Reaper IoT botnet small but still dangerous, security experts warn

30 Oct 2017

Check Point, Arbor Networks’ Security Engineering & Response Team (ASERT) and researchers from Qihoo 360 Netlab Blog have raised the alarm about a suspected botnet.

Dubbed IoTroop by Check Point and Reaper IoT by ASERT, the botnet has affected organisations around the globe.

However, Check Point’s figures may be incorrect. According to ASERT’s findings, the Reaper botnet has between 10,000 and 20,000 bots in total, although that number fluctuates. The botnet has also scanned millions of potential victims to recruit into its network, but many of those candidate nodes have not actually been compromised.

“At this time, it is not clear why these candidate bots have not been co-opted into the botnet. Possible explanations include: misidentification due to flaws in the scanning code, scalability/performance issues in the Reaper code injection infrastructure, or a deliberate decision by the Reaper botmasters to throttle back the propagation mechanism,” ASERT researchers say.

360 Netlab researchers also note that the number of unique active IP addresses in the botnet is more than 10,000 per day – and it is still in the early stages of growth.

“While Reaper is capable of launching SYN-floods, ACK-floods, http floods, and DNS reflection/amplification attacks, it is likely to have other, yet-to-be-determined DDoS attack capabilities, as well,” ASERT continues.

ASERT says that Reaper is probably serving the DDoS-as-a-Service market in China, and appears to come from the Chinese criminal underground.

The malware creator has also borrowed code from the notorious Mirai botnet, but Reaper is not the same malware. It lacks password-cracking capability and instead exploits vulnerabilities in IoT devices, and its scanning behaviour is deliberately mild to avoid detection, Netlab researchers explain.

Netlab supports Check Point’s classification of affected devices, which include D-Link, TP-Link, Linksys, NETGEAR, AVTECH, MikroTik, Synology and GoAhead. In addition, Vacron and other DVRs have been added to the list.

“In the last 10 days, the attacker has continuously added more new exploits into samples, one of which is adopted only 2 days after the disclosure of the vulnerability was made,” Netlab researchers say.

They also note that while DDoS support has been encoded in the malware, there is no evidence of a DDoS attack so far.

“The only instructions we saw are to download samples. This means the attacker is still focusing on spreading the botnets,” they explain.

Check Point researchers warned that ‘the next cyber hurricane’ is about to arrive.

“It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organizations make proper preparations and defense mechanisms are put in place before an attack strikes.”
