'Cyber Hurricane': Millions of Devices Infected in Rapidly Replicating Botnet

In 2016, an Internet of Things (IoT) worm named Mirai infected some 2.5 million gadgets worldwide, building botnets that sent unstoppable floods of junk traffic and took down major internet services including Spotify, Paypal and Reddit.

Mirai impacted IP cameras and internet routers by simply trying default login and password combinations on them. But the new and recently-discovered botnet, known as IoT Troop or, more commonly, Reaper, has evolved beyond that simple tactic — not just exploiting weak or default passwords on devices it infects — but using more sophisticated software-hacking techniques to break into insecure gadgets even after passwords have been changed.

According to researchers at the Chinese security firm Qihoo 360 and Israeli firm Check Point, comparing Mirai and Reaper is like differentiating between identifying open doors and actively picking locks.

Although Reaper is based on portions of Mirai's code, there is a key difference: the malware doesn't guess, it uses an arsenal of common defects in IoT gadgets to gain entry and an array of compromising tools to further spread itself.

Reaper has pulled together IoT hacking techniques that include nine attacks affecting routers from D-Link, Netgear, and Linksys, as well as internet-connected surveillance cameras, including those sold by Vacron, GoAhead, and AVTech.

Although currently Reaper has shown no signs of any DDoS (Distributed Denial of Service) activity, it is too early to guess the intentions of its creators. This malware has the potential to do significantly more damage than Mirai and its successors did.

Reaper continues to evolve, its code continuously updated, and its authors can turn a network of infected IoT devices into a weaponized network anytime it wants, to attack websites and disrupt services.

"The main differentiator here is that while Mirai was only exploiting devices with default credentials, this new botnet is exploiting numerous vulnerabilities in different IoT devices," wrote Maya Horowitz, Check Point's research team manager, cited by Wired.

"The potential here is even bigger than what Mirai had," Horowitz added, observing that, "with this version it's much easier to recruit into this army of devices."

According to Check Point, Reaper has already enslaved millions of IoT devices, including routers and IP cameras manufactured by GoAhead, D-Link, TP-Link, Avtech, and others, and the bot continues to rapidly spread.

Horowitz noted that device owners should check IoT manufacturer lists of affected gadgets and perform a factory reset on its firmware, if required.

"Our research suggests that we are now experiencing the calm before an even more powerful storm. The next cyber hurricane is about to come." Check Point wrote, cited by Wired. "The next cyber hurricane is about to come."