A Gigantic IoT Botnet has been discovered by Malware researchers at 360 lab.
The discovered IoT botnet borrows some code from the infamous Mirai botnet; however, it does not rely on password cracking at all. Instead, it spreads by exploiting known vulnerabilities in the devices themselves. 360 named it IoT_Reaper.
360: IoT_reaper is fairly large now and is actively expanding. For example, there are multiple C2s we are tracking; the most recent data (October 19) from just one C2 shows that the number of unique active bot IP addresses is more than 10k per day. At the same time, there are millions of potentially vulnerable device IPs being queued into the C2 system, waiting to be processed by an automatic loader that injects malicious code into the devices to expand the size of the botnet.
The botnet is still in its early stages of expansion, but the author is continuously updating its code.
How is this different from Mirai?
IoT_Reaper differs from the Mirai botnet in three main ways:
- There is no need for weak passwords. The botnet leverages vulnerabilities on the devices themselves.
- A Lua execution environment is built in, allowing more complex attacks to be scripted.
- Scan behaviour is not aggressive, allowing scans to stay under the radar.
The lab identified 9 IoT vulnerabilities that are currently being exploited by the botnet:
- D-Link https://blogs.securiteam.com/index.php/archives/3364
- GoAhead https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
- JAWS https://www.pentestpartners.com/blog/pwning-cctv-cameras/
- Netgear https://blogs.securiteam.com/index.php/archives/3409
- Vacron NVR https://blogs.securiteam.com/index.php/archives/3445
- Netgear http://seclists.org/bugtraq/2013/Jun/8
- Linksys http://www.s3cur1ty.de/m1adv2013-004
- D-Link http://www.s3cur1ty.de/m1adv2013-003
- AVTECH https://github.com/Trietptm-on-Security/AVTECH
According to a report in The Inquirer, Check Point estimates so far that “over a million organisations have already been affected worldwide, including the US, Australia and everywhere in between.”
It expects this number to keep growing, noting that “our research suggests that we are now experiencing the calm before an even more powerful storm. The next cyber hurricane is about to come.”
“It is vital to have the proper preparations and defence mechanisms in place before an attack strikes,” Check Point warns.
This is the second piece of malware-related security news we have reported this month, the first being the malware outbreaks leveraging the Google Play Store.