Experts try to assess the size and capabilities of the Reaper botnet

Only a few days ago, Geektimes published information about the Reaper worm and the botnet of the same name. To some extent, Reaper is the successor to Mirai, a worm that hit many tens of thousands of IoT devices last year. Those devices, combined into a single system, were then used to mount powerful attacks on hosting providers, banking organizations and even private servers.

It may well be that Reaper is more dangerous than Mirai, although experts still argue about this. More is now known about the scale and capabilities of the new botnet than before, thanks to the work of several organizations in the information security field. Their specialists are carefully studying the capabilities of the worm and the botnet and regularly publishing their findings online.

Some of the facts obtained while studying the botnet suggest that Reaper was created by amateurs who did not expect their creation to hit such a number of devices around the world. By "amateur" we do not mean that the creators of the system are novices in software development. But this team (or single person?) is clearly not very experienced in developing malware and building botnets. For example, the worm does not protect already-infected devices from other malware, which is rather unusual for botnet software. At the same time, Reaper can search for devices infected with Mirai and infect them as well (much as Mirai did with its predecessor, Qbot).

Scale of the disaster

The most important question now is the size of the botnet. Check Point specialists, who were the first to draw attention to Reaper, believe the malware has hit hundreds of thousands of devices around the world (possibly as many as a million IoT devices). This immediately puts the botnet at the forefront: if the estimate is correct, Reaper has no equal.

Check Point found about 30 thousand infected gadgets. According to the company's representatives, the IoT "victims" it discovered are only a small fraction of the total number of systems affected by the worm. They argue that, extrapolating, it is quite possible to talk about a million "IoT zombies" or even more. No such number of infected devices united into a single whole has been seen before.

True, there are other opinions, expressed by representatives of other companies, who argue that the number of infected devices cannot reach 1 million and question Check Point's claims. In general, the botnet is still not well understood, so there really is room for error.

The Chinese cybersecurity company Netlab 360, which also reported on Reaper, claims that the number of infected devices is currently in the tens of thousands, not hundreds of thousands, and certainly not a million. In its latest report the company put the count at 28,000 infected "bots." Representatives of Arbor Networks agree with their Chinese colleagues. However, most cybersecurity experts agree that the Reaper worm is extremely dangerous and can hit a large number of devices in a short time.

Attack Time Unknown

The malware acts much like its predecessors: it scans gadgets connected to the network and identifies those that are vulnerable. There are quite a few of them, because manufacturers, unfortunately, are not at all eager to fix the network-security problems of their gadgets quickly. That said, Reaper does not act very quickly. Perhaps the attacking component of the malware is simply unable to attack its victims fast. Or perhaps the creators of the botnet deliberately made it less aggressive so that it is harder for security specialists to detect.

Most interesting of all, unlike many other botnet-forming malware, Reaper "dies" when the device is rebooted. This means the real number of infected devices is constantly changing. Some IoT devices reboot quite often, so the "volatility" of the botnet is very high.

According to Radware, the Reaper worm infects between 200 and 500 different devices every day. Infecting one gadget takes the worm from half an hour to an hour and a half. The same company observed the spread of Mirai last year; it hit one device in just two minutes. Network security experts say that, judging by the set of IoT vulnerabilities the worm uses, only about 350,000 devices worldwide are available for infection. This is only an assumption, and it contrasts with the estimates of other companies, but it deserves consideration.
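The two observations above, that Reaper gains roughly 200 to 500 devices a day and that an infection is lost at the next reboot, together bound how large the botnet can get. The following model is an added illustration, not code from the article or from Radware, Check Point or Netlab 360: it treats the botnet as a queue whose size settles at the arrival rate multiplied by the mean device uptime. The mean uptime and the exponential uptime distribution are assumptions chosen for the example; the article gives no such figures.

```python
"""Toy population model for a non-persistent IoT botnet.

Added illustration, not code from the article or from any company it cites.
The infection rate and the exposed-device count come from the article; the
mean device uptime and its distribution are ASSUMPTIONS for the example.
"""
import random

# From the article (Radware): new infections per day fall in this range.
DAILY_INFECTIONS_RANGE = (200, 500)
# From the article: roughly this many devices are reachable by the worm's
# current exploit set.
EXPOSED_DEVICES = 350_000


def steady_state_size(infections_per_day, mean_uptime_days):
    """Long-run botnet size when every infection is lost at the next reboot.

    Each day the botnet gains `infections_per_day` bots and loses the bots
    whose device rebooted, so it settles at (arrival rate x mean lifetime).
    """
    return infections_per_day * mean_uptime_days


def simulate(days, daily_infections, uptime_sampler):
    """Day-by-day count of live bots.

    daily_infections: callable returning the number of new infections that day.
    uptime_sampler:   callable returning how many days a fresh bot survives
                      before its device reboots (1 = gone tomorrow).
    Returns one live-bot count per simulated day.
    """
    alive = []   # remaining days of uptime for each live bot
    sizes = []
    for _ in range(days):
        # Bots whose device rebooted overnight drop out; the rest age one day.
        alive = [t - 1 for t in alive if t > 1]
        # Today's new infections join with a fresh uptime budget.
        alive.extend(uptime_sampler() for _ in range(daily_infections()))
        sizes.append(len(alive))
    return sizes


def simulate_reaper(days, mean_uptime_days, seed=0):
    """Seeded run using the article's 200-500/day rate and an assumed
    exponentially distributed device uptime with the given mean."""
    rng = random.Random(seed)
    lo, hi = DAILY_INFECTIONS_RANGE
    new_per_day = lambda: rng.randint(lo, hi)
    # At least one day of life, since a bot is counted on the day it joins.
    uptime = lambda: max(1, round(rng.expovariate(1.0 / mean_uptime_days)))
    return simulate(days, new_per_day, uptime)


def days_to_exhaust_pool(pool=EXPOSED_DEVICES, per_day=sum(DAILY_INFECTIONS_RANGE) / 2):
    """Days needed to touch every exposed device once at the average rate,
    ignoring re-infection of rebooted devices (an upper bound on reach)."""
    return pool / per_day


if __name__ == "__main__":
    mean_uptime = 10  # assumption: an average IoT device reboots every ~10 days
    sizes = simulate_reaper(days=60, mean_uptime_days=mean_uptime)
    print("live bots after 60 days:", sizes[-1])
    print("expected steady state:", steady_state_size(350, mean_uptime))
    print("days to reach every exposed device once:", days_to_exhaust_pool())
```

With a constant 350 infections a day and a fixed ten-day uptime the count climbs for ten days and then stays at exactly 3,500, which is why the "volatility" the article describes matters: a botnet that does not persist across reboots is capped by how long its hosts stay up, not by how many hosts it has touched over its lifetime.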

What is it all for?

Another point is that the intentions of Reaper's creators are unclear. The main thing to remember is that so far there have been no attempts to carry out a DDoS attack. Why this botnet was created at all is unknown.

Moreover, the botnet's command servers use static names and IP addresses, which makes blocking such servers easy. Other botnets are much more dangerous in this regard. For example, Hajime is much harder to hit or disarm: it uses several BitTorrent addresses at the same time in order to change its hash, or "digital fingerprint", which happens literally every day.
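Static command-server names and addresses are exactly what a fixed indicator list handles well. The script below is an added example, not code from the article or from any company it cites: it matches constructed DNS and flow log lines against a small indicator set, reports which internal hosts touched a command server, and emits the corresponding resolver and gateway block rules. The indicator values are placeholders (a documentation-only hostname and an RFC 5737 TEST-NET address), not real Reaper infrastructure, and both log formats are assumptions made for the example.

```python
"""Matching device traffic against a static C2 indicator list.

Added illustration, not code from the article or from any company it cites.
Indicator values are PLACEHOLDERS, the log lines are constructed, and the log
formats are assumptions for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Placeholder indicators: a fixed C2 hostname and a fixed C2 address.
C2_HOSTNAMES = {"c2-placeholder.example"}
C2_ADDRESSES = {ipaddress.ip_address("203.0.113.10")}   # RFC 5737 TEST-NET-3

# Constructed resolver log (format is an assumption for this example).
DNS_LOG = """\
2017-10-25T10:00:01Z client=192.168.1.20 qname=c2-placeholder.example qtype=A
2017-10-25T10:00:03Z client=192.168.1.21 qname=time.example.net qtype=A
2017-10-25T10:05:01Z client=192.168.1.20 qname=C2-Placeholder.example. qtype=A
"""

# Constructed flow log (format is an assumption for this example).
FLOW_LOG = """\
2017-10-25T10:00:02Z src=192.168.1.20 dst=203.0.113.10 dport=80 proto=tcp
2017-10-25T10:00:04Z src=192.168.1.21 dst=198.51.100.7 dport=443 proto=tcp
2017-10-25T10:00:09Z src=192.168.1.22 dst=203.0.113.10 dport=80 proto=tcp
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=")
FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=")


def normalize_name(name):
    """Lower-case and strip the trailing dot so 'Foo.Example.' == 'foo.example'."""
    return name.rstrip(".").lower()


def dns_hits(log_text, names=C2_HOSTNAMES):
    """(timestamp, client, indicator) for every query naming a C2 host."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m and normalize_name(m["qname"]) in names:
            hits.append((m["ts"], m["client"], normalize_name(m["qname"])))
    return hits


def flow_hits(log_text, addresses=C2_ADDRESSES):
    """(timestamp, src, indicator) for every flow to a C2 address."""
    hits = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue   # skip a malformed destination field rather than crash
        if dst in addresses:
            hits.append((m["ts"], m["src"], str(dst)))
    return hits


def suspected_bots(dns_text=DNS_LOG, flow_text=FLOW_LOG):
    """Map each internal host to the sorted list of C2 indicators it touched."""
    touched = defaultdict(set)
    for _, host, indicator in dns_hits(dns_text) + flow_hits(flow_text):
        touched[host].add(indicator)
    return {host: sorted(inds) for host, inds in sorted(touched.items())}


def block_rules(names=C2_HOSTNAMES, addresses=C2_ADDRESSES):
    """Static blocking rules in dnsmasq and iptables syntax, one per indicator.

    Sinkholing a fixed name at the resolver and dropping a fixed address at
    the gateway is all the article's observation requires; a botnet that
    rotates its rendezvous points daily (Hajime) defeats exactly this approach.
    """
    rules = [f"address=/{n}/0.0.0.0" for n in sorted(names)]
    rules += [f"iptables -A FORWARD -d {a} -j DROP" for a in sorted(addresses, key=str)]
    return rules


if __name__ == "__main__":
    for host, inds in suspected_bots().items():
        print(f"{host}: contacted {', '.join(inds)}")
    print("\n".join(block_rules()))
```

The name match is case-insensitive and ignores the trailing dot, since resolver logs vary in both; the address match parses the field with `ipaddress` so that a garbled line is skipped rather than silently compared as a string.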

Not so long ago, worms appeared that "parasitize" already-infected devices; some of them attack the system's existing tenant and eliminate it. How the system works is not yet fully clear. Nevertheless, it has become clear that if the botnet now being built does take shape, it will be much easier to deal with than other software packages of this kind.

Who knows, maybe all these apparent "bloopers" are just the malware creators' wish to make their offspring look less dangerous to specialists than its predecessors were. Everything can change in a single day: the botnet's creators give a command and we see the system transformed into something much more dangerous than it is now.

As already reported, it is possible that Reaper was not created for DDoS attacks at all; it could have been designed for other needs. There are many possibilities, from mining cryptocurrency (although IoT systems cannot mine much) to creating a distributed computing network of a different kind. Bitcoin mining was carried out, for example, by a variant of the ELF Linux/Mirai trojan with an added cryptocurrency module. The number of coins a single IoT device can mine is ridiculous: millionths of a cryptocurrency unit. But if millions of devices are combined in a botnet, it will still make some money.

By the way, it was reported earlier that the botnet scans the network for devices subject to the following vulnerabilities:

After an update to Reaper, a tenth vulnerability was added to this list, affecting D-Link DIR-645 devices. In addition, the malware may soon gain an exploit for CVE-2017-8225. More than a hundred thousand IoT devices are exposed to this vulnerability, most of them cameras with the WIFICAM software module.

Representatives of F5 believe that if the botnet developers add a few more vulnerabilities, the malware will be able to infect not tens of thousands but millions of devices, more than 3.5 million. The advantage of the new botnet is that, unlike Mirai, it has an update mechanism. That is, the developers can add almost any function at their discretion, at any time.

Worst of all, the developers use the Lua programming language, which allows Reaper to be used not only for DDoS but for a much wider range of tasks.

It is also possible that it will not be Reaper that begins infecting millions of devices, but some other botnet whose creators use the exploits underlying Reaper as their basis. Either way, the threat of the botnet being activated is now very high, and no one can predict what Reaper will do after its "awakening".
