Reaper: The Professional Bot Herder’s Thingbot



This isn’t your mama’s botnet. This is a proper botnet. If you were the world’s best IoT botnet builder and you wanted to show the world how well-crafted an IoT botnet could be, Reaper is what you’d build. It hasn’t been seen attacking anyone yet, and that is part of its charm. But, what is it doing? We’ve got some ideas.

Oct 31, 2017 Update

The intentions of Reaper are as unclear today as they were a week ago. We hold to our position that the interesting aspect of Reaper is not its current size, but its engineering, and therefore its potential.

From a pure research perspective, we’re interested in how Reaper is spreading. Instead of targeting weak auth like a common thingbot, Reaper weaponizes nine (and counting) different IoT vulnerabilities.

We think the current media focus on “the numbers” instead of the method is a tad myopic. See the next “update” section below for our clarification.

What’s in a Name?

The good people at 360’s Network Security Research Lab (“Netlab 360”) have been monitoring this thingbot the longest, and they named it IoT_reaper [1]. They sort of sat on the story for a while, watching Reaper evolve. Not long afterward, Check Point Software Technologies discovered it and named it IOTroop, but Brian Krebs’ article [2] has given the original moniker some momentum. So, let’s go with Reaper for now.

Size and Position

Krebs puts the current size of Reaper at over one million IoT devices. We have data that suggests it could include over 3.5 million devices and could be capable of growing by nearly 85,000 devices per day. The reason Reaper has gotten so big and, honestly, the reason we’re so impressed with its construction is that, unlike its predecessors, Mirai and Persirai, Reaper uses multiple attack vectors. Mirai used default passwords. Persirai used the blank username + password combo, which frankly is such a doofus security error on the part of the manufacturer that we feel it barely deserves to have a CVE.

Reaper is almost showing off by not even attempting password guessing, and instead simply exploiting different vulnerabilities (RCEs, web shells, etc.) in devices from nine different IoT vendors.

Oct 31, 2017 Update (continued)

Reports on the “size” of Reaper vary. We’ve scanned 750,000 unique devices that match the nine vulnerabilities currently exploited by Reaper. We regularly scan 85,000 new, “Reaper-compatible” devices per day. We don’t know which of them are actually infected, but there’s no reason that Reaper itself couldn’t infect them, unless its authors didn’t want it to.

The nine vulnerabilities currently used by Reaper are fairly rudimentary, as vulnerabilities go. If the thingbot authors were to include a few dozen existing vulnerabilities that fit Reaper’s device-targeting profile, we think they could grow the thingbot by an additional 2.75 million nodes. If they wanted to. Adding that 2.75 million to the 750,000 devices that are currently “Reaper-compatible” yields the 3.5 million figure cited above.

Note: We will not be disclosing the additional CVEs as that would simply expedite the authors’ exploits.


