The Merkle

The Reaper Is Grim – What to Expect From the Latest Botnet

Using a network of internet-connected devices, botnets efficiently steal data, deny services, send spam, and perform a bevy of other frustrating and destructive actions against unsuspecting users. Botnets aren’t the newest malware on the web, but they continue to be effective at spreading malicious code and gaining fame and fortune for their creators. In fact, just this month, Israeli and Chinese security firms identified what could develop into the largest and most dangerous botnet ever: Reaper.

Disclosure: This is a Sponsored Article

Reaper’s Discovery

In the last, lingering days of September, an Israeli firm noticed that their security software was logging increasing numbers of attempts to exploit vulnerabilities in Internet of Things (IoT) devices. Meanwhile, a Chinese security firm was noticing the same odd behavior, and they managed to catch the code responsible. After some research, both groups uncovered sufficient evidence that the attacks were the work of a new botnet which has already grown to massive proportions. Initially dubbed “IoTroop” by the Israelis but quickly rebranded as “Reaper” thanks to the Chinese, the botnet is true to its newest name: It is slow, but it is diligent, and it has already claimed untold millions of machines.

Reaper’s Framework

Much of Reaper is built on the footprint of a previous botnet, Mirai, which made its debut in August 2016. Hackers lovingly built Mirai to seize control of as many IoT devices as possible and launch enormous denial-of-service attacks at targeted victims. The attempt was incredibly successful, preventing several websites and service providers from functioning effectively, and to rub salt in the wound, Mirai’s creators released the worm’s source code, spawning dozens upon dozens of clones. One of them, affecting infrastructure provider Dyn, attacked hosting firms for important web destinations like Reddit, Twitter, Spotify, and SoundCloud, rendering those sites unavailable for embarrassingly long periods.

Mirai was so effective because it used a cache of default passwords for IoT devices and tested them one after the other to eventually gain access to machines and networks. Reaper doesn’t rely on this slow and fallible technique; instead, Reaper has memorized vulnerabilities in IoT devices, diligently poking and prodding for weaknesses it knows are there, until it infiltrates machines. Though patches exist for most IoT security vulnerabilities, few users bother updating the software on those devices, leaving them open to attack.
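The default-password guessing described above leaves a recognisable trace on the defender's side: one source address cycling through many different username/password pairs against a device's login service within a short window, often ending in a success. The script below is an added example, not code from this article or from the Mirai or Reaper authors; it scans constructed gateway log lines for exactly that pattern and reports which sources were guessing and whether a guess eventually worked. The log format, the field names, the sample addresses and credentials, and the thresholds (four distinct pairs within sixty seconds) are all assumptions chosen for the illustration.

```python
"""Flag Mirai-style default-credential guessing in telnet login logs.

Added example for this article; not code from the article, Mirai or Reaper.
The log line format, field names, sample data and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Assumed format:
# "<ISO timestamp> <host> telnetd: LOGIN <OK|FAIL> user=<u> pw=<p> from=<ip>"
# 203.0.113.7 cycles through generic default credentials until one works;
# 198.51.100.4 is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
2017-10-01T02:14:01Z gw1 telnetd: LOGIN FAIL user=root pw=root from=203.0.113.7
2017-10-01T02:14:02Z gw1 telnetd: LOGIN FAIL user=admin pw=admin from=203.0.113.7
2017-10-01T02:14:02Z gw1 telnetd: LOGIN FAIL user=admin pw=1234 from=203.0.113.7
2017-10-01T02:14:03Z gw1 telnetd: LOGIN FAIL user=user pw=user from=203.0.113.7
2017-10-01T02:14:04Z gw1 telnetd: LOGIN FAIL user=root pw=12345 from=203.0.113.7
2017-10-01T02:14:05Z gw1 telnetd: LOGIN OK user=root pw=default from=203.0.113.7
2017-10-01T02:20:10Z gw1 telnetd: LOGIN FAIL user=alice pw=****** from=198.51.100.4
2017-10-01T02:20:40Z gw1 telnetd: LOGIN OK user=alice pw=****** from=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ telnetd: LOGIN (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) pw=(?P<pw>\S+) from=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn log text into (timestamp, source, user, password, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a login record
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["pw"], m["result"] == "OK"))
    return events


def find_credential_guessing(events, window=timedelta(seconds=60), min_distinct=4):
    """Report sources that try >= min_distinct different credential pairs
    within `window`, and whether any attempt in that burst succeeded.

    A single user retrying the same password is not flagged: distinct pairs,
    not raw attempt count, is what separates guessing from a typo.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort()  # chronological; tuples sort on the timestamp first
        for i, (t0, *_rest) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - t0 <= window]
            pairs = {(e[2], e[3]) for e in in_win}
            if len(pairs) >= min_distinct:
                findings.append({
                    "source": src,
                    "distinct_credentials": len(pairs),
                    "compromised": any(e[4] for e in in_win),
                    "first_seen": t0.isoformat(),
                })
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for f in find_credential_guessing(parse_log(SAMPLE_LOG)):
        status = "LOGIN SUCCEEDED, treat device as compromised" if f["compromised"] else "all guesses failed"
        print(f"{f['source']}: {f['distinct_credentials']} credential pairs "
              f"from {f['first_seen']} ({status})")
```

A finding with `compromised` set to true is the case the article's advice about taking suspect devices offline applies to; a burst of failures from one source with no success is still worth acting on, since the same guessing list will be tried against every device reachable on that network.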

Reaper’s method is faster and easier, and it can learn about new vulnerabilities as it goes. As a result, the botnet has grown to unbelievable proportions. The Israeli firm believes that 60 percent of IoT networks are compromised; the Chinese are certain more than 10,000 devices communicate regularly with the command-and-control server, but millions of devices are already queued, waiting patiently to be added to the botnet.

Reaper’s Potential

Reaper’s size makes its existence particularly troubling. Though the botnet has not acted yet, it is incredibly unlikely that hackers amassed this network of zombie devices for no purpose. Reaper could easily launch denial-of-service attacks akin to those of Mirai’s clones, striking the internet’s pressure points and causing widespread disruption of services. If the botnet is powerful enough, cybercriminals might be able to use that firepower to extort money from governments, service providers, or civilian users.

Then again, Reaper might not exist to attack. Some botnets function as distributed proxies or anonymity networks, which helps hackers become untraceable as they perform other nefarious deeds, such as testing stolen credit cards or exchanging pirated media. The botnet might also exist to give hackers a platform from which they can explore and exploit other devices in more fecund networks — such as businesses. Regardless of its objective, Reaper threatens security and privacy, and it must be stopped.

Reaper’s Downfall

On one hand, device owners and users need fear little from Reaper, as denial-of-service attacks typically target high-profile victims. On the other hand, civilians around the world were impacted by Mirai’s success in shutting down popular websites, so IoT users should do what they can to protect their devices from Reaper. The first step is having access to trustworthy internet support, which should be able to properly install IoT devices and maintain their security with regular updates and patches. Businesses wary of attack should take potentially infected devices offline until they are certain of Reaper’s reach.

Fortunately, Reaper might not ever swing its scythe. Authorities have recently identified, arrested, and sentenced the authors of Mirai, who might also be behind the Reaper botnet. Still, it is better to be safe than sorry; this could be the calm before a massive digital storm, and anyone with IoT devices should investigate their safety as soon as possible.