Reaper Botnet Has Come for the Internet

Written by

A brand-new, and massive, internet of things (IoT) botnet is poised to bring down the internet. Maybe. Probably.

According to Check Point’s research team, this new baddie, ominously dubbed “Reaper,” is recruiting IoT devices such as IP wireless cameras and DVRs at a far faster rate than the Mirai botnet did in 2016—and it already is estimated to have infected multiple devices in more than a million organizations globally.

The analysts don’t know the intentions of the threat actors behind it, but “with previous botnet DDoS attacks causing widespread, large-scale disruption, it’s likely that an attack is being prepared,” they said.

Any DDoS attack could be far more devastating than the attack on Dyn last year—the anniversary of which is coming up. In that attack, large portions of the internet were knocked offline. A move from Reaper on the other hand could threaten the public IP infrastructure en toto.

"The end of the world may not be nigh but the internet appears to be at severe risk of compromise,” said Lee Munson, security researcher at, via email. “As information security experts have been warning forever, it seems, a number of internet-connected fridges, kettles and lightbulbs, along with the ever-vulnerable batch of routers and cameras, have all been marked for takeover by a new botnet. That this should be devastating if it comes to pass is hardly a surprise, given how many manufacturers of IoT devices care little for security before selling their shiny new products.”

Any DDoS attack would be “the likes of which have not been seen before,” he said.

But wait, there’s more: It also appears that Reaper is still merely a baby botnet. It continues to grow in the shadows, without carrying out—as yet—any attacks. Its authors instead seem consumed with adding as many devices to its ouvre as possible.

After first being picked up via Check Point’s global Intrusion Prevention System (IPS) in the last few days of September, activity has snowballed, with the malware evolving “on a daily basis” to exploit vulnerabilities in additional devices from vendors including GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others, the researchers said.

For its part, Synology said that it issued an update that addresses the vulnerability in question (CVE-2013-6955) back in 2014, publishing a security advisory addressing the flaw and outlining steps to update the system. All customers should update their Synology NAS devices immediately.

Check Point said in an analysis that it has also become apparent that the attempted attacks were coming from many different sources and a variety of IoT devices, meaning the attack was being spread by the IoT devices themselves—thus gaining the ability to propagate exponentially. In its own analysis, Qihoo 360 Netlab put a finer point on it: It said that it observed, over the course of a single day, more than two million infected devices waiting to be processed in the C&C servers' queue.

As of this week, approximately 60% of the corporate networks that are part of Check Point’s ThreatCloud global network  are infected.

Interestingly, while some technical aspects initially led researchers to suspect a possible connection to Mirai, the botnet behind the Dyn attack, it turns out that this is an entirely new and more sophisticated campaign.

“The biggest difference between the two is that Mirai tried to connect to devices via telnet, utilising default or weak passwords to take control of devices,” said Tristan Liverpool, director of systems engineering at F5 Networks, via email. “In contrast, the Reaper botnet is looking to use exploits on unpatched devices, to take control of them and add it to the command and control (C&C) platform. This means that it can continue to grow and be harnessed for all kinds of criminal activities.”

As for mitigation, a simple password upgrade is not sufficient to protect against the botnet.

“To stop the propagation of this botnet, all companies and consumers should ensure all their devices are running the latest firmware versions, which will have security patches included,” Liverpool said.

In the meantime, “everyone needs to prepare for the worst, as it is still unknown whether the motive of the perpetrators is chaos, financial gain or to target specific states or brands,” he added. “For organizations to protect themselves, they must identify which information is critical and needs to be available anytime, anywhere. In summary, security can be built around these key areas and a contingency plan must be developed.”

Munson added that the IoT ecosystem must be put on notice. “It is vital that manufacturers do their part in securing the devices of tomorrow before they are allowed to destroy or severely disrupt the internet world they will be ultimately be joining,” he said.

What’s hot on Infosecurity Magazine?