Don’t fear the Reaper: Botnet ‘easy to stop,’ says security researcher

The new internet of things botnet, variously known as Reaper, IoT_Reaper or IoTroop, should be easy to stop if it ever attacks, because it uses fixed, hardcoded domain and internet addresses for its command and control, or C2, servers — meaning they can easily be cut off by service providers.
Getty Images

The new Internet of Things botnet variously known as Reaper, IoT_Reaper or IoTroop should be easy to stop if it ever attacks, a security researcher says.

Reaper uses fixed, hardcoded domain and internet addresses for its command and control, or C2, servers — meaning they can easily be cut off by service providers, Radware security researcher Pascal Geenens wrote Wednesday.

“The control servers, the architecture and the methods of operation of the Reaper botnet have been uncovered and are known,” Geenens wrote. “It uses a fixed domain and IP addresses for its C2 servers, which should make blacklisting or blackholing effective to stop any attacks it might attempt.”

Although the hacker that controls the botnet — the “herder” — has proved successful at building it up, the botnet has not yet been used for attacks. But there’s widespread concern nonetheless about how powerful a weapon it could be. The Mirai botnet brought the Internet to its knees on the east coast last year through a complex DDoS attack on internet routing provider Dyn.


Geenens, in common with many other cybersecurity researchers, has spent the week since Reaper was first identified picking apart the malware code — which is easily available to anyone from the botnet’s C2 server.

Arbor networks researchers say they believe the huge botnet was designed for the internal Chinese cybercrime market — probably for use in distributed denial-of-service (DDos) extortion attacks. “Our current assessment of Reaper is that it is likely intended for use as a booter/stresser service primarily serving the intra-China DDoS-for-hire market.”

But there’s still no consensus even on how large it is, let alone about its level of sophistication or the danger it represents.

“Reaper is almost showing off by not even trying the password cracking [used by Mirai], and instead just exploiting different vulnerabilities,” wrote researchers from F5 Networks, adding, “If you were the world’s best IoT botnet builder and you wanted to show the world how well-crafted an IoT botnet could be, Reaper is what you’d build.”

Geenens, on the other hand, labeled it “not sophisticated” comparing its HTTP plaintext communication every 10 seconds with hardcoded C2 servers to the Hajime botnet, which uses multiple encrypted and trackerless BitTorrent channels with daily changing infohashes.


On the other hand, Hajime used the Telnet hardcoded default passwords that Mirai first utilized — adding a couple of additional flourishes — whereas Reaper exploits a variety of published but widely unpatched vulnerabilities. It also includes a special software feature called a Lua execution environment, which makes it “flexible and agile in terms of adding new attack vectors compared to hardcoding them,” according to Geenens.

Hajime was about 300,000 devices strong at its peak in April. “Still today, over 30 percent of our IoT honeypot activity is attributed to Hajime,” said Geenens. He doesn’t provide an estimate of the current size of Reaper.

Arbor says Reaper is fluctuating between 10,000 and 20,000 devices.

F5 researchers, for their part, say they have data that “suggests [Reaper] could include over 3.5 million devices and could be capable of growing by nearly 85,000 devices per day.”

They don’t give details and its public relations company didn’t immediately respond to a request for elaboration.

Latest Podcasts