Mirai-Like IoT Botnet ‘Has Already Hacked Millions Of Devices’

One year on from a botnet attack that disrupted a number of high-profile websites in October 2016, security researchers have uncovered another botnet that’s similar to the earlier Mirai in some ways, but is growing much more quickly.

The new network, called IOTroop or Reaper, has already infected devices on more than one million organisations’ networks, according to Israeli security firm Check Point, while Beijing-based Qihoo 360 estimated several million devices are queued to join the network.

Like Mirai, Reaper makes use of connected devices including routers and internet-linked security cameras.

Mirai had infected around 2.5 million devices by the end of 2016, when it was used along with other botnets to attack DNS provider Dyn, generating enough junk traffic to overload the firm’s servers and disable websites including Spotify, Reddit and The New York Times.

IoT hacking

But while Mirai infected devices by scanning for weak or default passwords, Reaper takes a more aggressive approach.

Reaper uses portions of Mirai’s code, indicating a possible link with the developers of the earlier tool, but it includes a number of new features, including the ability to exploit security weaknesses to gain control of a device.

It uses nine attacks found in routers made by D-Link, Netgear and Linksys along with surveillance cameras from Vacron, GoAhead, AVTech and others. While some of the flaws have been patched, in many cases those patches may not have been applied.

Another difference from Mirai is that Reaper programs the devices it infects to infect other devices, further broadening the botnet.

Check Point said about 60 percent of the corporate networks it tracks contained compromised devices.

“So far we estimate over a million organisations have already been affected worldwide, including the US, Australia and everywhere in between, and the number is only increasing,” Check Point said in an advisory.


Qihoo 360 said about 10,000 devices are in active communication with the botnet’s command servers, with millions more awaiting “loader” software to add them to the network.

So far Reaper hasn’t carried out any attacks, but researchers say there are few other uses for a large botnet of connected devices other than directing malicious traffic at a target.

“It is too early to guess the intentions of the threat actors behind it, but with previous botnet DDoS attacks essentially taking down the Internet, it is vital that organisations make proper preparations and defense mechanisms are put in place before an attack strikes,” Check Point said.

Qihoo 360 said the botnet appears to be in the “early stages of expansion”.

In a report timed to coincide with the first anniversary of the Dyn attack, load balancing and computer security firm Radware said it had found that 68 of the top 100 US websites only use one DNS provider, making them vulnerable to disruption.

“Could it happen again? The short answer is: yes,” Radware said in the report.

Researchers advised users of the targeted cameras and routers to install updates and consider performing a factory reset of the device, which would clear any infection.

Do you know all about broadband and the ultra-fast future? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Norway Hit By DDoS Cyber Attacks From Pro Russian Group

Norwegian national security agency warns pro-Russian group has targetted private and public institutions in Norway…

17 hours ago

Google Tells Staff They Can Relocate After Roe v Wade Ending

After US Supreme Court last week removed women's reproduction rights, Google tells staff they can…

18 hours ago

Taiwan Developing Own Digital Currency – Report

Central bank of Taiwan confirms it is still working on its digital currency, but has…

20 hours ago

Tesla Cuts 200 Autopilot Jobs, Closes San Mateo Office – Report

More restructuring at Tesla with hundreds of bob losses and California office closure, where staff…

21 hours ago

US FCC Commissioner Urges Apple, Google To Remove TikTok

Fresh worry for TikTok, after FCC Commissioner writes to Apple and Google about removing the…

22 hours ago

Airbnb Permanently Bans Parties, With Few Exceptions

Victory for irate neighbours? Airbnb confirms its temporary Covid ban on parties in its listings…

22 hours ago