HEH P2P Botnet Sports Dangerous Wiper Function
2020-10-08 17:27

In the case of HEH, the P2P module itself includes three components, starting with one that pings for all other nodes in the botnet at 0.1-second intervals and waits for a pong back; and one that updates the node with the latest peer addresses.

For the former, "The UDP service port of HEH botnet is not fixed, nor is it randomly generated, but is calculated based on [the] peer's own public network IP," explained the firm.

"Each time HEH bot receives a new peer's IP address, it will calculate the peer's UDP port according to the algorithm, and pack this information into its peer list."
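A defender can turn the two traits quoted above into a flow-log heuristic: steady 0.1-second UDP sends to many peers, each peer always reached on its own port. The sketch below is an added example, not code from the article or the research firm. The record layout, addresses, ports, thresholds and the reading of the timing as one datagram every 0.1 seconds are all assumptions.

```python
from collections import defaultdict
from statistics import median

def make_sample_flows():
    """Constructed flow records: (time_s, src_ip, dst_ip, dst_udp_port)."""
    peers = [("198.51.100.%d" % i, 20000 + 37 * i) for i in range(1, 9)]
    flows = []
    for n in range(80):  # 10.0.0.5: one ping every 0.1 s, cycling 8 peers
        ip, port = peers[n % len(peers)]
        flows.append((n * 0.1, "10.0.0.5", ip, port))
    for t in (0.0, 2.3, 2.4, 9.1, 15.7, 15.8, 30.2):  # 10.0.0.9: DNS client
        flows.append((t, "10.0.0.9", "192.0.2.53", 53))
    for n in range(40):  # 10.0.0.7: 0.1 s telemetry to a single collector
        flows.append((n * 0.1, "10.0.0.7", "192.0.2.10", 8125))
    return flows

def find_p2p_pingers(flows, interval=0.1, tolerance=0.03,
                     min_peers=5, min_packets=20):
    """Return {src_ip: summary} for sources matching the ping pattern.

    All thresholds are assumed defaults and need tuning per network.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_src[src].append((ts, dst, dport))
    hits = {}
    for src, recs in by_src.items():
        if len(recs) < min_packets:
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        ports_by_peer = defaultdict(set)
        for _, dst, dport in recs:
            ports_by_peer[dst].add(dport)
        # A port derived from the peer IP means one stable port per peer.
        one_port_per_peer = all(len(p) == 1 for p in ports_by_peer.values())
        # A non-fixed service port means the ports differ across peers.
        distinct_ports = len(set().union(*ports_by_peer.values()))
        if (len(ports_by_peer) >= min_peers
                and abs(median(gaps) - interval) <= tolerance
                and one_port_per_peer and distinct_ports > 1):
            hits[src] = {"peers": len(ports_by_peer), "ports": distinct_ports,
                         "median_gap_s": round(median(gaps), 3)}
    return hits

if __name__ == "__main__":
    for src, info in find_p2p_pingers(make_sample_flows()).items():
        print(src, info)
```

On the constructed sample only 10.0.0.5 is flagged: the DNS client has too few packets and the telemetry sender talks to a single destination.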

"The bot does maintain a peer list internally, and there is ongoing PingPong communication between peers, but the entire botnet still is considered centralized, as currently the bot node cannot send control commands."

The Bot Cmd list supported by HEH bot includes commands for restarting or exiting; executing shell commands; updating the peer list; updating the malware itself; and, crucially, something called "SelfDestruct," which is the wiper function.


News URL

https://threatpost.com/heh-p2p-botnet-wiper-function/159974/