The HEH virus

A virus has been circulating since last year: it’s called HEH and it can infect practically everything: from routers to IoT devices. This new threat that is spreading on the internet could do enormous damage to millions of devices if it is not dealt with in a short time.


The virus

HEH was discovered by researchers from Netlab, the cyber and network security division of Chinese tech giant Qihoo 360, which made its existence known in a report.

Botnets are a network of zombie computers which, after infection, are used to launch attacks on other computers and infect them in turn; for more details, please read the focus on botnets on our blog.

This botnet is as new as the virus it carries, and almost nothing is known about it except how other computers are attacked: brute force on SSH ports 23 and 2323. 

Brute force attacks consist of bombarding a router (or server) with requests until the right combination of login credentials is found. 

If the device uses standard credentials or weak credentials, the virus can easily enter the system and insert the infected device into the botnet, then using it to carry out other attacks.


How HEH works

According to researchers, HEH would still be a sketchy virus, without truly offensive features such as the ability to launch DDoS attacks, install other viruses to produce cryptocurrencies or route web traffic to attackers’ servers.

The only thing HEH can do at the moment is launch attacks on SSH ports to extend its own reach. It would seem, therefore, that whoever invented it has a two-step strategy: first spread the malware, then activate it.


The Risks of HEH

The worrying thing, however, is that if the attackers manage to force a computer with an SSH attack, they can then do something else, taking advantage of the presence of HEH on the device.

For example, execute commands, among which there is also the one to destroy all partitions of the device.

Netlab claims to have found copies of HEH that can run on x86, ARM, MIPS, and PPC devices.

Everything, in short, from normal home computers to company servers up to IoT devices, i.e. smart devices for home automation, smart speaker included.

What does it all mean? That someone is infecting thousands of devices with a virus, which in turn will infect other devices, in preparation for a very likely future attack.