Gigantic IoT Botnet Has Grown in the Shadows Over the Past Month
A year after the Mirai IoT Botnet took down DynDNS and several of their customers, the Internet is facing a much greater and rapidly-emerging threat. A newly detected IoT botnet, dubbed IoT Reaper, is amassing millions of compromised devices under its control. At the time of this writing, IoT Reaper is believed to have infected over two million devices and is adding nearly ten thousand new devices every day. To put that number in perspective, Mirai was able to bring down DynDNS with just 100,000 compromised devices.
Mirai and vigilante IoT botnets such as Hajime actively scan for open telnet ports and use hard-coded or default credentials to spread. IoT Reaper spreads rapidly by scanning for exploitable and known, but unpatched vulnerabilities in popular routers, cameras, network DVRs, and other IoT devices. The malware is weaponized and integrates a full LUA execution environment, allowing the author to write very complex and efficient attack scripts. Researchers who examined IoT Reaper’s botnet code found that it contains more than 100 DNS open resolvers, which would enable it to launch powerful DNS amplification attacks.
At this time, researchers are unaware of who authored Reaper IoT or its intended purpose.
Zscaler Advanced Threat Protection will help prevent any infected devices from being able to communicate with the command and control servers. As covered in the ThreatlabZ blog on Mirai, Zscaler does not believe that customer devices will be involved in future IoT Botnet attacks, based on their research.