Reaper, a potential successor to the Mirai botnet, is gathering strength with estimates of its size ranging into the millions of Internet of Things devices. It targets an array of new vulnerabilities in smart devices as it conscripts new members into its botnet army.
Smart reasons to be nervous
Security researchers fear Reaper could launch an even bigger series of DDoS attacks than those launched through the Mirai botnet last year. Those attacks – the biggest yet seen on the internet – hijacked smart devices such as CCTV and video cameras and used them to launch DDoS attacks against targeted organizations including cyber journalist Brian Krebs, the French web hosting firm OVH, and the internet provider Dyn. The last attack had knock-on consequences felt across the web as some popular sites such as Reddit, SoundCloud, Spotify, and Twitter were knocked offline.
Inspired by Mirai, but more discrete
Reaper reuses some of the Mirai code and shares some operational similarities with it. They target IoT devices, enlist them into their botnet army, and both are technically considered computer worms as they automatically spread from one device to another.
But there are distinct differences. Reaper has taken a more sophisticated approach to finding victims than Mirai, hunting for nine vulnerabilities in a range of consumer and business-focused IoT devices. About half of these vulnerabilities are fairly new, giving Reaper a wide-open window of opportunity to exploit. Mirai primarily harnessed default user names and password combinations hardwired into devices – a common feature in older, first-generation smart devices.
Do you feel vulnerable?
So far, Reaper has also been far more discrete than Mirai as it searches for vulnerable devices. Whether accidental or by design, this has allowed Reaper to have a lower profile as it expands its reach. The big question mark is what it will do with the devices and networks that it is adding to its botnet army – will there be a new wave of DDoS attacks or will this army do something else like distributing spam or malware?
Be prepared, Avira SafeThings™ already is
If and when Reaper goes ballistic and tries to blow up the internet; SafeThings™ is already prepared to protect networks, smart homes, and the smart devices in these networks.
SafeThings™ is the new gateway security platform from Avira. Powered by our advanced AI and machine learning techniques, it automatically enforces a security and privacy umbrella at the gateway after identifying smart devices in the house and determining normal behavior patterns. It can run completely autonomously while still giving the end users a transparent look at their home network activities. Installed on top of existing infrastructure (router or at the internet gateway) by the provider, Avira SafeThings™ frees the end user from DIY installation headaches and the need to buy additional hardware.
Our security strategy for IoT botnets such as Reaper and Mirai utilizes three major features
- Safe conduct profiles: Immediately after deployment, SafeThings™ classifies network devices and limits their communication possibilities to what’s relevant for them and that device category. For example, we know a door lock shouldn’t transfer more than 5MB per day, a lightbulb shouldn’t send video streams to remote hosts, and a TV shouldn’t communicate when it’s turned off.
- Anomaly detection: SafeThings™ can detect in near real-time when a device enslaved in the Reaper botnet starts doing unusual actions such as attacking a remote host. Once it detects anomalous behavior, it will shut down the compromised communication, and issue a critical alert to the user / ISP command center.
- Security audit checks: SafeThings™ checks each network device if it has strong authentication credentials and for Internet-exposed ports (services). This info is stored and, depending on the severity of the issue; an action is automatically taken to close ports and/or advise the user to change device passwords.
Altogether, these three steps considerably reduce the attack surface within a network or a smart home – a very critical strategy feature for smart device botnets. And with Avira SafeThings™ these steps can be done automatically, without requiring the end user to do anything to secure their smart home.