Last week we looked at reports from China and Israel about a new “Internet of Things” malware strain called “Reaper” that researchers said infected more than a million organizations by targeting newfound security weaknesses in countless Internet routers, security cameras and digital video recorders (DVRs). Now some botnet experts are calling on people to stop the “Reaper Madness,” saying the actual number of IoT devices infected with Reaper right now is much smaller.
Arbor Networks said it believes the size of the Reaper botnet currently fluctuates between 10,000 and 20,000 bots total. Arbor notes that this can change any time.
Reaper was based in part on “Mirai,” IoT malware code designed to knock Web sites offline in high-powered data floods, and an IoT malware strain that powered most of the largest cyberattacks of the past year. So it’s worrisome to think someone may have just built an army of a million IoT drones that could be used in crippling, coordinated assaults capable of wiping most networks offline.
If criminals haven’t yet built a million-strong botnet using the current pool of vulnerable devices, they certainly have the capacity to do so.
“An additional 2 million hosts have been identified by the botnet scanners as potential Reaper nodes, but have not been subsumed into the botnet,” Arbor’s ASERT team wrote, explaining that the coders may have intentionally slowed the how quickly the malware can spread to keep it quiet and under the radar.
Arbor says Reaper is likely being built to serve as the machine powering a giant attack-for-hire service known as a “booter” or “stresser” service.
“Our current assessment of Reaper is that it is likely intended for use as a booter/stresser service primarily serving the intra-China DDoS-for-hire market,” Arbor wrote. “Reaper appears to be a product of the Chinese criminal underground; some of the general Reaper code is based on the Mirai IoT malware, but it is not an outright Mirai clone.”
On Thursday I asked Israeli cybersecurity firm Check Point — the source of the one-million Reaper clones claim — about how they came up with the number of a million infected organizations.
Check Point said it knows of over 30,000 infected devices that scanned for additional vulnerable devices.
“We had a prism into these attacks from a data set that only contains a few hundreds of networks, out of which 60% were being scanned,” said Maya Horowitz, a group manager in the threat intelligence division of Check Point. “Thus we assume that the numbers globally are much higher, in at least 1 order of magnitude.”
Reaper borrows programming code from Mirai. But unlike Mirai, which infects systems after trying dozens of factory-default username and password combinations, Reaper targets nine security holes across a range of consumer and commercial products. About half of those vulnerabilities were discovered only in the past few months, and so a great many devices likely remain unpatched against Reaper.
Chinese cybersecurity firm Netlab 360, which published its own alert on Reaper shortly after Check Point’s advisory, issued a revised post on Oct. 25 stating that the largest gathering of Reaper systems it has seen by a single malware server is 28,000. Netlab’s original blog post has links to patches for the nine security flaws exploited by Reaper.