There are downloads for] every single one of the malicious programs, for all different CPU architectures, there is no environment checking or things like that, [it] just run[s] all the programs in turn,” explained 360Netlab researchers, in a posting this week.
After the correct version of the code for the CPU architecture is determined, the sample is started. It first starts an HTTP server on the local port :80, researchers said – which is where the human-rights angle comes in.
“The initial state of this HTTP server will be set :80/0 to :80/9 a total of 10 URIs,” according to the post. “Correspondingly, the Universal Declaration of Human Rights in eight languages – and two empty contents – are displayed. For example, the :80/0 returns the Chinese version of the Universal Declaration of Human Rights.”
After this, the sample pulls data for the P2P module over the port, which overwrites the declaration. This is where the botnet gets down to business.
In a P2P botnet, each node (a.k.a. “peer”) has the capability to talk to other peers by what’s known as a ping-pong mechanism. Through this, peers share the own command-and-control functions in a distributed way; maintain their own lists of other peers; and can spread other payloads or components to each other.
In the case of HEH, the P2P module itself includes three components, starting with one that pings for all other nodes (peers) in the botnet at 0.1-second intervals (via a UDP service port) and waits for a pong back; and one that updates the node with the latest peer addresses.
On the latter front, this peer update component receives commands every 10 seconds containing new peer addresses; the node will check whether its peer list already contains the peer address information, and if not, adds it to its peer list.
The third component, a UDP service component, does most of the work, researchers explained: It monitors data or instructions sent by other peers, analyzes the instructions and performs corresponding operations.
“This component has two key functions: UDP service port number generation and command parsing,” according to 360Netlab.
For the former, “the UDP service port of HEH botnet is not fixed, nor is it randomly generated, but is calculated based on [the] peer’s own public network IP,” explained the firm. “Each time HEH bot receives a new peer’s IP address, it will calculate the peer’s UDP port according to the algorithm, and pack this information into its peer list.”
Meanwhile, the instructions that the HEH bot can parse come from a command-and-control server (C2), meaning that the botnet isn’t a true P2P architecture – yet.
“The P2P implementation still has flaws,” the researchers said. “The bot does maintain a peer list internally, and there is ongoing Ping<–>Pong communication between peers, but the entire botnet still is considered centralized, as currently the bot node cannot send control commands.”
Commands and Self-Destruction
The commands that peers can parse are divided into two categories: P2P protocol-related functional instructions, which essentially keep the node updated and continuously connected to other peers; and a module responsible for control instructions (“Bot Cmd”).
The Bot Cmd list supported by HEH bot includes commands for restarting or exiting; executing shell commands; updating the peer list; updating the malware itself; and, crucially, something called “SelfDestruct,” which is the wiper function.
SelfDestruct, which is command No. 8, will tell the bot to wipe out everything on all the disks on the host. Wipers like this are usually seen targeting critical infrastructure and nation-state types of targets, which makes this aspect of HEH stand out.
Two other commands, “launch attacks” and “Misc,” are listed but not implemented in the samples analyzed by 360Netlab – potentially meaning that the botnet is still in the development stages. That’s not to say it doesn’t pose a threat.
“The operating mechanism of this botnet is not yet mature,” researchers noted. “With that being said, the new and developing P2P structure, the multiple CPU architecture support, the embedded self-destruction feature, all make this botnet potentially dangerous.”
It’s unclear how many devices make up the botnet, or if the operators have hit the self-destruct button on any of them yet. Threatpost has reached out to 360Netlab for more information.
Users can protect themselves by making sure Telnet ports 23/2323 aren’t open to the public internet, and by ensuring strong passwords on devices.
P2P Botnets on the Rise
P2P architectures are attractive for botnets because they introduce redundancy and decentralization, making them difficult to dismantle. Also, a single communication to a single node is all it takes to propagate a new command or feature, allowing operators more opportunities for stealth when it comes to their control infrastructure.
As such, P2P botnets have been on the rise. For instance, the coin-mining botnet known as DDG for instance adopted a proprietary peer-to-peer (P2P) mechanism in April that has turned the DDG into a highly sophisticated, “seemingly unstoppable” threat, according to researchers.
Meanwhile, in September, news came that the Mozi botnet, a P2P malware known previously for taking over Netgear, D-Link and Huawei routers, has swollen in size to account for 90 percent of observed traffic flowing to and from all IoT devices, according to researchers.
And in October, a new variant of the InterPlanetary Storm P2P botnet emerged, which comes with fresh detection-evasion tactics and now targets Mac and Android devices (in addition to Windows and Linux, which were targeted by previous variants of the malware).
On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.