October 27, 2017

Last week we looked at reports from China and Israel about a new “Internet of Things” malware strain called “Reaper” that researchers said infected more than a million organizations by targeting newfound security weaknesses in countless Internet routers, security cameras and digital video recorders (DVRs). Now some botnet experts are calling on people to stop the “Reaper Madness,” saying the actual number of IoT devices infected with Reaper right now is much smaller.

Arbor Networks said it believes the size of the Reaper botnet currently fluctuates between 10,000 and 20,000 bots total. Arbor notes that this can change any time.

Reaper was based in part on “Mirai,” IoT malware code designed to knock Web sites offline in high-powered data floods, and an IoT malware strain that powered most of the largest cyberattacks of the past year. So it’s worrisome to think someone may have just built an army of a million IoT drones that could be used in crippling, coordinated assaults capable of wiping most networks offline.

If criminals haven’t yet built a million-strong botnet using the current pool of vulnerable devices, they certainly have the capacity to do so.

“An additional 2 million hosts have been identified by the botnet scanners as potential Reaper nodes, but have not been subsumed into the botnet,” Arbor’s ASERT team wrote, explaining that the coders may have intentionally slowed the how quickly the malware can spread to keep it quiet and under the radar.

Arbor says Reaper is likely being built to serve as the machine powering a giant attack-for-hire service known as a “booter” or “stresser” service.

“Our current assessment of Reaper is that it is likely intended for use as a booter/stresser service primarily serving the intra-China DDoS-for-hire market,” Arbor wrote. “Reaper appears to be a product of the Chinese criminal underground; some of the general Reaper code is based on the Mirai IoT malware, but it is not an outright Mirai clone.”

On Thursday I asked Israeli cybersecurity firm Check Point — the source of the one-million Reaper clones claim — about how they came up with the number of a million infected organizations.

Check Point said it knows of over 30,000 infected devices that scanned for additional vulnerable devices.

“We had a prism into these attacks from a data set that only contains a few hundreds of networks, out of which 60% were being scanned,” said Maya Horowitz, a group manager in the threat intelligence division of Check Point. “Thus we assume that the numbers globally are much higher, in at least 1 order of magnitude.”

Reaper borrows programming code from Mirai. But unlike Mirai, which infects systems after trying dozens of factory-default username and password combinations, Reaper targets nine security holes across a range of consumer and commercial products. About half of those vulnerabilities were discovered only in the past few months, and so a great many devices likely remain unpatched against Reaper.

Chinese cybersecurity firm Netlab 360, which published its own alert on Reaper shortly after Check Point’s advisory, issued a revised post on Oct. 25 stating that the largest gathering of Reaper systems it has seen by a single malware server is 28,000. Netlab’s original blog post has links to patches for the nine security flaws exploited by Reaper.

18 thoughts on “Fear the Reaper, or Reaper Madness?

  1. Anon

    Very interesting. It is actually even more interesting if the malware was indeed developed by a Chinese or Asian entity.
    A lot of the IoT devices it affects are these cheap, mass produced equipment built in these Asian countries. Something could definitely be fishy here, still, there are no FoxConn sized factories in the US that can produce these devices for these cheap prices, as of yet…

  2. IRS iTunes Card

    The Chinese criminal underground are smoking way to much marijuana.

  3. PhoneRai

    as the author of ‘reaper’ botnet, no im not chinese. lol guess im famous now

  4. Troy Mursch

    Reaper estimates are overblown.

    Here’s the total number of unique IPs I’ve found participating in last 30 days:
    Mirai-like botnet: 9,345
    Reaper botnet: 43

    Check out the latest post by Dr. Neal Krawetz, Pascal Geenens, and/or me for better understanding of Reaper vs. the much larger Mirai-like botnet.

    My summarized Mirai-like botnet data is available here: https://docs.google.com/spreadsheets/d/1pCrNYB_MzWZ2dnvDVCDevVLu6U-KYLp0BGvRrv03jTI/edit#gid=1473676667

    Contact me directly if you’d like more detailed data.

  5. Justintime

    While reaper is scanning for security holes, it’s main avenue is still “admin-admin” the TCP sequence is small and mainly telnet driven.

  6. Darron Wyke

    Damnit, Brian. You got Blue Oyster Cult stuck in my head now.

    Then again, judging by some of the findings, (Don’t) Fear the Reaper is fairly accurate…

    1. KathyB

      I was drawn to the Christopher Walken skit on SNL…more cowbell. 🙂

    2. Steve R

      LOL….Another 40,000 coming everyday, we can be like they are. Come on baby, don’t fear the reaper.

  7. EF

    Where can I get more information on these bot scanners? I’d love to scan my home network and all my IoT’s.

    1. Louise

      CheckPoint has one I checked out, the series 730 / 750 for home office or small business. It is more than enough and comes bundled with IPS: Intrusion Prevention System. It is $595.00 for the appliance (hardware), which comes bundled with ten or so, “blades,” or individual softwares, which cost $100.00 annually to renew . . . Hope that helps!

  8. Donn Edwards

    Has anyone developed a way I can test to see if my router is infected? It has the latest firmware installed but that’s hardly a reliable test 😉

    1. JCitizen

      I may be presumptuous here but as long as the following list is true, you may not have anything to worry about.

      1. Before Mirai you turned off/disable all inbound administrative ability.

      2. ” ” you changed the user ID and password from the factory default. Some routers only have admin as default and it can’t be changed, but may not matter as a user ID only.

      3. Still have a supported firmware and have kept it up to date every time a new version came out.

      4. It helps to have a true firewall and not just a NAT based hardware scheme. True firewalls tend to be expensive.

      5. Having a good software firewall on each PC/device in the network can help too. Online Armor is one of the best.

      6. Immediately upon joining your network with an IoT device, assure the admin is locked down and/or password protected – some of them unfortunately only use code numbers, and even they are sometimes standard factory settings, that the virus will guess in a heart beat, and take it over. Avoid those brands/models at all cost!

      1. ryan

        im pretty sure the article says it targets 9 vulnerability’s rather than trying passwords like mirai did(But unlike Mirai, which infects systems after trying dozens of factory-default username and password combinations, Reaper targets nine security holes across a range of consumer and commercial products.).
        and that theirs millions of devices out their(“An additional 2 million hosts have been identified by the botnet scanners as potential Reaper nodes, but have not been subsumed into the botnet,”) built with at least one of those vulnerability’s detectable via botnet scans

Comments are closed.