Last year, the Mirai botnet was used in massive DDoS attacks; however, the IoT Reaper botnet could redefine massive. The Mirai botnet, which mostly consisted of IoT devices, was capable of delivering DDoS attacks in excess of 1 terabit per second using just 100,000 malware infected devices.
The IoT Reaper botnet reportedly includes almost 2 million IoT devices, and infections with Reaper malware are growing at an alarming rate. An estimated 10,000 new IoT devices are infected and added to the botnet every day.
Researchers at Qihoo 360, who discovered the new botnet, report that the malware also includes in excess of 100 DNS open resolvers, making DNS amplification – DNS Reflection Denial of Service (DrDoS) – attacks possible.
Check Point has also been tracking a new botnet that includes an estimated 1 million devices, with 60% of the devices the firm tracks infected with the botnet malware. Check Point has called the botnet IoTroop, although it is probable that it is the same botnet as Qihoo 360 has been tracking. Check Point says it is “forming to create a cyber-storm that could take down the Internet.”
While the IoT Reaper botnet has existed for some time, it was not identified until September this year. Previously, the malware used to enslaves IoT devices was installed by taking advantage of default and weak passwords. However, that has now changed, and infections have been growing at an alarming rate as a result.
IoT Reaper is using nine different exploits for known vulnerabilities that have yet to be patched, with routers, cameras, and NVRs being targeted from more than 10 different manufacturers including router manufacturers Netgear, D-Link, Linksys, and surveillance camera manufacturers AvTech, Vacron, and GoAhead.
Unfortunately, while PC users are used to applying patches to keep their computers secure, the same cannot be said for routers and surveillance cameras, which often remain unpatched and vulnerable to infection.
At present the intentions of the actors behind the botnet are not known, but it is highly likely that the botnet will be used to perform DDoS attacks, as has been the case with other IoT botnets. Even though the number of enslaved devices is substantial, researchers believe the botnet is still in the early stages of development and we are currently enjoying the quiet before the storm.
If a botnet involving 100,000 devices can deliver a 1 terabit per second attack, the scale of the DDoS attacks with IoT Reaper could be in the order of tens of terabits per second. Fortunately, for the time being at least, the botnet is not being used for any attacks. The bad news is those attacks could well start soon, and since the malware allows new modules to be added, it could soon be weaponized and used for another purpose.