New Rapidly Spreading IoT Botnet Dubbed IoT_Reaper Strikes with Millions of Zombie Devices

(Last Updated On: 2nd November 2017)

Since mid-September, a new IoT botnet has grown to massive proportions. Codenamed IoT_reaper (Reaper in this article), the botnet is estimated by researchers to comprise nearly two million infected devices.

According to researchers, the botnet is mainly made up of IP-based security cameras, network video recorders (NVRs), and digital video recorders (DVRs).

Source code is derived in part from the Mirai botnet

Researchers from Chinese security firm Qihoo 360 Netlab and Israeli security firm Check Point have spotted and analysed the botnet as it continued to grow during the past month.

The new botnet borrows some of the source code from the Mirai IoT malware, which took down the popular security blog KrebsOnSecurity with a massive DDoS attack, ultimately forcing Brian Krebs, the security expert in charge of the blog, to find a new hosting company and seek shelter behind Google Shield for DDoS protection. However, there are also many new dependencies that make the botnet a standalone threat in its own right. It is believed that this new strain called Reaper could be even more virulent than Mirai.

The biggest difference between Reaper and Mirai lies in their propagation mechanisms. Mirai scans for open Telnet ports and attempts to log in using a preset list of default or weak credentials. Reaper, on the other hand, does not rely on a Telnet scanner; it primarily uses exploits to forcibly take over unpatched devices and add them to its command and control (C&C) infrastructure.

Netlab says that Reaper, at the time of writing, primarily uses an exploit package covering nine vulnerabilities: D-Link 1, D-Link 2, Netgear 1, Netgear 2, Linksys, GoAhead, JAWS, Vacron, and AVTECH. Check Point also spotted the botnet attacking MikroTik and TP-Link routers, Synology NAS devices, and Linux servers.

The Reaper “baby” botnet is still growing

Netlab experts say the botnet is in its incipient stages of development, with its operator busy adding as many devices to the fold as possible.

Exploits are added on a regular basis, while the C&C infrastructure expands to accommodate new bots.

Netlab says that it observed over two million infected devices sitting in the botnet’s C&C servers’ queue, waiting to be processed. Just yesterday, a single C&C server was controlling over 10,000 bots.

Tomorrow is the one-year anniversary of the Dyn DDoS attack

The botnet was first spotted on September 13, around one year after experts first found the Mirai IoT malware. Tomorrow will be the one-year anniversary of the Dyn DDoS incident, Mirai’s most impactful DDoS attack, which brought down a large portion of the Internet across North America and Europe.

Both Check Point and Netlab point out that Reaper has not launched any DDoS attack as of yet. Nonetheless, Netlab says Reaper comes with a Lua-based execution environment integrated into the malware that allows its operator to deliver modules for various tasks, such as DDoS attacks, traffic proxying, and others.

But Reaper’s Lua core also comes embedded with a list of 100 open DNS resolvers, functionality that would allow it to carry out DNS amplification attacks with ease.
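As an added example (not from the original article or from the Netlab and Check Point research), the following defender-side detection logic flags the footprint a reflection attack leaves in a resolver’s query log: many small ANY/TXT queries whose responses are tens of times larger. The log format and all sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of a resolver query log. The format is hypothetical:
# <epoch> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>
SAMPLE_LOG = """\
1508400001 203.0.113.7 amp-target.example ANY 64 3250
1508400001 203.0.113.7 amp-target.example ANY 64 3250
1508400002 203.0.113.7 amp-target.example ANY 64 3250
1508400002 203.0.113.7 amp-target.example TXT 64 2980
1508400002 203.0.113.7 amp-target.example ANY 64 3250
1508400003 198.51.100.20 www.example.org A 50 66
1508400003 198.51.100.20 mail.example.org MX 52 120
1508400004 192.0.2.88 cdn.example.com AAAA 52 90
1508400004 192.0.2.88 cdn.example.com A 50 66
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_log(text):
    """Yield (client, qname, qtype, qbytes, rbytes) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, client, qname, qtype, qb, rb = m.groups()
            yield client, qname, qtype, int(qb), int(rb)


def find_amplifiers(text, min_queries=3, min_ratio=20.0):
    """Return {client: stats} for clients whose traffic looks like amplification.

    In a reflection attack the source address is the spoofed victim, so the
    "client" that aggregates many small ANY/TXT queries with outsized
    responses is the target being flooded, not the bot sending the queries.
    """
    per_client = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0, "big_types": 0})
    for client, _qname, qtype, qb, rb in parse_log(text):
        s = per_client[client]
        s["queries"] += 1
        s["qbytes"] += qb
        s["rbytes"] += rb
        if qtype in ("ANY", "TXT"):  # record types that yield large answers
            s["big_types"] += 1
    findings = {}
    for client, s in per_client.items():
        ratio = s["rbytes"] / s["qbytes"]  # bytes returned per byte received
        if s["queries"] >= min_queries and ratio >= min_ratio:
            findings[client] = {"queries": s["queries"], "ratio": round(ratio, 1), "big_types": s["big_types"]}
    return findings


if __name__ == "__main__":
    for client, stats in find_amplifiers(SAMPLE_LOG).items():
        print(f"possible amplification target {client}: {stats}")
```

Rate-limiting responses to the flagged clients (and refusing recursion for non-local sources) is what removes a resolver from the pool of reflectors a botnet like this one can draw on.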

Only time will tell if this botnet will ever be deployed in live attacks like Mirai, or will be a dud like Hajime.

This week, both the FBI and Europol warned about the dangers of leaving Internet of Things devices exposed online.

Immediate infection countermeasures

By using some tricks, we are able to draw a fairly accurate measurement of the scale of the infection; here is a sample of the numbers.

  • Number of vulnerable devices in one C2 queue waiting to be infected: over 2M;
  • Infected bots controlled by one C2 in the last 7 days: over 20K;
  • Number of daily active bots controlled by one C2: around 10K for yesterday (October 19);
  • Number of simultaneous online bots controlled by one C2: around 4K.

IoC URLs
IoC MD5 hashes

References:

[1] IoT_reaper: A Rappid Spreading New IoT Botnet: http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/