Reaper Botnet is Huge

Since the middle of September, researchers have been watching an Internet of Things Botnet grow by nearly 10,000 infections per day. The botnet has been codenamed IoT_reaper. The current size of Reaper is estimated to be over 2 million infections. Much has been published over the years about how vulnerable IoT devices are. We are now beginning to see the practical implications of all the warnings made by experts.

According to researchers at Netlab, the botnet is mainly made up of IP-based security cameras, network video recorders (NVRs), and digital video recorders (DVRs). The botnet uses some code from the Mirai IoT malware, but there are also many new things that make the botnet a standalone threat in its own right. One of the major differences between Reaper and Mirai is its propagation method. Mirai was dependent on scanning for open Telnet ports and attempting to log in using a preset list of default or weak credentials. Reaper primarily uses exploits to forcibly take over unpatched devices and add them to its command and control (C&C) infrastructure.

Reaper also differs from Mirai in several important ways, including that it uses exploits to take over devices. Another difference is that Reaper integrates a Lua execution environment, which enables it to perform more complex attacks. Reaper’s scan behavior is also not very aggressive, which helps keep it under the radar and makes it harder to detect.

Netlab has confirmed that Reaper is currently using an exploit package that contains 9 vulnerabilities, namely: D-Link 1, D-Link 2, Netgear 1, Netgear 2, Linksys, GoAhead, JAWS, Vacron, and AVTECH. Israeli-based security firm Check Point has also discovered the botnet attacking MikroTik and TP-Link routers, Synology NAS devices, and Linux servers.

Researchers at Netlab believe that Reaper is essentially in its infancy. It is believed to be still in development, with its operator busy adding as many devices to the fold as possible. The operator’s actions suggest this: exploits are added regularly, while the C&C infrastructure expands to accommodate new bots. Since September 13, Netlab has seen the number of infected devices rise steadily, with over 2 million devices being infected by the end of last week. It was also observed that only one of the C&C servers was controlling over 10,000 bots.

Although Reaper is capable of conducting DDoS attacks based on its use of the Lua execution environment, no actual attack has been noticed. The only instructions as of last week are to download samples, further proving that the operator is still developing Reaper. It is important to note that Reaper's Lua core also comes embedded with 100 DNS open resolvers, a functionality that will allow it to carry out DNS amplification attacks.
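The embedded resolver list suggests a network-side check, shown here as an added example that is not from Netlab or the original article: a camera or recorder normally uses one local resolver, and amplification traffic carries a source address that does not belong to the sender. The log format, IoT prefix, approved resolver and threshold are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

IOT_NET = ipaddress.ip_network("192.168.50.0/24")  # assumed IoT VLAN prefix
APPROVED_RESOLVERS = {"192.168.50.1"}              # assumed local resolver
FANOUT_LIMIT = 5                                   # assumed alert threshold


def sample_log():
    """Constructed gateway log lines: 'mac src_ip dst_ip dst_port'."""
    lines = [
        "aa:aa:aa:00:00:01 192.168.50.10 192.168.50.1 53",   # normal camera
        "aa:aa:aa:00:00:01 192.168.50.10 192.168.50.1 53",
        "aa:aa:aa:00:00:01 192.168.50.10 203.0.113.9 443",   # not DNS, ignored
        "aa:aa:aa:00:00:03 198.51.100.7 203.0.113.200 53",   # foreign source
        "truncated line",                                    # malformed, ignored
    ]
    # One recorder querying 12 different external resolvers.
    lines += [f"aa:aa:aa:00:00:02 192.168.50.20 203.0.113.{i} 53"
              for i in range(1, 13)]
    return lines


def analyse(lines, net=IOT_NET, approved=APPROVED_RESOLVERS, limit=FANOUT_LIMIT):
    """Return devices with resolver fan-out above limit and devices that
    emitted DNS packets whose source address is outside the segment."""
    resolvers = defaultdict(set)
    foreign_source = set()
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] != "53":
            continue
        mac, src, dst, _port = parts
        try:
            src_ip = ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip records with unparsable addresses
        if src_ip not in net:
            foreign_source.add(mac)   # egress filtering should drop these
        if dst not in approved:
            resolvers[mac].add(dst)
    fanout = {m: len(d) for m, d in resolvers.items() if len(d) > limit}
    return {"fanout": fanout, "foreign_source": sorted(foreign_source)}


if __name__ == "__main__":
    print(analyse(sample_log()))
```

Keying on the MAC address rather than the source IP matters here, because a packet with a forged source address would otherwise be attributed to the wrong host.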

One year anniversary of the Dyn DDoS attack

In an eerie twist of fate, the discovery of Reaper occurred nearly a year after the first Mirai attack was seen. To further feed Halloween hysteria, the emergence of Reaper occurs a year after the Dyn DDoS incident, which saw a large portion of the Internet across North America and Europe brought down.

The victim of the largest Mirai attack was Dyn, a company that controls much of the internet’s domain name system (DNS) infrastructure. It was hit on October 21, 2016, and remained under sustained assault for most of the day, bringing down sites including Twitter, the Guardian, Netflix, Reddit, CNN and many others in Europe and the US. As with almost all DDoS attacks, a botnet bombards servers with traffic until they collapse under the strain. Mirai represented a shift in focus for DDoS attacks in that it utilized IoT devices to increase the number of infected devices used to carry out the attack. It was estimated that Mirai in the Dyn incident utilized over 100,000 malicious endpoints to crash Dyn servers. This meant that the operators of Mirai managed to carry out a DDoS attack almost twice the size of what had previously been seen.

While Reaper uses Mirai code, it seems only time will tell if Reaper leaves such a mark on the cybersecurity landscape or whether it has been detected early enough for vulnerabilities to be patched.

Dangers of leaving IoT devices exposed

Last week both the FBI and Europol released press statements listing the dangers of leaving IoT devices exposed online. The FBI release suggested how consumers can protect themselves against being exploited. These measures include:

  • Change default usernames and passwords. Many default passwords are collected and posted on the Internet. Do not use common words and simple phrases or passwords containing easily obtainable personal information. If the device does not allow the capability to change the access password, ensure the device providing wireless Internet service has a strong password and encryption.
  • Isolate IoT devices on their own protected networks.
  • Configure network firewalls to block traffic from unauthorized IP addresses and disable port forwarding.
  • Review and implement device manufacturer security recommendations, if available. Consider turning devices off when not in use.
  • Research your options when shopping for new IoT devices. When conducting research, use reputable Web sites that specialize in cybersecurity analysis, provide reviews on consumer products, and support consumer advocacy.
  • Look for products from manufacturers with a track record of providing security to their Internet-connected products. Look for companies that offer firmware and software updates, and identify how and when these updates are provided.
  • Identify what data is collected and stored by the devices, including whether you can opt out of this collection, how long the data is stored, whether it is encrypted in storage, and if the data is shared with a third party. Also, identify what protections and policies are in place in case there is a data breach.
  • Ensure all IoT devices are up to date and security patches are incorporated when available.
  • Use current cybersecurity best practices when connecting IoT devices to wireless networks and when connecting remotely to an IoT device.
  • Invest in a secure router with robust security and authentication.

By 2020 it is expected that there may be 20 billion devices connected to the internet, meaning that the Internet of Things is here to stay. It will ultimately change how we use the internet. By adopting “best practices” now we may avoid some miserable consequences in future.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.