Botnet evolves to spread its web of IOT devices

Security researchers have discovered a new IoT botnet that they claim has infected over one million organisations around the world and is “more sophisticated than Mirai”.

Researchers from both Check Point and Chinese security company Qihoo 360 Netlab discovered the botnet over the last month. The botnet has already been found on millions of IoT devices including routers and IP cameras from companies including GoAhead, D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys and Synology.

Check Point said in a blog post that technical aspects lead it to suspect a possible connection to Mirai, but that this botnet is more dangerous, as it is “evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016”.

"It is too early to guess the intentions of the threat actors behind it, but with previous botnet DDoS attacks essentially taking down the internet, it is vital that organisations make proper preparations," the company said.

It estimated that “over a million organisations have already been affected worldwide, including the US, Australia and everywhere in between.”

It warned that “we are now experiencing the calm before an even more powerful storm. The next cyber-hurricane is about to come”.

In a blog post, Qihoo 360 Netlab said that the threat partially borrows some Mirai source code, but is significantly different from Mirai in several key behaviours. The botnet no longer cracks weak passwords, but only exploits IoT device vulnerabilities. It also integrates a Lua scripting execution environment, “so more complex attacks can be supported and carried out”. The company noted that its scan behaviour is not very aggressive, “so it can stay under the radar”.

It said that the botnet has embedded more than 100 open DNS resolvers in its Lua sample, so DNS amplification attacks can be carried out easily.

“And a cross-checking with our DRDoS data feed indicates that about one-third of these open DNS servers have been used as reflectors in real DNS amplification attacks. We have yet to see this type of config in any other Mirai variants,” said researchers.
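Spotting reflection traffic from open resolvers like the ones Netlab describes is a defender-side detection job. The following Python snippet is an added example, not code from Netlab's or Check Point's write-ups: it groups DNS responses by destination and flags targets that receive heavily amplified responses from many distinct resolvers. The record layout and the sample addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsResponse:
    """One DNS response seen by a sensor (constructed record layout, not a real tool's format)."""
    resolver: str      # source of the response: an open recursive resolver
    target: str        # destination that receives the response
    qtype: str         # query type echoed back, e.g. "A" or "ANY"
    query_bytes: int   # size of the matching outbound query, 0 if none was seen
    resp_bytes: int    # size of the response payload


def find_reflection_targets(records, min_ratio=10.0, min_reflectors=3):
    """Group responses by target and flag likely reflection victims.

    A target is reported when responses arrive from at least `min_reflectors`
    distinct resolvers and the aggregate response/query byte ratio is at least
    `min_ratio`. Responses with no matching outbound query count as pure
    amplification: they add response bytes without adding query bytes.
    Returns {target: {"reflectors": [...], "ratio": float, "resp_bytes": int}}.
    """
    by_target = defaultdict(list)
    for r in records:
        by_target[r.target].append(r)
    findings = {}
    for target, recs in by_target.items():
        resp = sum(r.resp_bytes for r in recs)
        query = sum(r.query_bytes for r in recs)
        ratio = resp / query if query else float("inf")
        reflectors = sorted({r.resolver for r in recs})
        if len(reflectors) >= min_reflectors and ratio >= min_ratio:
            findings[target] = {"reflectors": reflectors, "ratio": ratio, "resp_bytes": resp}
    return findings


# Constructed sample: RFC 5737 documentation addresses, not real hosts.
SAMPLE = [
    DnsResponse(f"198.51.100.{i}", "203.0.113.10", "ANY", 60, 3000) for i in range(1, 5)
] + [
    DnsResponse("198.51.100.5", "203.0.113.10", "ANY", 0, 3000),   # no outbound query seen
    DnsResponse("198.51.100.9", "192.0.2.5", "A", 50, 120),        # ordinary lookups
    DnsResponse("198.51.100.9", "192.0.2.5", "A", 50, 120),
    DnsResponse("198.51.100.9", "192.0.2.5", "A", 50, 120),
]

if __name__ == "__main__":
    for target, info in find_reflection_targets(SAMPLE).items():
        print(f"{target}: {len(info['reflectors'])} reflectors, ratio {info['ratio']:.1f}")
```

Only the host hit from five resolvers with a 62.5x byte ratio is reported; the host doing ordinary A lookups against a single resolver stays below both thresholds.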

Both Qihoo and Check Point said that Reaper has yet to launch a DDoS attack. Researchers at Qihoo said that the botnet is still in its early stages of expansion, “but the author is actively modifying the code, which deserves our vigilance”.

Tristan Liverpool, director of systems engineering, F5 Networks, told SC Media UK that a simple password upgrade is not sufficient to protect against the botnet, but is still highly recommended on all devices connected to the internet. “To stop the propagation of this botnet, all companies and consumers should ensure all their devices are running the latest firmware versions, which will have security patches included,” he said.

“However, as the Reaper botnet already has many devices under its control, it can still be used to cause harm to good internet citizens. With that in mind, everyone needs to prepare for the worst, as it is still unknown whether the motive of the perpetrators is chaos, financial gain or to target specific states or brands. For organisations to protect themselves, they must identify which information is critical and needs to be available anytime, anywhere. In summary, security can be built around these key areas and a contingency plan must be developed.”

Mark James, security specialist at ESET, told SC Media UK that as devices get cheaper, this can in some cases go hand in hand with reduced security; on the other hand, to offer something that the end user can “plug and play” easily, vendors have to ship it as user friendly as possible.

“It's not always going to be a tech guru installing; as this technology becomes more widely available, the average user needs to be able to order, receive, (pre)setup and forget as quickly as possible to make it desirable for the non-technical user to embrace. All of these features make the perfect recipe for disaster, one we have seen before, we will see again, and one which, worryingly, we will continue to see until security becomes a minimum standard for any internet connected device,” he said.