The Reaper botnet that had reportedly infiltrated more than a million organisations and was due to “take down the internet” has only recruited 10,000 to 20,000 devices, new research has found.
Researchers at Arbor Networks found that a further two million hosts have been been identified by the botnet’s scanners, but that they haven’t yet been co-opted to start launching attacks.
“Possible explanations include: misidentification due to flaws in the scanning code, scalability/performance issues in the Reaper code injection infrastructure, or a deliberate decision by the Reaper botmasters to throttle back the propagation mechanism,” Arbor said.
The botnet exploits vulnerabilities in a range of connected devices including IP-based cameras, routers, storage boxes and Wi-Fi points.
Arbor said it appears to be based on the infamous Mirai malware and suggested it’s likely to be a product of China’s criminal underground designed to serve the country’s DDoS-for-hire market:
“While Reaper is capable of launching SYN-floods, ACK-floods, http floods, and DNS reflection/amplification attacks, it is likely to have other, yet-to-be-determined DDoS attack capabilities, as well.”