New Botnet Recruits IoT Devices Across the Globe

In the middle of October, Сheck Point experts discovered a new botnet made up of various IoT devices. Originally, the size of the botnet, which has been dubbed Reaper, was estimated at about 1 mln devices. However, after thoroughly analyzing it, researchers from Arbor Networks established that the botnet actually includes about 10-20 thousand infected devices and their number can grow significantly: another 2 mln devices were identified by the threat actors’ scanners as potential bots that have not as yet been included in the botnet.

To gain control of devices and extend its infrastructure, the new botnet uses exploits for vulnerabilities in IoT devices by D-Link, Netgear, Linksys, AVTech, Vacron, JAWS, GoAhead and other vendors. Infected devices include wireless IP cameras, routers, Wi-Fi access points, video surveillance systems, network drives and Linux servers. Some vendors have already released security updates, but these patches have not been installed by all users, leaving many devices under threat.

Although so far the botnet has not demonstrated any destructive activity (such as sending spam or carrying out DDoS attacks), it is dangerous potential is much higher than that of last year’s Mirai. The botnet is capable of conducting SYN, ACK and HTTP flood attacks, as well as DNS reflection and amplification and other types of DDoS attacks.

Researchers from Qihoo 360 Netlab have established that part of the Mirai source code has been used in developing malware for the Reaper botnet. However, unlike Mirai the new botnet is evolving and infecting new IoT devices at a much higher rate. Importantly, it uses a less aggressive scanning method, enabling the botnet to stay under the radar.

Available data indicates that the new malware has affected vulnerable devices across the globe. The largest number of devices infected by Reaper has been traced to China, Italy and Singapore.

According to Kaspersky Lab ICS CERT experts, devices infected by the new malware may include those used at industrial enterprises, hospitals, railway terminals, airports, etc. The high-risk group includes primarily organizations that use IP surveillance systems. And, although the new botnet does not affect industrial automation systems, its possible attacks could have grave consequences.

To secure your company’s devices against Reaper infections, we recommend:

• checking whether the company uses any equipment from the vulnerable device list;
  • Dlink 850L, DIR-600, DIR-800 routers;
  • WIFICAM wireless IP cameras
  • JAWS CCTV cameras;
  • Netgear DGN1000, DGN2200 routers and ReadyNAS network-attached storage devices;
  • Vacron network videorecorders;
  • Linksys E1500/E2500 routers;
  • AVTECH IP cameras and videorecorders.
• installing all the relevant patches on vulnerable devices;
• making sure that vulnerable devices are not used on the industrial network;
• Isolating the ICS network from the video surveillance network.

The detection of a new IoT botnet is one more proof of the importance of the Internet of Things security issue. Given the swift evolution of the Industrial Internet of Things (IIoT), it stands to reason that botnets built on industrial control system devices may be just around the corner.

Sources: Cheсk Point, Arbor Networks, Qihoo 360 Netlab