Eight days have passed since researchers first warned of a new, potentially Internet-paralyzing botnet made up of cameras, routers, and other so-called Internet-of-things devices. There are good reasons for concern that Reaper, as the botnet has been dubbed, could pose as big a threat as Mirai, the mass IoT infection that last year caused chaos with record-setting distributed denial-of-service attacks.
The more nuanced reality is that Reaper exhibits some unusual behavior that makes it impossible to assess the real danger the botnet presents. Some facts that have come to light over the past few days strongly suggest its developers are amateurs and don’t pose the existential Internet threat initially thought, particularly when comparing Reaper to another established IoT botnet that has gone largely ignored for more than a year. Then again, Reaper exhibits other attributes that give it an advantage over other botnets. Chief among them is an infection mechanism unlike any seen before in an IoT botnet. Another advantage is that Reaper’s development platform is flexible enough to wage a suite of attacks that go well beyond mere DDoSes. With a few improvements and a few lucky breaks, Reaper could prove to be a real menace.
Sizing it up
The most important fact to emerge is Reaper’s true size. Researchers from security firm Check Point, who were the first to publicly report the botnet stunned their peers when they said it had infected an estimated 1 million organizations. That would dwarf just about every botnet—IoT or otherwise—seen to date, including Mirai, which was estimated to have infected anywhere from 145,000 to 230,000 devices.
In an e-mail, a Check Point spokesman said company researchers know of 30,000 infected devices and arrived at the 1 million-plus figure by extrapolating from data sets. In fact, other researchers have said Reaper’s size is significantly smaller. They said it has consistently fluctuated between 10,000 and 20,000 devices, and there’s no evidence it has anywhere near 1 million infected devices under its control.
China-based Netlab 360, which reported on Reaper a day after Check Point did, is one of at least four security companies that puts the infection estimate in the 10,000 to 20,000 range. Last week, Netlab 360 researchers accessed one of the botnet’s command and control servers and found the average number of devices it had actually exploited and taken control of over the previous seven days was just over 20,000. The number of daily active devices and the number of simultaneous online bots controlled by the server were even smaller, at around 10,000 for October 19 and around 4,000 for the same date respectively.
In an update posted Wednesday, Netlab 360 said the number of infected bots controlled by the server grew slightly, to 28,000. Those figures are consistent with a blog post Arbor Networks published Thursday. Researchers from both Radware and Ixia both told Ars they agree.
But NetLab 360 went on to report something else that suggests Reaper just might have the ability to quickly mushroom into a botnet of almost unimaginable size. The same Reaper control server had a queue of 2 million IoT devices that appeared to be vulnerable to the botnet’s advanced exploit mechanism but had not yet been compromised.
Not ready for prime time
The control server is made up of, among other things, a reporting mechanism—which tallies the results of Internet-wide scans for potentially vulnerable devices—and a loader, which injects specific exploit code into the scanned devices based on the specific vulnerability they were found to contain. Noting the disparity between the 2 million devices in the queue and the 28,000 infected bots, a Netlab 360 researcher wrote in Wednesday’s update:
Note that there is a significant difference between the two numbers, the real reason is yet to be determined. But if we have to take a guess, it might be that IoT_reaper has some problem identifying potential vulnerable devices, so most devices in its queue are not really vulnerable. Or it may be because the attacker’s loader lacks the needed capacity and all the tasks get backlogged, or maybe the attacker deliberately slow[ed] down the infection rate to reduce the risk of exposure.
Pascal Geenens, a researcher at security firm Radware, told Ars that estimating Reaper’s size is difficult for a host of reasons. For one, the bots seen were on just one server, and it’s possible there are others. Another is that, as was the case with Mirai and most other IoT botnets, Reaper infections don’t survive a reboot, meaning the number changes all the time.
In any event, a honeypot of laboratory devices Radware uses to monitor Reaper has logged only 4,000 unique IP addresses. The honeypot sees from 200 to 500 infection attempts each day, and on average it takes about 30 to 90 minutes for a successful infection. By contrast, a honeypot Radware used in August to monitor Mirai and a different, much more advanced IoT botnet researchers are calling Hajime, saw infections on average every two minutes.
Geenens said queries on the Shodan search engine indicates that of the nine or 10 exploits Reaper uses to spread, there are only 350,000 devices that might be vulnerable, and it’s possible many of those devices have been patched. It remains unclear why that number is so much lower than the 2 million potentially vulnerable devices Netlab 360 found in the control server queue. It’s possible that Reaper has better visibility than Shodan does, but the size of the discrepancy lends credence to the Netlab 360 theory that Reaper may not accurately measure the number of devices it can infect.
