The Reaper IoT botnet is nowhere near as threatening as previously suggested, according to new research.
Check Point Software Technologies warned last week that a new IoT botnet might have already infected “an estimated million organisations”.
Boffins at Arbor Networks, however, estimate that the actual size of the Reaper botnet tends to fluctuate between 10,000 and 20,000 bots, but warn that this number could change at any time.
An additional 2 million hosts have been identified by the botnet scanners as potential Reaper nodes, but these have not been subsumed into the zombie network for reasons unclear.
Possible explanations include misidentification due to flaws in the scanning code, scalability/performance issues in the Reaper code injection infrastructure, or a deliberate decision by the botmasters to throttle the propagation mechanism.
Arbor researchers reckon Reaper is likely intended for use as a booter/stresser service primarily serving the “intra-China DDoS-for-hire market”.
The malware was first spotted in September by Qihoo 360 Netlab. In the weeks since, the botnet agent has been developed and refined to exploit vulnerabilities in wireless IP-based cameras, routers, storage boxes and Wi-Fi points from vendors including D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys, and Synology.
In a statement received by The Register late on Thursday, Netgear urged customers to update the software on their devices.
Numbers aren’t everything. It’s estimated that only around 100,000 infected IoT devices serving as part of the Mirai botnet were needed to take out DNS provider Dyn and render many high-profile sites inaccessible as a result of the October 2016 attack. Arbor’s research does, however, suggest that the Reaper IoT botnet is less of a threat than initially believed. ®