This article is more than 1 year old

Reaper IoT botnet ain't so scary, contains fewer than 20,000 drones

But numbers aren't everything, are they, Dyn?

The Reaper IoT botnet is nowhere near as threatening as previously suggested, according to new research.

Check Point Software Technologies warned last week that a new IoT botnet might have already infected "an estimated million organisations".

Boffins at Arbor Networks, however, estimate that the actual size of the Reaper botnet tends to fluctuate between 10,000-20,000 bots, but warn that this number could change at any time.

An additional 2 million hosts have been identified by the botnet scanners as potential Reaper nodes, but these have not been subsumed into the zombie network for reasons unclear.

Possible explanations include misidentification due to flaws in the scanning code, scalability/performance issues in the Reaper code injection infrastructure, or a deliberate decision by the botmasters to throttle the propagation mechanism.

Do fear the Reaper: Huge army of webcams, routers raised from 'one million' hacked orgs


Arbor researchers reckon Reaper is likely intended for use as a booter/stresser service primarily serving the "intra-China DDoS-for-hire market".

The malware was first spotted in September by Qihoo 360 Netlab. In the weeks since, the botnet agent has been developed and refined to exploit vulnerabilities in wireless IP-based cameras, routers, storage boxes and Wi-Fi points from vendors including D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys, and Synology.

In a statement received by The Register late on Thursday, Netgear urged customers to update the software on their devices.

NETGEAR is aware of the IoT Reaper Botnet that is spreading by exploiting vulnerabilities in network-connected products and we are actively monitoring the situation. To protect our customers, NETGEAR does continuously update our products' software to address potential security vulnerabilities that could be exploited by this type of malware.

The most effective defense against this type of malware is to ensure that the software on your network-connected products are up to date. We strongly recommend that customers visit the NETGEAR support site to check they have the latest update and to follow the instructions for upgrading the firmware/software of their NETGEAR products.

NETGEAR appreciates having security concerns brought to our attention and are constantly monitoring our products to get in front of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at NETGEAR.

Numbers aren't everything. It's estimated that only around 100,000 infected IoT devices serving as part of the Mirai botnet were needed to take out DNS provider Dyn and render many high-profile sites inaccessible as a result of the October 2016 attack. Arbor's research does, however, suggest that the Reaper IoT botnet is less of a threat than initially believed. ®

More about


Send us news

Other stories you might like