Reaper IoT Botnet

The new modern attack surface encompasses many emerging technologies such as the Internet of Things (IoT). As IoT becomes more integrated into the business communications path and the security boundary of your organization begins to blur, the risk of vulnerable IoT devices such as routers, cameras and video recorders will continue to increase.

About the Reaper Botnet

On October 20, 2017, researchers at the Chinese security firm Qihoo 360 and the Israeli firm Check Point detailed a new IoT botnet based in part on the Mirai botnet code. The main difference between Mirai and this new botnet is that Reaper relies on exploits instead of brute-forcing passwords as its infection method. The Reaper malware is leveraging nine vulnerabilities affecting home routers made by Linksys and D-Link; IP cameras and digital network video recorders made by VACRON, NUUO, NETGEAR, AVTECH, Maginon, Avacom, and others. Some of these vulnerabilities have patches available but unfortunately, many consumers never take the necessary steps to patch IoT devices in their homes.

Current Impact

Researchers have found that several tens of thousands of devices have been infected and over two million are queued to be infected. At the moment, researchers have only been able to identify from the Command and Control (C&C) that the botnet has focused on growing its numbers and no malicious payload has been seen. However, the code for the malware is a modular one where components can be loaded to expand the botnet’s capabilities, which makes the potential of someone using the botnet for other attacks very high.

Detection of Vulnerable Devices

Tenable.io Vulnerability Management and Nessus provide you with plugins to detect IoT devices vulnerable to the Reaper IoT botnet. The vulnerabilities detected are:

• D-Link 850L RCE (103114)
• GoAhead Credential Leak (102174)
• NUUO NVR / ReadyNAS Surveillance RCE (103928)
• Vacron NVR RCE (104124)
• NETGEAR DGN RCE (104128)
• Linksys E1500/E2500 Authenticated RCE (104129)
• D-Link DIR-300/DIR-600 RCE (104126)
• AVTech Multiple Vulnerabilities (104102)
• D-Link DIR-635L Credential Leak (66238)
• MVPower NVR RCE (104144)

Tenable will continue to monitor the Reaper botnet and add additional coverage if new exploits are added to the Reaper malware.

Wrap-up

Botnets often use well-known vulnerabilities & exploits to propagate their code to devices which in turn become bots. These well-known vulnerabilities can often be remediated either through patches or software updates. Implementing a proactive security program that includes regular patching and software updating is one of the best strategies you can use to prevent botnets from growing. Make a regular habit of scanning your IoT devices and updating them as necessary, to protect your assets.

For more information

• Learn more about Tenable.io, the first vulnerability management platform for all modern assets
• Get a free 60-day trial of Tenable.io Vulnerability Management

Many thanks to the Tenable research team for their contributions to this blog.