Around this time last year, some of the Internet’s most popular websites were down for the majority of the day, and the culprit was Mirai, a botnet made up of IoT (Internet of Things) devices. It carried out massive DDoS attacks that caused wide Internet outages. Now a new threat has emerged, and it seems to be much more powerful than Mirai. The new malware is known as IoT Reaper, Reaper or IoTroop, and it is taking over unpatched devices at an alarming speed, creating a gigantic IoT botnet.
Key differences between Reaper and Mirai
Researchers investigating Reaper have noticed that it seems to have borrowed code from Mirai, but the two threats are very different. For one, Mirai cracked weak usernames and passwords in order to get into an IoT device. Reaper, on the other hand, takes advantage of vulnerabilities in IoT systems to gain control over them. It has been noted that Reaper primarily includes exploits for nine known vulnerabilities in devices from D-Link, Netgear, Linksys, GoAhead, JAWS, AVTECH and Vacron. However, exploits are added regularly.
Internet security company Qihoo 360 also notes that Reaper can stay under the radar because of its non-aggressive scan behavior, which is different from Mirai.
Reaper is still in the early stages of expansion
Reaper is expanding every day, which is rather worrying because it is already quite large. With 10,000 new devices every day, it is speculated that the malware has infected more than two million devices already.
“IoT_reaper is fairly large now and is actively expanding. For example, there are multiple C2s we are tracking, the most recent data (October 19) from just one C2 shows the number of unique active bot IP addresses is more than 10k per day. While at the same time, there are millions of potential vulnerable device IPs being queued into the c2 system waiting to be processed by an automatic loader that injects malicious code to the devices to expand the size of the botnet,” Qihoo 360 researchers explain in a blog post.
The company also provides measurements on the scale of the infection:
- Number of vulnerable devices in one c2 queue waiting to be infected: over 2m;
- Infected bots controlled by one c2 in last 7 days: over 20k;
- Number of daily active bots controlled by one c2: around 10k for yesterday (October 19);
- Number of simultaneous on-line bots controlled by one c2: around 4k
Reaper has not carried out any attacks so far, but it is most likely only a matter of time, and with a botnet of this size, it can do a lot of damage. In the meantime, there is something you can do to protect your IoT devices from being taken over by Reaper: update them. Failing to patch software seems to be a fairly big problem not only for organizations but for individual users as well, and it can have extremely serious outcomes. Apply all available updates to all your devices immediately.