Anti-Malware , Data Breach , DDoS

The Next IoT Botnet Has Improved on Mirai

Called Reaper or IoTroop, Botnet Exploits Vulnerabilities
The Next IoT Botnet Has Improved on Mirai
After Reaper malware infects an IoT device, the device passes the infection on. (Source: Check Point)

One year ago, the prediction that the "internet of things" would turn malicious on a large scale came true. The Mirai botnet infected millions of IP cameras, routers and digital video recorders. Then came the chaos: distributed denial-of-service attacks that disrupted Amazon, PayPal, Spotify and Twitter (see Mirai Botnet Pummels Internet DNS in Unprecedented Attack).

See Also: How to Scale Your Vendor Risk Management Program

Mirai sought to take over the easy targets: IoT devices with default or weak authentication credentials. But researchers have found a new IoT botnet that instead exploits security vulnerabilities, a troubling development.

The security company Check Point, which published a blog post on Friday, says it first noticed the botnet late last month. Since then, 1 million organizations have been infected, it writes.

The malware, which is being referred to as Reaper or IoTroop, has been targeting devices such as IP cameras made by GoAhead, D-Link, TP-Link, AVTECH, Netgear, MikroTik, Linksys and Synology, according to Check Point.

"While some technical aspects lead us to suspect a possible connection to Mirai, this is an entirely new and far more sophisticated campaign that is rapidly spreading worldwide," Check Point says.

Synology says attackers are using CVE-2013-6955 to compromise its storage-related products. The flaw was patched in September 2014, and the company is encouraging users to apply the security fix, a spokeswoman says.

Fast Development

Check Point says it has identified the types of vulnerabilities that Reaper/IoTroop is exploiting. For example, IP cameras and routers from D-Link - one of the major manufacturers of IP cameras and routers - are being attacked through remote code execution flaws and other known flaws.

Qihoo 360, a Chinese security vendor, published more information the same day as Check Point. It detected Reaper on Sept. 13 and says it borrows some code from Mirai.

"Currently, this botnet is still in its early stages of expansion," Qihoo 360 writes. "But the author is actively modifying the code, which deserves our vigilance."

Qihoo 360 says it has identified nine exploits for known vulnerabilities integrated into Reaper. Over the last 10 days, whomever is developing Reaper has added more exploits. In one instance, Qihoo says it only took two days for an exploit for a network video recorder made by Vacron to be integrated into Reaper after the vulnerability became public.

Gathering More Bots

For the moment, Reaper seems focused on spreading itself, Qihoo 360 says. Infected devices are seeking other devices to infect. Check Point says 60 percent of the corporate networks that are part of its ThreatCloud managed security service had devices infected with Reaper.

And although the compromised devices haven't been used for a DDoS attack, that appears to be coming.

Reaper is coded with an execution environment called Lua, which is a popular scripting language for gaming applications, including World of Warcraft and Angry Birds. Qihoo 360 says the use of Lua means Reaper can be loaded with "complex and efficient attack scripts."

There are indications that Reaper may be used for DDoS attacks that leverage DNS, or the Domain Name System. DNS infrastructure translates domain names into IP addresses that can be called into a browser.

DNS-related DDoS attacks are a powerful way to cause disruption. In October 2016, Mirai-infected bots were trained on Dyn, a networking company that provides DNS services. The DDoS attack executed against Dyn meant some web surfers could not navigate to Amazon, PayPal, Spotify and Twitter (see Botnet Army of 'Up to 100,000' IoT Devices Disrupted Dyn).

Embedded in Reaper are more than 100 open DNS resolvers. Anyone can use an open DNS resolver for DNS-related lookups. Those types of servers have long been abused by attackers, which spoof requests in order to send the much larger DNS responses to the victim's network in what are known as amplification attacks.

About a third of the open DNS servers identified within Reaper have been used in amplification attacks, Qihoo 360 writes.

Appealing to Attackers

Despite last year's Mirai problems, IoT devices are still a trouble-plagued area. While there's broader awareness of the issues, transitioning from years of poor coding and security practices doesn't happen overnight.

Patching procedures and regimes for IoT devices are far more disjointed than desktop computers or mobile devices. And even if a patch is released, owners of the devices may not know, meaning that if manual intervention is required to update the devices, it most likely will be unattended.

IoT makers have fast product development cycles, and often don't support products beyond a few years. Consumers and businesses often use IP cameras and routers long beyond their service life. If a device still works, there's no compelling reason to replace. And that's what makes these devices so appealing to attackers.


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network