Reaper IoT botnet small but still dangerous, security experts warn
Check Point, Arbor Networks' Security Engineering - Response Team (ASERT) and researchers from Qihoo 360 Netlab Blog have raised the alarm about a suspected botnet
Dubbed IoTroop by Check Point and Reaper IoT by ASERT, the botnet has affected organisations around the globe.
However Check Point's figures may be incorrect. According to ASERT's findings, the Reaper botnet has between 10,000 to 20,000 bots in total, but that number fluctuates. The botnet has also been scanning millions of potential victims for its network, however many of those victims' nodes have not been compromised.
“At this time, it is not clear why these candidate bots have not been co-opted into the botnet. Possible explanations include: misidentification due to flaws in the scanning code, scalability/performance issues in the Reaper code injection infrastructure, or a deliberate decision by the Reaper botmasters to throttle back the propagation mechanism,” ASERT researchers say.
360 Netlab researchers also note that the number of unique active IP addresses in the botnet is more than 10,000 per day – and it is still in the early stages of growth.
While Reaper is capable of launching SYN-floods, ACK-floods, http floods, and DNS reflection/amplification attacks, it is likely to have other, yet-to-be-determined DDoS attack capabilities, as well,” ASERT continues.
ASERT says that Reaper is probably serving the DDoS-as-a-Service market in China, and appears to come from the Chinese criminal underground.
The malware creator has also mimicked code from the notorious Mirai botnet, but it is not the same. It is unable to crack passwords and instead goes after vulnerabilities in IoT devices; and its scan behaviour is rather mild to avoid detection, Netlab researchers explain.
Netlabs supports Check Point's classification of affected devices, which include D-Link, TP-Link, Linksys, NETGEAR, AVTECH, MikroTik, Synology and GoAhead. In addition, Vacron, other DVRs have also been added to the list.
“In the last 10 days, the attacker has continuously added more new exploits into samples, one of which is adopted only 2 days after the disclosure of the vulnerability was made,” Netlabs researchers say.
They also note that while DDoS support has been encoded in the malware, there is no evidence of a DDoS attack so far.
“The only instructions we saw are to download samples. This means the attacker is still focusing on spreading the botnets,” they explain.
Check Point researchers warned that ‘the next cyber hurricane' is about to arrive.
“It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organizations make proper preparations and defense mechanisms are put in place before an attack strikes.