Specialists from the Netlab division of the Chinese tech giant Qihoo 360 spoke about a new botnet capable of erasing all data from an infected device, be it a router, server or IoT gadget.
The botnet, dubbed HEH, spreads via brute-force attacks to any Internet-connected device with open SSH ports (23 and 2323). If the device uses factory or untrusted credentials, the botnet gains access to the system and immediately downloads one of the seven binaries that install the HEH malware. The botnet can infect any device with unsecured SSH ports, but the HEH malware only works on * NIX systems.
The malware does not have any offensive features like launching DDoS attacks, installing cryptocurrency miners or proxies to redirect traffic. One of its two functions is to detect infected devices and force them to perform brute force attacks on SSH in order to expand the botnet. The second function is to run shell commands on the infected device. A variant of the second function is to execute a list of predefined shell operations that erase all data from the device.
Since the botnet is relatively new, researchers still find it difficult to say whether the operation to delete data is intended, or is it just an unsuccessful attempt by the HEH developers to implement a self-destruct function. Be that as it may, regardless of the original intentions of the developers, this function can be very destructive and turn hundreds, if not thousands of devices into a useless "brick". So far, this botnet feature has not been used.