{"id":10019,"date":"2017-10-20T14:45:03","date_gmt":"2017-10-20T22:45:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/20\/news-3792\/"},"modified":"2017-10-20T14:45:03","modified_gmt":"2017-10-20T22:45:03","slug":"news-3792","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/10\/20\/news-3792\/","title":{"rendered":"The Reaper Botnet Could Be Worse Than the Internet-Shaking Mirai Ever Was"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/59ea6cf8ce22fd0cca3c52bb\/master\/pass\/Botnet-FINAL-843353850.jpg\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg| Date: Fri, 20 Oct 2017 21:45:34 +0000<\/strong><\/p>\n<p data-reactid=\"247\"><span class=\"lede\" data-reactid=\"248\">The Mirai botnet, <\/span>a collection of hijacked gadgets whose cyberattack <a href=\"https:\/\/www.wired.com\/2016\/10\/internet-outage-ddos-dns-dyn\/\" data-reactid=\"250\">made much of the internet inaccessible<\/a> in parts of the US and beyond a year ago, previewed a dreary future of zombie connected-device armies run amuck. But in some ways, Mirai was relatively simple\u2014especially compared to a new botnet that&#x27;s brewing.<\/p>\n<p data-reactid=\"252\">While Mirai caused widespread outages, it <a href=\"https:\/\/www.wired.com\/2016\/10\/internet-outage-webcam-dvr-botnet\/\" data-reactid=\"254\">impacted IP cameras and internet routers<\/a> by simply exploiting their weak or default passwords. The latest botnet threat, known alternately as IoT Troop or Reaper, has evolved that strategy, using actual software-hacking techniques to break into devices instead. 
It&#x27;s the difference between checking for open doors and actively picking locks\u2014and it\u2019s already enveloped devices on a million networks and counting.<\/p>\n<p data-reactid=\"256\">On Friday, researchers at the <a href=\"http:\/\/blog.netlab.360.com\/iot_reaper-a-rappid-spreading-new-iot-botnet-en\/\" target=\"_blank\" data-reactid=\"258\">Chinese security firm Qihoo 360<\/a> and the <a href=\"https:\/\/research.checkpoint.com\/new-iot-botnet-storm-coming\/\" target=\"_blank\" data-reactid=\"260\">Israeli firm Check Point detailed<\/a> the new IoT botnet, which builds on portions of Mirai\u2019s code, but with a key difference: Instead of merely guessing the passwords of the devices it infects, it uses known vulnerabilities in the firmware of those devices, hacking in with an array of exploits and then spreading itself further. And while Reaper hasn\u2019t yet been used for the distributed denial-of-service (DDoS) attacks that Mirai and its successors have launched, that improved arsenal could allow it to become even larger\u2014and more dangerous\u2014than Mirai ever was.<\/p>\n<p data-reactid=\"262\">\u201cThe main differentiator here is that while Mirai was only exploiting devices with default credentials, this new botnet is exploiting numerous vulnerabilities in different IoT devices. The potential here is even bigger than what Mirai had,\u201d says Maya Horowitz, the manager of Check Point\u2019s research team. 
\u201cWith this version it\u2019s much easier to recruit into this army of devices.\u201d<\/p>\n<p data-reactid=\"263\">The Reaper malware has pulled together a grab-bag of IoT hacking techniques that include nine exploits affecting routers from D-Link, Netgear, and Linksys, as well as internet-connected surveillance cameras, including those sold by companies like Vacron, GoAhead, and AVTech. While many of those devices have patches available, most consumers <a href=\"https:\/\/www.wired.com\/story\/krack-wi-fi-iot-security-broken\/\" data-reactid=\"265\">aren\u2019t in the habit of patching their home network router<\/a>, not to mention their surveillance camera systems.<\/p>\n<p data-reactid=\"273\">Check Point has found that fully 60 percent of the networks it tracks have been infected with the Reaper malware. And while Qihoo 360&#x27;s researchers write that some 10,000 devices in the botnet communicate daily with the command-and-control server the hackers control, they&#x27;ve found that millions of devices are &quot;queued&quot; in the hackers&#x27; code, waiting for an automatic &quot;loader&quot; to add them to the botnet.<\/p>\n<p data-reactid=\"274\">Check Point\u2019s Horowitz suggests anyone who fears that their device might be compromised should check the company\u2019s <a href=\"https:\/\/research.checkpoint.com\/new-iot-botnet-storm-coming\/\" target=\"_blank\" data-reactid=\"276\">list of affected gadgets<\/a>. 
An analysis of the IP traffic from those devices should reveal if they\u2019re communicating with the command-and-control server helmed by the unknown hacker that&#x27;s administering the botnet, Horowitz says. But most consumers don&#x27;t have the means to do that network analysis. She suggests that if your device is on Check Point&#x27;s list, you should update it regardless, or even perform a factory reset on its firmware, which she says will wipe the malware. A reset alone does not close the hole, though: it puts back the shipped firmware and default credentials, so a device that is reset but not then updated can be exploited again the same way.<\/p>\n<p data-reactid=\"278\">As usual, though, it&#x27;s not the owners of the infected machines who will pay the real price for allowing Reaper to persist and grow. Instead, the victims would be the potential targets of that botnet once its owner unleashes its full DDoS firepower. In the case of Reaper, the millions of machines it may be amassing could be a serious threat: Mirai, which McAfee measured as having infected 2.5 million devices at the end of 2016, was able to use those devices to bombard the DNS provider Dyn with junk traffic that <a href=\"https:\/\/www.wired.com\/2016\/10\/internet-outage-ddos-dns-dyn\/\" data-reactid=\"280\">wiped major targets off the face of the internet in October of last year<\/a>, including Spotify, Reddit, and <em data-reactid=\"282\">The New York Times<\/em>.<\/p>\n<p data-reactid=\"317\">Reaper has shown no signs of any DDoS activity yet, Qihoo 360 and Check Point 
note. But the malware includes a Lua execution environment that lets its operator push new code modules to infected machines. That means it could shift its tactics at any time to start weaponizing its hijacked routers and cameras.<\/p>\n<p data-reactid=\"318\">Horowitz points out that hacking devices like IP-based cameras en masse doesn&#x27;t offer many criminal uses other than DDoS ammunition, though the motivation for any such DDoS attack is still unclear.<\/p>\n<p data-reactid=\"319\">&quot;We don&#x27;t know if they want to create some global chaos, or do they have some specific target, vertical, or industry they want to take down?&quot; she asks.<\/p>\n<p data-reactid=\"320\">All of that adds up to an increasingly troubling situation: One where the owners of IoT devices are racing with a botnet master to disinfect devices faster than the malware can spread, with serious potential consequences for vulnerable DDoS targets around the world. And given that Reaper has far more sophisticated tools than Mirai, the impending volley of attacks may turn out to be even more dire than the last one.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/reaper-iot-botnet-infected-million-networks\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/59ea6cf8ce22fd0cca3c52bb\/master\/pass\/Botnet-FINAL-843353850.jpg\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg| Date: Fri, 20 Oct 2017 21:45:34 +0000<\/strong><\/p>\n<p>Building on the devastating Mirai botnet that took major sites offline a year ago, Reaper has some scary new tricks.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-10019","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10019","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10019"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10019\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10019"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10019"},{"taxonomy":"post_tag"
,"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10019"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
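The traffic check Horowitz describes in the article (look at what a camera or router on your network talks to, and whether that endpoint is a known command-and-control server), as an added example that is not part of the Wired piece or of either vendor's write-up. It assumes flow records in a simple constructed text format, a constructed indicator list whose addresses are documentation-range IPs rather than real Reaper infrastructure, and a LAN of 192.168.1.0/24. The second check, which flags a device that contacts the same outside endpoint at near-constant intervals even when that endpoint is on no indicator list, goes beyond what the article describes; it is the generic "daily check-in" pattern the article attributes to the infected devices.

```python
"""Flag LAN devices that talk to listed C2 addresses or beacon to one
outside endpoint at fixed intervals.

Everything below is constructed for illustration: the indicator set,
the LAN prefix and the flow records are not Reaper IOCs or real captures.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed indicator list (documentation-range addresses, hypothetical).
C2_IPS = {"203.0.113.10", "198.51.100.7"}

# Assumed home-network prefix; connections that stay inside it are ignored.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed flow records: "timestamp src_ip dst_ip dst_port proto bytes".
SAMPLE_FLOWS = """\
2017-10-20T10:00:00 192.168.1.20 203.0.113.10 80 tcp 512
2017-10-20T10:05:00 192.168.1.20 203.0.113.10 80 tcp 530
2017-10-20T10:10:00 192.168.1.20 203.0.113.10 80 tcp 498
2017-10-20T10:01:00 192.168.1.21 198.51.100.50 443 tcp 10240
2017-10-20T10:03:00 192.168.1.22 192.0.2.55 8080 tcp 300
2017-10-20T10:33:00 192.168.1.22 192.0.2.55 8080 tcp 310
2017-10-20T11:03:00 192.168.1.22 192.0.2.55 8080 tcp 305
2017-10-20T11:33:00 192.168.1.22 192.0.2.55 8080 tcp 299
2017-10-20T10:07:00 192.168.1.23 192.168.1.1 53 udp 80
"""


def parse_flows(text):
    """Parse the whitespace-separated records into dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst,
            "port": int(port), "proto": proto, "bytes": int(nbytes),
        })
    return flows


def ioc_hits(flows, c2_ips=C2_IPS):
    """Map each LAN device to the sorted list of listed C2 IPs it contacted."""
    hits = defaultdict(set)
    for f in flows:
        if f["dst"] in c2_ips:
            hits[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


def beacon_candidates(flows, min_connections=4, max_jitter=0.10):
    """Map (src, dst, port) to the mean gap in seconds for every outside
    endpoint a device contacts at least min_connections times at
    near-constant intervals (coefficient of variation of the gaps
    no larger than max_jitter). Destinations inside LAN are skipped."""
    by_endpoint = defaultdict(list)
    for f in flows:
        if ipaddress.ip_address(f["dst"]) in LAN:
            continue
        by_endpoint[(f["src"], f["dst"], f["port"])].append(f["ts"])
    result = {}
    for key, stamps in by_endpoint.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            result[key] = mean
    return result


def suspect_devices(flows):
    """Union of devices flagged by either check, with the reason for each."""
    reasons = defaultdict(list)
    for src, dsts in ioc_hits(flows).items():
        reasons[src].append("contacted listed C2: " + ", ".join(dsts))
    for (src, dst, port), gap in beacon_candidates(flows).items():
        reasons[src].append(f"beacons to {dst}:{port} every {gap:.0f}s")
    return dict(reasons)


if __name__ == "__main__":
    flagged = suspect_devices(parse_flows(SAMPLE_FLOWS))
    for device, why in sorted(flagged.items()):
        print(device, "->", "; ".join(why))
```

In the constructed sample, 192.168.1.20 is caught only by the indicator match (three contacts, below the beacon threshold) and 192.168.1.22 only by the interval heuristic (four contacts to an unlisted address exactly 30 minutes apart), which is why the two checks are kept separate and then combined. The LAN prefix is tested explicitly rather than with `is_private`, because Python's `ipaddress` also treats the documentation ranges used here as non-global.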