
Reaper IoT botnet small but still dangerous, security experts warn

30 Oct 2017

Check Point, Arbor Networks’ Security Engineering & Response Team (ASERT) and researchers from Qihoo 360 Netlab have raised the alarm about a suspected botnet.

Dubbed IoTroop by Check Point and Reaper IoT by ASERT, the botnet has affected organisations around the globe.

However, Check Point’s figures may be incorrect. According to ASERT’s findings, the Reaper botnet has between 10,000 and 20,000 bots in total, although that number fluctuates. The botnet has also been scanning millions of potential victims, but most of those candidate nodes have not actually been compromised.

“At this time, it is not clear why these candidate bots have not been co-opted into the botnet. Possible explanations include: misidentification due to flaws in the scanning code, scalability/performance issues in the Reaper code injection infrastructure, or a deliberate decision by the Reaper botmasters to throttle back the propagation mechanism,” ASERT researchers say.

360 Netlab researchers also note that the number of unique active IP addresses in the botnet is more than 10,000 per day – and it is still in the early stages of growth.

“While Reaper is capable of launching SYN-floods, ACK-floods, http floods, and DNS reflection/amplification attacks, it is likely to have other, yet-to-be-determined DDoS attack capabilities, as well,” ASERT continues.

ASERT says that Reaper is probably serving the DDoS-as-a-Service market in China, and appears to come from the Chinese criminal underground.

The malware author has also borrowed code from the notorious Mirai botnet, but Reaper is not the same malware. It does not try to crack weak passwords (Mirai’s telnet brute-forcing) and instead exploits known vulnerabilities in IoT devices; and its scanning is deliberately mild to avoid detection, Netlab researchers explain.
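The “mild” scanning noted above is exactly what per-minute rate thresholds miss. The following is an added example, not code from the original article or from any of the researchers it cites: it runs two detectors over a constructed firewall log (the `SRC=`/`DST=`/`DPT=` line format, the RFC 5737 documentation addresses, and the thresholds are all assumptions for illustration). A naive per-minute detector sees nothing, while counting distinct targets per source over a one-hour sliding window flags the slow scanner.

```python
"""Low-and-slow scan detection over constructed firewall log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real capture). 203.0.113.5 probes one new
# host every two minutes, i.e. well under any per-minute rate threshold;
# 198.51.100.7 talks to one server repeatedly, as a legitimate client would.
SAMPLE_LOG = "\n".join(
    [f"2017-10-28T10:{m:02d}:00Z SRC=203.0.113.5 DST=192.0.2.{10 + m // 2} DPT=80"
     for m in range(0, 40, 2)]
    + [f"2017-10-28T10:{m:02d}:00Z SRC=198.51.100.7 DST=192.0.2.50 DPT=443"
       for m in range(0, 40, 2)]
)

# Hypothetical log format: ISO timestamp, then SRC=/DST=/DPT= fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)$")


def parse_events(lines):
    """Yield (timestamp, src, 'dst:port') tuples; skip lines that don't match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], f"{m['dst']}:{m['dpt']}"


def per_minute_rate_alerts(events, max_new_targets_per_minute=5):
    """Naive rate detector: flag a source that touches many distinct targets
    within a single minute. A scanner that paces itself never trips it."""
    buckets = defaultdict(set)
    for ts, src, target in events:
        buckets[(src, ts.replace(second=0, microsecond=0))].add(target)
    return {src for (src, _), targets in buckets.items()
            if len(targets) > max_new_targets_per_minute}


def slow_scan_alerts(events, window=timedelta(hours=1), min_targets=10):
    """Count distinct targets per source over a sliding window; return
    {src: max_distinct_targets} for sources at or above min_targets."""
    by_src = defaultdict(list)
    for ts, src, target in events:
        by_src[src].append((ts, target))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):
            # Distinct targets reached within `window` of this event.
            seen = {t for ts, t in hits[i:] if ts - start <= window}
            best = max(best, len(seen))
        if best >= min_targets:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    evs = list(parse_events(SAMPLE_LOG.splitlines()))
    print("per-minute rate detector flags:", per_minute_rate_alerts(evs) or "nothing")
    print("sliding-window detector flags:", slow_scan_alerts(evs))
```

The design point is the key: a scanner is defined by how many distinct hosts it touches, not by how fast it touches them, so the window has to be long enough that a paced scanner accumulates a tell-tale fan-out. Tune `window` and `min_targets` to the normal fan-out of your own clients before alerting on this in production.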

Netlab’s findings support Check Point’s list of affected device makers, which includes D-Link, TP-Link, Linksys, NETGEAR, AVTECH, MikroTik, Synology and GoAhead. Vacron and other DVRs have since been added to the list.

“In the last 10 days, the attacker has continuously added more new exploits into samples, one of which is adopted only 2 days after the disclosure of the vulnerability was made,” Netlab researchers say.

They also note that while DDoS support has been encoded in the malware, there is no evidence of a DDoS attack so far.

“The only instructions we saw are to download samples. This means the attacker is still focusing on spreading the botnets,” they explain.

Check Point researchers warned that ‘the next cyber hurricane’ is about to arrive.

“It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organizations make proper preparations and defense mechanisms are put in place before an attack strikes.”
