The Mirai botnet, a collection of hijacked gadgets whose cyberattack made much of the internet inaccessible in parts of the US and beyond a year ago, previewed a dreary future of zombie connected-device armies run amuck. But in some ways, Mirai was relatively simple—especially compared to a new botnet that's brewing.

While Mirai caused widespread outages, it impacted IP cameras and internet routers by simply exploiting their weak or default passwords. The latest botnet threat, known as alternately as IoT Troop or Reaper, has evolved that strategy, using actual software-hacking techniques to break into devices instead. It's the difference between checking for open doors and actively picking locks—and it’s already enveloped devices on a million networks and counting.

View more

On Friday, researchers at the Chinese security firm Qihoo 360 and the Israeli firm Check Point detailed the new IoT botnet, which builds on portions of Mirai’s code, but with a key difference: Instead of merely guessing the passwords of the devices it infects, it uses known security flaws in the code of those insecure machines, hacking in with an array of compromise tools and then spreading itself further. And while Reaper hasn’t been used for the kind of distributed denial of service attacks that Mirai and its successors have launched, that improved arsenal of features could potentially allow it to become even larger—and more dangerous—than Mirai ever was.

“The main differentiator here is that while Mirai was only exploiting devices with default credentials, this new botnet is exploiting numerous vulnerabilities in different IoT devices. The potential here is even bigger than what Mirai had,” says Maya Horowitz, the manager of Check Point’s research team. “With this version it’s much easier to recruit into this army of devices.”

The Reaper malware has pulled together a grab-bag of IoT hacking techniques that include nine attacks affecting routers from D-Link, Netgear, and Linksys, as well as internet-connected surveillance cameras, including those sold by companies like Vacron, GoAhead, and AVTech. While many of those devices have patches available, most consumers aren’t in the habit of patching their home network router, not to mention their surveillance camera systems.

'With this version it’s much easier to recruit into this army of devices.' Maya Horowitz, Check Point

Check Point has found that fully 60 percent of the networks it tracks have been infected with the Reaper malware. And while Qihoo 360's researchers write that some 10,000 devices in the botnet communicate daily with the command-and-control server the hackers control, they've found that millions of devices are "queued" in the hackers' code, waiting for a piece of automatic "loader" software to add them to the botnet.

Check Point’s Horowitz suggests anyone who fears that their device might be compromised should check the company’s list of affected gadgets. An analysis of the IP traffic from those devices should reveal if they’re communicating with the command-and-control server helmed by the unknown hacker that's administering the botnet, Horowitz says. But most consumers don't have the means to do that network analysis. She suggests that if your device is on Check Point's list, you should update it regardless, or even perform a factory reset on its firmware, which she says will wipe the malware.

As usual, though, it's not the owners of the infected machines who will pay the real price for allowing Reaper to persist and grow. Instead, the victims would be the potential targets of that botnet once its owner unleashes its full DDoS firepower. In the case of Reaper, the potentially millions of machines it's amassing could be a serious threat: Mirai, which McAfee measured as having infected 2.5 million devices at the end of 2016, was able to use those devices to bombard the DNS provider Dyn with junk traffic that wiped major targets off the face of the internet in October of last year, including Spotify, Reddit, and The New York Times.

Reaper has shown no signs of any DDoS activity yet, Qihoo 360 and Check Point note. But the malware includes a Lua-based software platform that allows new code modules to be downloaded to infected machines. That means that it could shift its tactics at any time to start weaponizing its hijacked routers and cameras.

Horowitz points out that hacking devices like IP-based cameras en masse doesn't provide many other criminal uses than as DDoS ammunition, though the motivation for any such DDOS attack is still unclear.

"We don't know if they want to create some global chaos, or do they have some specific target, vertical, or industry they want to take down?" she asks.

All of that adds up to an increasingly troubling situation: One where the owners of IoT devices are racing with a botnet master to disinfect devices faster than the malware can spread, with serious potential consequences for vulnerable DDoS targets around the world. And given that Reaper has far more sophisticated tools than Mirai, the impending volley of attacks may turn out to be even more dire than the last one.