Reaper IoT botnet not fully mobilised, says report

The Reaper IoT botnet isn't as devastating as first thought, claims a report.

There's been a lot of talk about the Reaper botnet recently, but it may not be causing as much damage as experts initially thought.

A report by Arbor Networks, the security division of Netscout, claims that the botnet isn't fully mobilised and that up to two million devices have not yet been activated.

Although Reaper has been described as one of the most devastating botnet attacks, the report says millions of potential Reaper bots haven't been included in the attack.

One of the most likely scenarios, according to the report, is that cyber crooks created Reaper as a booter service to tap into the Chinese DDoS-for-hire market.

The researchers, who have been analysing the botnet extensively, have reason to believe that it's a product of Chinese underground criminals.

They said Reaper displays code similar to the Mirai Internet of Things malware, but it's not an "outright clone". Mirai launched large-scale network attacks in August 2016.

Reaper can launch SYN floods, ACK floods, HTTP floods and DNS reflection/amplification attacks. However, the researchers say it also has other, as yet "to-be-determined", DDoS attack capabilities.

"Possible explanations include: misidentification due to flaws in the scanning code, scalability/performance issues in the Reaper code injection infrastructure, or a deliberate decision by the Reaper botmasters to throttle back the propagation mechanism," said the researchers.

Qihoo 360 Netlab was the first organisation to discover the Reaper botnet, and since then the botnet has gone on to target a plethora of devices around the world.

In particular, it has impacted IP cameras, internet routers and storage devices from a range of tech companies, including Synology, Linksys, Netgear, D-Link, TP-Link, Avtech and MikroTik.

Last week, a spokesperson for Netgear said in a statement: "Netgear is aware of the IoT Reaper botnet that is spreading by exploiting vulnerabilities in network-connected products and we are actively monitoring the situation.

"To protect our customers, Netgear does continuously update our products' software to address potential security vulnerabilities that could be exploited by this type of malware.

"The most effective defense against this type of malware is to ensure that the software on your network-connected products is up to date."

The spokesperson added: "We strongly recommend that customers visit the Netgear support site to check they have the latest update and to follow the instructions for upgrading the firmware/software of their Netgear products.

"Netgear appreciates having security concerns brought to our attention and is constantly monitoring our products to get in front of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Netgear."