Security researchers at Qihoo 360 Netlab and Check Point have reported a new, growing botnet named IoT_reaper that exploits vulnerabilities in IoT devices. This quickly spreading botnet was discovered in mid-September, and its waiting lists now include more than 2 million devices. The number of active bots controlled by IoT_reaper is more than 10,000 per day. Most of the infected devices are IP cameras, network IP DVRs and digital video recorders.
The IoT_reaper botnet is still in the early stages of its growth, but the cybercriminals who operate it are actively modifying the code to make it more advanced. The source code of IoT_reaper contains some fragments of the well-known Mirai botnet code, but it also has a number of new features that make IoT_reaper more complex. Whereas Mirai searches for open Telnet ports and tries to compromise the device using a list of common default and most popular passwords, IoT_reaper mainly uses exploits to take control of vulnerable devices and add them to its C&C infrastructure.
Currently, IoT_reaper exploits vulnerabilities in D-Link devices (DIR-600 and DIR-300), Netgear routers and video surveillance systems (ReadyNAS Surveillance, DGN1000, DGN2200), Linksys routers (E1500 / E2500), and GoAhead, JAWS, Vacron and AVTECH IP cameras. The botnet also attacks MikroTik and TP-Link routers, Synology NAS network drives and Linux servers.
Qihoo 360 Netlab and Check Point experts noted that they have not yet seen actual DDoS attacks coming from the IoT_reaper botnet. The botnet includes an environment for executing scripts in the Lua language, which allows its authors to add modules for various malicious tasks, including DDoS attacks, traffic redirection, etc. Moreover, the IoT_reaper botnet embeds more than 100 open DNS resolvers in the source file of the Lua execution environment. This functionality allows the botnet to easily carry out DNS amplification attacks.