Reaper Botnet: More Than 2 Million Internet Of Things Devices Compromised

For more than one month, threat actors have been building a new botnet made up of compromised Internet of Things devices. Researchers believe nearly two million devices have already been infected and the botnet is still growing.

Known as IoT_reaper or Reaper, the massive collection of compromised internet-connected devices consists primarily of security cameras, network video recorders (NVRs) and digital video recorders (DVRs).

According to researchers at Chinese security firm Qihoo 360 Netlab and Israeli security firm Check Point, the botnet has seen significant growth over the last month and shares some similarities with Mirai, a previous botnet that was used to launch massive denial of service attacks against a number of targets.

Like most botnets, Reaper consists of internet-connected devices that have been infected with a common type of malware. While most victims have no idea their device is infected, the attacker can use the compromised machines and their combined computing power to complete coordinated tasks.

Where Reaper splits from Mirai and other botnets before it is in its propagation method. While Mirai scanned the web for open ports that would allow an attacker to remotely gain access to a device—generally through weak or default login credentials—Reaper searches for unpatched devices that it can easily exploit.

The botnet uses a collection of nine known vulnerabilities that target internet routers including the D-Link 1, D-Link 2, Netgear 1, Netgear 2, Linksys, GoAhead, JAWS, Vacron and AVTECH models. Researchers also spotted the botnet launching attacks against the MicroTik and TP-Link routers, Synology devices, and Linux servers.

When the botnet is able to successfully exploit one of the vulnerabilities, to compromises devices on the network with malware. Once infected, the device communicates and can be controlled from the attacker’s command and control server.

Thus far, the researchers believe Reaper is still in the early stages and whoever is behind the massive collection of compromised devices is just amassing as large of a network as possible. The attacker has added new exploits in attempts to expand the reach of the botnet and infect more devices.

According to researchers, Reaper has not been used to launch any sort of an attack thus far, but is capable of doing so. The malware that has helped comprise the botnet includes an execution environment that would allow the operator to launch a number of attacks including a denial of service attack.

Looming in the background of the mind of security experts as Reaper builds is the fact the Mirai botnet was used to launch an attack that disrupted large swaths of the internet and internet-based services for millions of people around the same time last year.

A massive denial of service attack using Mirai was launched October 2016, when the botnet was used to target Domain Name System (DNS) provider Dyn. The attack caused major internet outages for a number of web-based sites and services, including Twitter, Netflix, Spotify, Amazon, communications platform Slack, and the New York Times.