The Internet of Screams

Mike Brancato
| 10/30/2017
The Internet of Screams

This Halloween, another danger might be lurking in the shadows. Researchers at Qihoo 360 and Check Point have detected a new botnet that is taking over embedded network devices commonly grouped together as part of the Internet of Things (IoT). This new botnet, nicknamed "Reaper," is currently accumulating millions of zombie devices over which it gains control. Its impact will be realized when hacktivists eventually use it to attack victims – a feature of a similar attack in 2016.

The Mirai Botnet

In October 2016, the Mirai botnet performed a large takeover of more than 2.5 million IoT devices. Mirai spread itself widely and took control of more devices by using default passwords that the owners had not changed. Vulnerable devices included IP cameras, DVR systems, and others, which are primarily embedded Linux devices, each customized for a specific task.

The most notable attack Mirai performed was against Dyn, a DNS provider. On Oct. 21, 2016, Dyn experienced multiple attacks against its infrastructure from more than 100,000 devices that were part of the Mirai botnet. The attacks took dozens of the most popular websites, or portions of them, offline. Affected sites included Twitter, Netflix, Amazon, and many others.

Reaper Adds New Tricks

Historically, botnets have used a single method to spread themselves and perform very simple attacks on victims. The Reaper botnet that is currently emerging is based on the Mirai botnet's source code and tactics. Reaper attempts to spread itself by using default credentials, just as Mirai did. However, Reaper also exploits vulnerabilities in unpatched IoT devices as well. Newer samples of Reaper include support for advanced attacks by including access to the Lua programming language.

Researchers have found Reaper samples with more than nine exploits for vulnerabilities in vendors’ devices and the software those devices use. When combined, the Reaper botnet’s exploits might be used to gain access to more than 1,250 devices made by more than 350 manufacturers or brands. As of Oct. 26, more than 1 million devices have reportedly been captured as part of the Reaper botnet. Many of these affected devices are surveillance cameras.

One of the exploits used by Reaper affects the GoAhead web service, a popular embedded web server used in many types of embedded devices, including printers, phones, network gateways, industrial control systems, and military devices. According to its website, GoAhead is used in millions of device models made by many of the most popular names in consumer, industrial, and commercial device manufacturing.

What to Expect

If the use of this botnet follows the pattern of previous attacks, hacktivists will lease the botnet to perform large-scale attacks. Since the botnet is distributed across the internet and the world, the primary type of attack generated by botnets is a distributed denial-of-service (DDoS) attack. These attacks are usually targeted, but as demonstrated last year, the attack against Dyn had an impact on thousands of websites. One challenge with these attacks is that the owners of the infected devices are typically not affected very much, and when device owners don’t experience direct effects, they don’t tend to prioritize the effort to fix their devices.

To help avoid becoming part of the Reaper botnet, device owners should take the following steps:

  • Block access from the internet to cameras and other embedded devices.
  • Resist forwarding web traffic to internal cameras or DVRs from the internet.
  • Check for and install updates to the firmware running on embedded devices.

Once part of the Reaper botnet, devices that gain access to an organization's internal network might be able to spread the botnet to other internal devices. Organizations that fear they might be the target of an attack can help diminish its effects by using DDoS mitigation and content delivery services to provide a front line of defense for websites. Individuals and organizations might lack the ability to determine if devices are infected until an attack begins. For devices suspected of infection, owners should follow specific guidance to restore the devices to a clean state. The process to restore devices will vary by device type.

Generally, in response to Reaper and future botnet attacks, device owners should follow a cautious protocol: Install the latest firmware and patches to prevent infection, take infected devices offline, reinstall the latest firmware on infected devices, and test the devices before returning them to their normal use.


Crowe is a Check Point Stars Partner