Reaper, also known as IoTroop or IoT_reaper, is a large botnet mainly comprised of IoT devices such as IP cameras, network video recorders (NVRs), and digital video recorders (DVRs). It was first discovered on September 13, 2017, and researchers estimate that, as of October 20, 2017, Reaper controls approximately two million devices. Although some of Reaper's code looks as though it was borrowed from Mirai, its distribution method is different. Instead of brute-forcing Telnet credentials, Reaper spreads by exploiting known vulnerabilities in unpatched devices and adding them to its infrastructure. Currently, Reaper exploits the vulnerabilities outlined in the following links: AVTECH, D-Link (1), D-Link (2), GoAhead, JAWS, Linksys, Netgear (1), Netgear (2), and Vacron. At the time of writing, researchers have not yet observed a DDoS attack attributed to Reaper. Analysis of an associated malware sample revealed that Reaper contains a Lua execution environment and embeds nearly 100 open DNS resolvers, likely so that the botnet owner can conduct DNS amplification attacks against targets.
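The embedded list of open resolvers points to DNS amplification as the intended attack capability. From the defender's side, the tell-tale pattern is a host receiving a large volume of UDP source-port-53 responses from many distinct resolvers while having sent few or no matching queries (the queries were sent with the victim's spoofed address). The following is an added example, not code from the page or from any of the cited reports: it runs that heuristic over a constructed set of flow records. The `Flow` record layout, the sample addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions chosen for illustration and should be tuned to a real network's baseline.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal unidirectional flow record (constructed layout, not a real exporter format)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def analyze_dns_flows(flows, min_resolvers=20, min_ratio=10.0, min_bytes=100_000):
    """Flag hosts that look like DNS amplification victims.

    For every destination of UDP traffic with source port 53 we track the total
    response bytes and the set of distinct resolvers, and compare that against the
    bytes of DNS queries the same host sent out. A legitimate client sends a query
    for every response it gets; a spoofed-source amplification victim receives
    large responses from many resolvers it never queried.
    """
    resp_bytes = defaultdict(int)
    resolvers = defaultdict(set)
    query_bytes = defaultdict(int)

    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == 53:          # resolver -> host: a DNS response
            resp_bytes[f.dst] += f.nbytes
            resolvers[f.dst].add(f.src)
        elif f.dport == 53:        # host -> resolver: a DNS query
            query_bytes[f.src] += f.nbytes

    findings = {}
    for host, rb in resp_bytes.items():
        qb = query_bytes.get(host, 0)
        ratio = rb / qb if qb else float("inf")   # no queries at all: infinite amplification
        n_resolvers = len(resolvers[host])
        if rb >= min_bytes and n_resolvers >= min_ratio * 0 + min_resolvers and ratio >= min_ratio:
            findings[host] = {
                "response_bytes": rb,
                "query_bytes": qb,
                "distinct_resolvers": n_resolvers,
                "ratio": ratio,
            }
    return findings


def build_sample_flows():
    """Constructed sample traffic: one normal client and one amplification victim."""
    flows = []
    # Normal client 10.0.0.5 talking to its own resolver 10.0.0.1: small query, modest reply.
    for _ in range(50):
        flows.append(Flow("10.0.0.5", 40000, "10.0.0.1", 53, "udp", 70))
        flows.append(Flow("10.0.0.1", 53, "10.0.0.5", 40000, "udp", 150))
    # Victim 203.0.113.10 receives large responses from 40 open resolvers (192.0.2.1-40)
    # and sends no queries of its own, because the queries carried its spoofed address.
    for i in range(1, 41):
        for _ in range(25):
            flows.append(Flow(f"192.0.2.{i}", 53, "203.0.113.10", 53, "udp", 3000))
    return flows


if __name__ == "__main__":
    for host, stats in analyze_dns_flows(build_sample_flows()).items():
        print(f"suspected DNS amplification victim {host}: {stats}")
```

The heuristic deliberately keys on the asymmetry between queries sent and responses received rather than on any particular resolver address, since the resolver list a botnet carries changes between samples; the same logic applies to NetFlow or IPFIX exports once the records are mapped into the `Flow` shape.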
Reporting and Technical Details:
- October 2017: A Gigantic IoT Botnet Has Grown in the Shadows in the Past Month (Bleeping Computer)
- October 2017: A New IoT Botnet Storm is Coming (Check Point)
- October 2017: IoT_reaper: A Rappid [sic] Spreading New IoT Botnet (360 Netlab Blog)
- October 2017: IoTroop Botnet: The Full Investigation (Check Point)
- October 2017: Fear the Reaper, or Reaper Madness? (KrebsOnSecurity)
- November 2017: 'Reaper': The Professional Bot Herder’s Thingbot (Dark Reading)