Reaper madness fails to materialize, with the spread of the new malware not as extensive as originally estimated, claim Arbor Networks researchers.
The Reaper malware that recruits IoT devices to a botnet army may not be as catastrophic as originally supposed, according to a new report.
Researchers at IT security company Arbor Networks reckon that the botnet is now fully activated, but that its actual size is around 10,000 to 20,000 bots in total. Earlier estimates had claimed that over one million companies were infected.
“At this time, it is not clear why these candidate bots have not been co-opted into the botnet,” said researchers. “Possible explanations include: misidentification due to flaws in the scanning code, scalability/performance issues in the Reaper code injection infrastructure, or a deliberate decision by the Reaper botmasters to throttle back the propagation mechanism.”
DDoS for hire
The company said that its current assessment of Reaper is that it is likely intended for use as a booter/stresser service (a DDoS-for-hire service that floods a target with so much traffic that it can no longer serve legitimate users), primarily serving the intra-China DDoS-for-hire market.
“Reaper appears to be a product of the Chinese criminal underground; some of the general Reaper code is based on the Mirai IoT malware, but it is not an outright Mirai clone,” said researchers.
They added that while Reaper is capable of launching SYN-floods, ACK-floods, HTTP floods, and DNS reflection/amplification attacks, it is likely to have other, yet-to-be-determined DDoS attack capabilities, as well.
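As an added illustration (not Arbor Networks' or Netlab 360's code, and not Reaper's own), the following Python script shows how two of the attack types named above, a SYN flood and DNS reflection/amplification, look in network flow records and how a defender can flag them. The record format, the thresholds and every sample flow below are constructed assumptions for this example, not captured traffic.

```python
"""Flag SYN-flood and DNS reflection/amplification traffic in flow records.

Added example, not code from the article or the researchers it quotes. The
record format and thresholds are assumptions; the sample flows are constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: float        # seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    flags: str       # TCP flags as letters ("S", "SA", "A"); "" for UDP
    nbytes: int


def parse_flows(lines: List[str]) -> List[Flow]:
    """Parse 'ts src sport dst dport proto flags bytes' lines (assumed format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, flags, nbytes = line.split()
        flows.append(Flow(float(ts), src, int(sport), dst, int(dport),
                          proto, "" if flags == "-" else flags, int(nbytes)))
    return flows


def syn_flood_targets(flows: List[Flow], window: float = 1.0,
                      min_syns: int = 20, min_sources: int = 10
                      ) -> Dict[str, Tuple[int, int]]:
    """Return {dst: (peak_syn_count, distinct_sources)} for destinations that
    received at least min_syns bare SYNs from at least min_sources addresses
    inside any window-second interval. A bare SYN (no ACK, no payload) from a
    never-completed handshake is the unit of a SYN flood; legitimate clients
    finish the handshake and come from comparatively few addresses."""
    syns = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            syns[f.dst].append((f.ts, f.src))
    hits = {}
    for dst, events in syns.items():
        events.sort()
        lo, best = 0, None
        for hi, (ts, _) in enumerate(events):       # sliding time window
            while ts - events[lo][0] > window:
                lo += 1
            span = events[lo:hi + 1]
            srcs = {s for _, s in span}
            if len(span) >= min_syns and len(srcs) >= min_sources:
                if best is None or len(span) > best[0]:
                    best = (len(span), len(srcs))
        if best:
            hits[dst] = best
    return hits


def dns_amplification_victims(flows: List[Flow], min_resp_bytes: int = 4000,
                              min_ratio: float = 10.0
                              ) -> Dict[str, Tuple[int, int, int]]:
    """Return {host: (response_bytes, query_bytes, reflectors)} for hosts that
    receive large volumes of DNS responses (UDP from port 53) out of all
    proportion to the DNS queries they sent. In a reflection attack the bots
    spoof the victim's address in queries the victim never sent, so its own
    query volume is near zero and the response/query ratio explodes."""
    resp, query = defaultdict(int), defaultdict(int)
    reflectors = defaultdict(set)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == 53:                 # answer arriving at f.dst
            resp[f.dst] += f.nbytes
            reflectors[f.dst].add(f.src)
        elif f.dport == 53:               # query leaving f.src
            query[f.src] += f.nbytes
    hits = {}
    for host, rbytes in resp.items():
        qbytes = query.get(host, 0)
        ratio = rbytes / qbytes if qbytes else float("inf")
        if rbytes >= min_resp_bytes and ratio >= min_ratio:
            hits[host] = (rbytes, qbytes, len(reflectors[host]))
    return hits


def sample_flows() -> List[str]:
    """Constructed flow records mixing benign traffic with both attacks."""
    lines = ["# ts src sport dst dport proto flags bytes  (constructed sample)",
             # A legitimate client completing a handshake with the web server.
             "0.00 192.0.2.10 40000 10.0.0.5 80 tcp S 60",
             "0.01 10.0.0.5 80 192.0.2.10 40000 tcp SA 60",
             "0.02 192.0.2.10 40000 10.0.0.5 80 tcp A 52"]
    # SYN flood: 25 bare SYNs from 25 spoofed sources within half a second.
    for i in range(25):
        lines.append(f"{1.0 + i * 0.02:.2f} 198.51.100.{i + 1} {50000 + i} "
                     f"10.0.0.5 80 tcp S 60")
    # Normal DNS lookup by 10.0.0.7: 60-byte query, 120-byte answer.
    lines += ["2.00 10.0.0.7 53123 203.0.113.53 53 udp - 60",
              "2.01 203.0.113.53 53 10.0.0.7 53123 udp - 120"]
    # Reflection: six open resolvers each send three 3000-byte answers to
    # 10.0.0.9, which never sent a query (its address was spoofed by the bots).
    for r in range(6):
        for k in range(3):
            lines.append(f"{3.0 + r * 0.1 + k * 0.01:.2f} 203.0.113.{r + 1} 53 "
                         f"10.0.0.9 33000 udp - 3000")
    return lines


if __name__ == "__main__":
    flows = parse_flows(sample_flows())
    print("SYN flood targets:", syn_flood_targets(flows))
    print("DNS amplification victims:", dns_amplification_victims(flows))
```

The two detectors key on different evidence: the SYN-flood check needs the time dimension (a burst of half-open connections from many addresses within a short window), while the reflection check needs the asymmetry between what a host asked for and what it was sent, which is why it tracks queries and responses separately and counts the distinct resolvers doing the reflecting. On real flow data the thresholds above would have to be tuned to the site's baseline.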
Reaper size update
According to an update on the situation from IT security company Netlab 360, the number of infected IoT bots under the attackers' control grew only marginally, to 28,000.
Researchers there speculated that the gap between the number of bots actually controlled by one controller and the number of potentially vulnerable devices reported may be because Reaper has trouble identifying vulnerable devices, so that most devices in its queue are not really vulnerable.
“Or it may be because the attacker’s loader lacks the needed capacity and all the tasks get backlogged, or maybe the attacker deliberately slows down the infection rate to reduce the risk of exposure,” said Netlab 360 researchers.
Rapid7’s IoT research lead, Deral Heiland, said that it’s critical that we hold manufacturers of IoT devices to a higher standard of security, and require that they support secure automated patching of their products as a prerequisite to release. “Without a move in that direction, it’s feasible that we will be having this same conversation 10 years from now,” he said.