Amateur design
There are other reasons to doubt Reaper will pack the same potent threat Mirai did. Its control servers rely on static domain names and IP addresses, and it communicates over unencrypted HTTP channels. Both traits make it easy for both enterprise networks and ISPs to block the botnet should it begin a DDoS or other form of attack. Hajime, by contrast, is extremely hard to defend against and nearly impossible to take out. It uses multiple BitTorrent addresses that change the info hash, or unique digital fingerprint, each day. Hajime, which at its peak in April controlled about 300,000 infected devices, also uses robust encryption to communicate.
Unlike many Hajime and other botnets, Reaper doesn’t protect infected devices from being infected by other pieces of competing malware. That makes it easy for Reaper-infected devices to be disinfected or taken over by greyhat and blackhat hackers. Strangely, according Netlab 360, a new version of the malware is causing the botnet to scan only nine IP addresses for vulnerable devices. It’s hard to know what to make of the behavior, but at the moment it suggests Reaper isn’t nearly as aggressive as its peers.
None of this is to say that Reaper couldn’t one day pose a serious threat. As mentioned earlier, the botnet’s most innovative attribute is its exploit mechanism, which target specific firmware vulnerabilities in a host of widely used devices. That’s a vastly different approach from previously seen IoT botnets, which rely on a list of commonly used passwords to gain access. When Check Point and Netlab 360 first documented the malware last week, it was exploiting the following nine remote code-execution flaws:
- D-Link https://blogs.securiteam.com/index.php/archives/3364
- Goahead https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
- JAWS https://www.pentestpartners.com/blog/pwning-cctv-cameras/
- Netgear https://blogs.securiteam.com/index.php/archives/3409
- Vacron NVR https://blogs.securiteam.com/index.php/archives/3445
- Netgear http://seclists.org/bugtraq/2013/Jun/8
- Linksys http://www.s3cur1ty.de/m1adv2013-004
- D-Link http://www.s3cur1ty.de/m1adv2013-003
- AVTECH https://github.com/Trietptm-on-Security/AVTECH
An updated version of Reaper, Netlab 360 reported in Thursday’s update, adds this exploit against D-Link DIR-645 devices. Right now, there are patches available for most of the vulnerabilities Reaper exploits. But the addition suggests attackers are diligently expanding the base of vulnerable devices Reaper may be able to infect. Researchers from security firm F5 said that with further additions to the exploit war chest, the botnet may eventually be able to infect as many as 3.5 million devices.
A farewell to password attacks
An attack last year on customers of Deutsche Telekom in Germany and Eircom in Ireland demonstrates just how devastating an zeroday attack on IoT devices could be. It exploited a then-largely-unknown flaw in routers the ISPs provided to customers. The attack allowed the hackers to quickly commandeer more than 900,000 of them from Deutsche Telekom alone. In a stroke of luck, a router crash caused the attackers to lose control of their newly built botnet before they could use it in attacks. Internet users wouldn’t fare as well should a similar vulnerability have a more reliable exploit in the future.
Should Reaper add new exploits for widely used devices for which no patch will ever become available—which is an unfortunate reality in the IoT landscape—its exploit-centric approach could give it a major advantage over other IoT malware.
“While IoT malware started with simple attacks based on weak passwords, malware has been continuously evolving and taking more strategic approaches, such as cross-platform exploits, to impact a larger number of devices,” Ankit Anubhav, principal researcher with NewSky Security, wrote in a blog post published Tuesday. “The default password attack is almost near saturation, i.e. the devices which can be hacked easily via default passwords have already been hacked.”
Besides its ability to infect a potentially wider range of devices, Reaper also has an advantage over Mirai in that it has an update mechanism.
Putting it all together
Ultimately, Reaper contains a potentially game-changing infection mechanism, and its developers have demonstrated a willingness to build its existing arsenal of exploits. If its developers were to substantially overhaul their malware to add new exploits and better protect its control infrastructure, Reaper has the potential to grow into an unprecedented size. What’s more, the developers’ use of the Lua programming language makes it easy to use Reaper for a variety of attacks beyond DDoSes, Geenens said.
But so far, the threat of Reaper remains overshadowed by Mirai—for which source code is one download away—and Hajime—which is extremely hard to block or take down. While it’s worth keeping an eye on Reaper, the more alarming prospect still may be Mirai or Hajime adopting Reaper’s exploit mechanism.
“The biggest threat everyone should be scared about is that of the possibility for fragmented IoT botnets to get overrun by one strong and efficient botnet which can win the battle for IoT devices on every occasion, and will create a super-botnet of unequal and unseen size,” Geenens wrote in Wednesday’s Radware post. “IoT_Reaper has been thought of as a potential candidate, but all indicators lead one to believe that this will not be the case.”
