The Reaper botnet is expanding more aggressively than Mirai did and has the potential to cause more disruption, researchers say
One year on from a botnet attack that disrupted a number of high-profile websites in October 2016, security researchers have uncovered another botnet that’s similar to the earlier Mirai in some ways, but is growing much more quickly.
The new network, called IOTroop or Reaper, has already infected devices on more than one million organisations’ networks, according to Israeli security firm Check Point, while Beijing-based Qihoo 360 estimated several million devices are queued to join the network.
Like Mirai, Reaper makes use of connected devices including routers and internet-linked security cameras.
Mirai had infected around 2.5 million devices by the end of 2016, when it was used along with other botnets to attack DNS provider Dyn, generating enough junk traffic to overload the firm’s servers and disable websites including Spotify, Reddit and The New York Times.
But while Mirai infected devices by scanning for weak or default passwords, Reaper takes a more aggressive approach.
Reaper uses portions of Mirai’s code, indicating a possible link with the developers of the earlier tool, but it includes a number of new features, including the ability to exploit security weaknesses to gain control of a device.
It uses nine attacks found in routers made by D-Link, Netgear and Linksys along with surveillance cameras from Vacron, GoAhead, AVTech and others. While some of the flaws have been patched, in many cases those patches may not have been applied.
Another difference from Mirai is that Reaper programs the devices it infects to infect other devices, further broadening the botnet.
Check Point said about 60 percent of the corporate networks it tracks contained compromised devices.
“So far we estimate over a million organisations have already been affected worldwide, including the US, Australia and everywhere in between, and the number is only increasing,” Check Point said in an advisory.
Qihoo 360 said about 10,000 devices are in active communication with the botnet’s command servers, with millions more awaiting “loader” software to add them to the network.
So far Reaper hasn’t carried out any attacks, but researchers say there are few other uses for a large botnet of connected devices other than directing malicious traffic at a target.
“It is too early to guess the intentions of the threat actors behind it, but with previous botnet DDoS attacks essentially taking down the Internet, it is vital that organisations make proper preparations and defense mechanisms are put in place before an attack strikes,” Check Point said.
Qihoo 360 said the botnet appears to be in the “early stages of expansion”.
In a report timed to coincide with the first anniversary of the Dyn attack, load balancing and computer security firm Radware said it had found that 68 of the top 100 US websites only use one DNS provider, making them vulnerable to disruption.
“Could it happen again? The short answer is: yes,” Radware said in the report.
Researchers advised users of the targeted cameras and routers to install updates and consider performing a factory reset of the device, which would clear any infection.
Do you know all about broadband and the ultra-fast future? Try our quiz!