What is a Botnet?
A botnet is a collection of internet-connected devices, each of which is running one or more bots. The term usually refers to a network of compromised computers whose security has been breached and control ceded to a third party, who then uses them for malicious purposes. Botnets are often assembled by compromising computer systems with malware such as trojan horses and computer viruses.
The botnet called "Reaper" (also known as IoTroop, or alternatively the "Internet of Things") consists mainly of compromised Internet of Things devices such as routers, IP cameras, digital video recorders and even baby monitors.
Most victims don't even know that their device has been infected and made part of a botnet. Once the device is compromised, it will run a script and participate in DDoS attacks without the owner's knowledge or permission.
What is IoTroop/Reaper?
The Reaper Botnet was discovered by Check Point security researchers (thanks to Oren Koriat for letting us know via email). The botnet has already infected over 1 million devices worldwide.
How is IoTroop/Reaper different from other Botnets?
Most botnets are created using computers, not Internet-Of-Things devices. This changes the game completely and shifts the motivation of those behind such projects. Since these are new players, they aren't as advanced as existing botnets. Some of the malware samples identified by Check Point researchers suggest that we are dealing with a new-age, unstable botnet which may still be in its trial stages.
Unlike a botnet built from classic computers, it can control and disable internet-connected devices, spread very quickly to other devices, and function autonomously without any human interaction.
Reaper has a unique, never-before-seen architecture that includes several advanced features designed to make it more powerful and resilient. For example, while we were working on this blog post, we witnessed it add 5,893 new devices to its network.
How does one become infected with IoTroop/Reaper?
The botnet spreads by continuously scanning the internet for insecure routers and other vulnerable devices that are using default passwords. Once a victim device is found, Reaper will infect it through known security weaknesses or passwords.
How can I see if my device is infected with Reaper?
Check Point researchers have written a proof-of-concept script that can be used to identify whether or not your device is affected by the Reaper Botnet. The script scans for open SSH ports which are typically left exposed and vulnerable on routers (and IoT devices). You can find the script here.
If your device is exposed and vulnerable, you should immediately follow these steps to secure it: change its default password and update its firmware (if possible), or simply unplug it from the internet until you are able to complete those tasks. After that, read this blog post for more information about how your device can become infected and how you can protect it.
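A minimal check along the lines of the script described above, as an added example that is not Check Point's script or code from the original post: it tests whether a device you own accepts connections on the SSH port and presents an SSH banner. The function names and the command-line usage are assumptions made for illustration.

```python
import socket
import sys


def check_ssh_exposure(host, port=22, timeout=2.0):
    """Report whether host:port accepts TCP connections and answers with an SSH banner."""
    result = {"host": host, "port": port, "open": False, "ssh": False, "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            result["open"] = True
            conn.settimeout(timeout)
            try:
                data = conn.recv(256)  # SSH servers send their version string first
            except OSError:
                data = b""  # port is open but the service stayed silent
    except OSError:
        return result  # refused, filtered or unreachable: nothing listening for us
    # Per RFC 4253 the identification line starts with "SSH-"; other lines may precede it.
    for line in data.splitlines():
        text = line.strip().decode("ascii", "replace")
        if text.startswith("SSH-"):
            result["ssh"] = True
            result["banner"] = text
            break
    return result


def audit(devices, timeout=2.0):
    """Check a list of (host, port) pairs and return only the exposed ones."""
    results = (check_ssh_exposure(host, port, timeout) for host, port in devices)
    return [r for r in results if r["open"]]


if __name__ == "__main__":
    # Usage (assumed): python check_ssh.py <address of your own device> [...]
    if len(sys.argv) < 2:
        print("usage: check_ssh.py HOST [HOST ...]")
        sys.exit(2)
    exposed = audit([(host, 22) for host in sys.argv[1:]])
    for r in exposed:
        kind = r["banner"] if r["ssh"] else "open, no SSH banner"
        print(f"{r['host']}:{r['port']} exposed ({kind})")
    if not exposed:
        print("no exposed SSH port found on the given devices")
```

An open SSH port only shows that the device is reachable; the default password and the firmware version still need to be checked on the device itself.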
How is Reaper being controlled?
Someone (or a group of people) is using the botnet to scan the internet for vulnerable devices, infect them and spread the attack further. This suggests that someone may be experimenting with the botnet to understand its inner workings before attempting something bigger.
Stay tuned for additional information about the Reaper Botnet. The best way to fight malware is through education; share this simple blog post on Facebook and Twitter or in your WhatsApp group to help inform others about how their devices can become part of a botnet.