New IoT Botnet Finds Open Telnet Ports and Brute-Forces Entry and Installation

Security researchers have found a new botnet that’s brute-forcing its way onto devices through opened Telnet ports and named it HEH. Its makers wrote in GO, and the malware covers a wide array of possible architectures, allowing it to compromise numerous IoT devices.

The number of botnets has increased in direct proportion to the explosion of the IoT market. Numerous botnets are already active, including many that use the same principles to spread and infect devices. The appearance of yet another one, written from scratch, is proof there’s still plenty of room for more malware.

A key reason why new malware keeps popping up is that security researchers often find existing botnets, revealing their modus operandi and location. When these botnets are exposed, security solutions, ISPs, and other institutions have an easier time shutting them down.

The 360Netlab researchers found that the HEH botnet supports a vast array of CPU architectures x86(32/64), ARM(32/64), MIPS(MIPS32/MIPS-III) and PPC, which only means that is developers made sure it can infect most any device with the Telnet port open.

“After the Bot runs the P2P module, it will execute the brute force task against the Telnet service for the two ports 23 and 2323 in a parallel manner, and then complete its own propagation,” say the researchers.

Of course, when it does find a Telnet port, it will begin its brute-force attacks using 171 usernames and 504 passwords. While the researchers didn’t share the credentials, for security reasons, it’s easy to surmise that those credentials are a combination of default user names and passwords and some of the most common that people use in their daily lives.

HEH is far from complete, which means that attackers are still fine-tuning it.

“Some important functions such as attack module have not yet been implemented. Also the P2P implementation still has flaws,” the researchers also point out.