Since mid-September, a new IoT botnet has grown to massive proportions. Codenamed IoT_reaper (Reaper for this article), researchers estimate its current size at nearly two million infected devices.
According to researchers, the botnet is mainly made up of IP-based security cameras, network video recorders (NVRs), and digital video recorders (DVRs).
Based on Mirai, but not a Mirai offspring
Researchers from Chinese security firm Qihoo 360 Netlab and Israeli security firm Check Point have spotted and analyzed the botnet as it continued to grow during the past month.
Both companies say the botnet uses some code from the Mirai IoT malware, but there are also many new things that make the botnet a standalone threat in its own right.
The biggest difference between Reaper and Mirai is its propagation method. Mirai scanned for open Telnet ports and attempted to log in using a preset list of default or weak credentials.
Reaper does not rely on a Telnet scanner, but primarily uses exploits to forcibly take over unpatched devices and add them to its command and control (C&C) infrastructure.
Netlab says that Reaper, at the time of writing, primarily uses a package for nine vulnerabilities: D-Link 1, D-Link 2, Netgear 1, Netgear 2, Linksys, GoAhead, JAWS, Vacron, and AVTECH. Check Point also spotted the botnet attacking MicroTik adn TP-Link routers, Synology NAS devices, and Linux servers.
Reaper “baby” botnet is still growing
Netlab experts say the botnet it’s in incipient stages of development, with its operator busy adding as many devices to the fold as possible.
Exploits are added on a regular basis, while the C&C infrastructure expands to accommodate new bots.
Netlab says that it observed over two million infected devices sitting in the botnet’s C&C servers’ queue, waiting to be processed. Just yesterday, only one of the C&C servers was controlling over 10,000 bots.
Tomorrow is the one-year anniversary of the Dyn DDoS attack
The botnet was first spotted on September 13, around one year after experts first found the Mirai IoT malware. Tomorrow will be the one year anniversary of the Dyn DDoS incident, Mirai’s most impactful DDoS attack that brought down a large portion of the Internet across North America and Europe.
Both Check Point and Netlab point out that Reaper did not launch any DDoS attack, as of yet. Nonetheless, Netlab says Reaper comes with a Lua-based execution environment integrated into the malware that allows its operator to deliver modules for various tasks, such as DDoS attacks, traffic proxying, and other.
But Reaper’s Lua core also comes embedded with 100 DNS open resolvers, a functionality that will allow it to carry out DNS amplification attacks with ease.
Only time will tell if this botnet will ever be deployed in live attacks like Mirai, or will be a dud like Hajime.