The spiritual successor to the Mirai botnet is now looming inside millions of IoT devices. Will it wreak havoc on the Internet, or can we stop it in its tracks?
Remember Mirai? I don’t blame you if you can’t. A lot has happened since that day in October 2016 when much of the internet crashed as Mirai took down swaths of web servers residing on the East Coast of the United States. Since then, we’ve had WannaCry, NotPetya and the Equifax breach occupy the news and it seems like cyber attacks are becoming common place.
Damage Caused By The Mirai Botnet
Ultimately, Mirai crashed much of the internet by creating a botnet out of Linux IoT devices with little or no password protection, such as unprotected IP Cameras and home routers. Each of these devices was then used as a bot to request small amounts of bandwidth from target websites. Mirai ultimately enlisted over 100,000 devices causing the normal traffic load on target servers to exceed capacity by 10 to 20 times and creating the largest DDoS attack ever seen.
Related Article: CCleaner Supply Chain Attack Exposes Millions Of Windows Users
This DDoS attack started by going after KrebsOnSecurity, a website created by cyber security journalist, Brian Krebs. His web servers received botnet traffic as a high as 620 Gbps. Other websites saw traffic to their websites go as high as 1 Tbps. The botnet took a particular aim at Dyn, a DNS service based in New Hampshire, in the end effecting PayPal, Reddit, Netflix, Twitter, and many more popular services.
IoTroop or Reaper Looming On The Horizon
Well, it turns out there is another botnet possibly based on Mirai that is lying dormant and may take a death grip on the Web the likes of which we’ve never seen before. This version of the botnet is called Reaper or IoTroop, and the name is fitting. This botnet is enlisting some 10,000 IoT devices a day as bots and may just give the challenge of taking down the whole internet a run for its money.
What’s interesting is we know about it before it has been unleashed, unlike Mirai. Checkpoint Research, an Israeli security firm posted about the growing botnet last week. Checkpoint Research goes into detail about the worm building this botnet, which you can read about here.
In a nutshell, this worm spreads from device to device using known exploits in devices and already resides in millions of devices. IoTroop is different than Mirai in that this isn’t a case of poor and default passwords protecting devices.
Below is a full list of effected devices from Checkpoint Research:
|
Vendor |
Protection Name |
|
GoAhead |
Wireless IP Camera (P2P) WIFICAM Cameras Information Disclosure |
|
Wireless IP Camera (P2P) WIFICAM Cameras Remote Code Execution |
|
|
D-Link |
D-Link 850L Router Remote Code Execution |
|
D-Link DIR800 Series Router Remote Code Execution |
|
|
D-Link DIR800 Series Router Information Disclosure |
|
|
D-Link 850L Router Remote Unauthenticated Information Disclosure |
|
|
D-Link 850L Router Cookie Overflow Remote Code Execution |
|
|
Dlink IP Camera Video Stream Authentication Bypass – Ver2 |
|
|
Dlink IP Camera Luminance Information Disclosure – Ver2 D-Link DIR-600/300 Router Unauthenticated Remote Command Execution |
|
|
Dlink IP Camera Authenticated Arbitrary Command Execution – Ver2 |
|
|
TP-Link |
TP-Link Wireless Lite N Access Point Directory Traversal |
|
TP-LINK WR1043N Multiple Cross-Site Request Forgery |
|
|
Netgear DGN Unauthenticated Command Execution Netgear ReadyNAS Remote Command Execution |
|
|
NETGEAR |
Netgear DGN2200 dnslookup.cgi Command Injection |
|
Netgear ProSAFE NMS300 fileUpload.do Arbitrary File Upload |
|
|
NETGEAR Routers Authentication Bypass |
|
|
NETGEAR ReadyNAS np_handler Code Execution |
|
|
Netgear R7000 and R6400 cgi-bin Command Injection |
|
|
AVTECH |
AVTECH Devices Multiple Vulnerabilities |
|
MikroTik |
MikroTik RouterOS SNMP Security Bypass |
|
MikroTik RouterOS Admin Password Change |
|
|
Mikrotik Router Remote Denial Of Service |
|
|
Linksys |
Belkin Linksys WRT110 Remote Command Execution – Ver2 |
|
Linksys WRH54G HTTP Management Interface DoS Code Execution – Ver2 |
|
|
Belkin Linksys WRT110 Remote Command Execution |
|
|
Belkin Linksys Multiple Products Directory Traversal |
|
|
Belkin Linksys E1500/E2500 Remote Command Execution |
|
|
Cisco Linksys PlayerPT ActiveX Control Buffer Overflow |
|
|
Cisco Linksys PlayerPT ActiveX Control SetSource sURL Argument Buffer Overflow |
|
|
Synology |
Synology DiskStation Manager SLICEUPLOAD Code Execution |
|
Linux |
Linux System Files Information Disclosure |
Can We Stop IoTroop Or Is It Too Late?
Security researches have caught this botnet in its tracks, so there may be time to stop it before it attacks. A good way to think of these botnets is like a ticking time bomb. If you find the bomb in time, experts have a chance to dismantle it. If it goes unnoticed however, you can expect a messy day for the Internet some time in the future.
It isn’t like these botnets just cause issues with services we use for entertainment and social media. Our world is so wired into web services, that when these web services get taken down en masse, it can cause issues with critical infrastructure, such as the electrical grid, hospitals, etc.
What you can do now is make sure you patch all your IoT devices and routers. It also appears that simply changing your password on any home-based IoT devices (routers, IP cameras, etc.) will defeat the bot on infected devices. It won’t harm you personally or your hardware, but it will have larger implications if Reaper isn’t thwarted.