Fear The Reaper: Botnet Could Be Bigger And Badder Than Mirai

FBI Targets Booter Services

Just in time for Halloween, the Reaper is coming, and he’s after your internet.

Reaper, also known as IOTroop, is a growing botnet whose size, at more than 1 million organizations infected, could soon rival that of the Mirai botnet that knocked much of the U.S. offline last year, along with top websites around the world – Reddit, Netflix, Twitter and Spotify, just to name a few.

Reaper borrows some source code from Mirai, but is stealthier about dodging cybersecurity tools to recruit new devices, according to security expert Brian Krebs.

So far, Reaper lies dormant, but its sheer size and spreading power make it even more threatening than Mirai, with Check Point Research calling it a “cyberhurricane” that could potentially take down the internet. Yeah, the whole internet.

Check Point, which first identified suspicious activity related to the Reaper botnet in late September, said it’s too soon to say what cyberattacks the hackers behind Reaper may intend, but organizations would be wise to shore up their defenses. Already, 60 percent of the networks it monitors have been infected.

Krebs isn’t writing the internet’s eulogy just yet. On his website, he notes that botnets are not always built for the purpose of launching distributed denial of service (DDoS) attacks like the ones that crippled Reddit and the rest.

However, regardless of the threat actor’s intents, individuals and organizations alike would do well to brace for the coming storm – whatever form that storm may take – in hopes of blunting its impact.

What Reaper/IOTroop Does

Botnets are formed when malicious worms carry malware infections to as many devices as possible – automatically, behind the scenes. The worms spread like a virus, with infected devices passing the infection to others in turn.

Once the initiating threat actor has infected a virtual army, all those hijacked IP addresses can be harnessed to flood a single website with more traffic than it can handle, causing it to crash. That’s a distributed denial of service (DDoS) attack, and it’s what Mirai did to Reddit, Twitter and the rest.

The easiest devices to infect are consumer IoT devices with insufficient security in place – webcams, DVRs, smart fridges, thermostats, home security systems (ironic, isn’t it?) and WiFi routers whose owners are using weak or default passwords, or whose passcodes are hard-coded into the machine.

Mirai exploited those weak points. Reaper does worse: Where weak and default passwords are not present, it hacks its way into those devices instead, using at least nine known security vulnerabilities across a dozen different device makers.

As Wired noted, “it’s the difference between checking for open doors and actively picking locks.”

What Consumers And Organizations Should Do

Many of the security flaws being exploited have only been known for a brief time, meaning that many, many devices could be potentially vulnerable without their owners’ knowledge.

Check Point lists affected routers and internet-connected surveillance cameras by GoAhead, D-Link, TP-Link, NETGEAR, AVTECH, MikroTik, Linksys, Synology and Linux. For more details, see their Oct. 19 report.

It is recommended that consumers who own any of the devices on the list run an update, as vendors have released patches, or run a total factory reset on the firmware to wipe the malware from the system.