Arbor Networks: Reaper Madness
October 2017 by Arbor Networks
On October 19th, a team of security researchers warned of a new IoT Botnet that had already infected “an estimated million organizations” and that was poised to “take down the internet”. This report was subsequently picked up by the press and spread quickly via social media.
ASERT has been actively analyzing the Reaper IoT botnet;
• The current actual size of the Reaper botnet tends to fluctuate between 10,000 – 20,000 bots in total (although this could change at any time).
• An additional 2 million hosts have been identified by the botnet scanners as potential Reaper nodes, but have not been subsumed into the botnet. At this time, it is not clear why these candidate bots have not been co-opted into the botnet. Possible explanations include: misidentification due to flaws in the scanning code, scalability/performance issues in the Reaper code injection infrastructure, or a deliberate decision by the Reaper botmasters to throttle back the propagation mechanism.
• Our current assessment of Reaper is that it is likely intended for use as a booter/stresser service primarily serving the intra-China DDoS-for-hire market.
• Reaper appears to be a product of the Chinese criminal underground; some of the general Reaper code is based on the Mirai IoT malware, but it is not an outright Mirai clone.
• While Reaper is capable of launching SYN-floods, ACK-floods, http floods, and DNS reflection/amplification attacks, it is likely to have other, yet-to-be-determined DDoS attack capabilities, as well.
ASERT will continue to analyze the botnet malware and monitor for any signs of attack. In the meantime, Chinese internet security company Qihoo has published some interesting analysis of the Reaper IoT bot: