Over the past week, security research teams have walked back claims of what they thought was one of the largest botnets of infected devices on the internet today.
The botnet, dubbed “Reaper” by researchers at Netlab 360, had ensnared vulnerable internet-connected webcams, security cameras, and digital video recorders (DVRs) over the past few weeks.
Reaper quietly targets and exploits known vulnerabilities in devices and injects its malicious code, effectively hijacking the device for whenever the botnet controller is ready to issue their commands, said security firm Check Point, which also published research. Each time a device is infected, the device spreads the malware to other vulnerable devices — like a worm.
Netlab said at the time of publishing their research that the botnet is exploiting nine known vulnerabilities in D-Link, Netgear, and AVTech products, as well as other device makers. Mirai, by comparison, would aggressively infect each device by running a list of known usernames and passwords against the device.
By targeting a known vulnerability, the botnet can swiftly take control of a device without raising any alarms.
Both research teams initially put the botnet’s size at over a million infected devices. But new evidence shows that the figure is far less than that, and additional research suggests that the botnet, if launched, could be easier to stop than Mirai.
Netlab said in an update on Wednesday that the number of bots connected to one controller stands at about 28,000 infected devices. The number of vulnerable devices, however, could reach as far as two million.
The researchers said it was likely that the botnet’s malware-infecting capacity — known as the “loader” — isn’t as strong as it thought, or that the botnet’s command and control infrastructure is struggling to hold up and needs extra capacity.
Arbor Networks corroborated those figures a day later in its own write-up, noting that the two million devices have “not been subsumed into the botnet,” but that this could “change at any time.”
In the case of botnets, size matters. The larger the botnet, the more damage it can do. It was Mirai that caused a massive distributed denial-of-service (DDoS) attack last October, knocking popular websites off the internet for millions of users. McAfee said 2.5 million infected devices were under Mirai’s control at its peak. The collective bandwidth from the huge number of “zombie devices” that were infected and enslaved was directed at Dyn, an internet infrastructure company, which overloaded the company’s systems and prevented millions from accessing popular websites.
As the botnet continues to grow, so does its potential for harm.
New exploits have been added to the botnet’s arsenal regularly in recent days, said Netlab. Check Point said 33 devices are vulnerable to attack so far. Researchers have also noted that several known, easy-to-exploit flaws have not been added to the botnet, raising questions about why some exploits have been added and not others.
There are still plenty of unanswered questions about Reaper — not least that nobody seems to know for sure what the botnet is for. And if there’s an attack planned, what is the target?
Arbor’s research points to what most botnets are used for — launching wide-scale DDoS attacks.
“Our current assessment of Reaper is that it is likely intended for use as a booter/stresser service primarily serving the intra-China DDoS-for-hire market,” said Arbor. But so far, there haven’t been any signs of DDoS attacks yet, said Ken Munro, a consultant at British security firm Pen Test Partners.
A breakdown of the Reaper botnet shows that the loader used to infect vulnerable devices may have more firepower in its arsenal than a traditional DDoS-for-hire botnet. While the Mirai botnet was a point-and-shoot botnet that could be used to hose systems with vast amounts of bandwidth, Reaper can be used to run complex attack scripts on infected devices. The code contains an integrated Lua execution environment, allowing the botnet owner to remotely execute code on each device, said Alan Woodward, a professor at the University of Surrey. But because each device has such little individual computational power, the code running on each device would have to be harnessed collectively for a larger, coordinated computing task, he said.
That could be anything from a DDoS on an internet target, to a much larger kind of attack.
“The aggregation of large numbers of the same Internet of Things (IoT) device leads to systemic issues,” said Munro.
“When it’s one device affecting one home, it’s irritating for the consumer, but when it’s a million devices, deeper problems arise,” he added.
“For example, any IoT device that switches a lot of electrical power gives rise to potential to affect the electricity grid,” he said. “Whether it’s a smart kettle, a smart thermostat switching your air conditioning or solar panels — all switch power,” he said. “Trigger a million devices that switch 3kW concurrently, and the power grid fails.”
What happens next is anybody’s guess. As more resources are put on Reaper to find out what its potential is, already researchers have found that attacks from the botnet could be easily mitigated.
Because the botnet relies on a fixed domain and IP address to its command and control server, that makes any attack easier to block at the internet server provider level.
“The threat does exist from the hundreds of thousands of devices that are not protected in any way by a firewall or gateway,” said Geenens. “There is unfortunately not much that can be done to protect those devices and prevent them from joining the army of Reaper-bots. That said, blackholing the servers at ISP level will render those devices useless zombies until rebooted and cleaned from any infection.”
There isn’t much that consumers or device owners can do for now, except patch any affected devices they may own and carry out a factory reset.
Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.