Reaper IoT botnet ain't so scary, contains fewer than 20,000 drones

But numbers aren't everything, are they, Dyn?


The Reaper IoT botnet is nowhere near as threatening as previously suggested, according to new research.

Check Point Software Technologies warned last week that a new IoT botnet might have already infected "an estimated million organisations".

Boffins at Arbor Networks, however, estimate that the actual size of the Reaper botnet tends to fluctuate between 10,000 and 20,000 bots, but warn that this number could change at any time.

An additional 2 million hosts have been identified by the botnet scanners as potential Reaper nodes, but these have not been subsumed into the zombie network for reasons unclear.

Possible explanations include misidentification due to flaws in the scanning code, scalability/performance issues in the Reaper code injection infrastructure, or a deliberate decision by the botmasters to throttle the propagation mechanism.

Arbor researchers reckon Reaper is likely intended for use as a booter/stresser service primarily serving the "intra-China DDoS-for-hire market".

The malware was first spotted in September by Qihoo 360 Netlab. In the weeks since, the botnet agent has been developed and refined to exploit vulnerabilities in wireless IP-based cameras, routers, storage boxes and Wi-Fi points from vendors including D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys, and Synology.

In a statement received by The Register late on Thursday, Netgear urged customers to update the software on their devices.

NETGEAR is aware of the IoT Reaper Botnet that is spreading by exploiting vulnerabilities in network-connected products and we are actively monitoring the situation. To protect our customers, NETGEAR does continuously update our products' software to address potential security vulnerabilities that could be exploited by this type of malware.

The most effective defense against this type of malware is to ensure that the software on your network-connected products is up to date. We strongly recommend that customers visit the NETGEAR support site to check they have the latest update and to follow the instructions for upgrading the firmware/software of their NETGEAR products.

NETGEAR appreciates having security concerns brought to our attention and is constantly monitoring our products to get in front of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at NETGEAR.

Numbers aren't everything. It's estimated that only around 100,000 infected IoT devices serving as part of the Mirai botnet were needed to take out DNS provider Dyn and render many high-profile sites inaccessible as a result of the October 2016 attack. Arbor's research does, however, suggest that the Reaper IoT botnet is less of a threat than initially believed. ®
