After quietly infecting a million devices, Reaper botnet set to be worse than Mirai

Analytics/ Analysis

is on track to become one of the largest botnets recorded in recent years — and yet nobody seems to know what it will do or when. But researchers say the damage could be bigger than last year's cyberattack.

By Zack Whittaker for Zero Day | October 24, 2017 -- 12:46 GMT (05:46 PDT) | 

 

botnet

(Image: file photo)

A little over a month ago, a sizable botnet of infected Internet of Things devices began appearing on the radar of security researchers.

Now, just weeks later, it's on track to become one of the largest botnets recorded in recent years.

The botnet, dubbed "Reaper" by researchers at Netlab 360, is said to have ensnared almost two million internet-connected webcams, security cameras, and digital video recorders (DVRs) in the past month, says Check Point, which also published research, putting its growth at a far faster pace than Mirai.

It was Mirai that caused a massive distributed denial-of-service (DDoS) attack last October, knocking popular websites off the internet for millions of users. The collective bandwidth from the huge number of "zombie devices" that were infected and enslaved was directed at Dyn, an internet infrastructure company, which overloaded the company's systems and prevented millions from accessing popular websites.

Mirai was "beautifully simple," said Ken Munro, a consultant at UK-based security firm Pen Test Partners. The malware would scan the internet and infect connected devices with default usernames and passwords, which either weren't or couldn't be changed by the owner.

Reaper, however, "is what Mirai could easily have been," said Munro. It takes a slightly different, more advanced approach by quietly targeting and exploiting known vulnerabilities in devices and injecting its malicious code, effectively hijacking the device for whenever the botnet controller is ready to issue their commands. Each time a device is infected, the device spreads the malware to other vulnerable devices -- like a worm.

Mirai aggressively ran each device against a list of known usernames and passwords, but Reaper is "not very aggressive," said Netlab.

By targeting a known vulnerability, the botnet can swiftly take control of a device without raising any alarms.

"One of the reasons Mirai didn't achieve its full potential is that the compromise didn't persist beyond a reboot," said Munro. "Hence, multiple botnet herders were competing for control of the compromised DVRs that comprised it, so the huge botnet it could have been was never built," he said.

 

Read More