Reaper: The Next Evolution of IoT Botnets


By now, everyone should be aware of two things related to IoT devices. The first is that these devices are being deployed everywhere. They range from wearable devices, smart appliances, and networking devices, to small, lightweight devices (such as sensors) that have been integrated into critical infrastructure, to medical devices that monitor patients or deliver vital medications or treatments.

The second is that many of these devices are notoriously insecure. Vulnerabilities ranging from passwords hard-coded into firmware to junk code that can be easily exploited are only half the problem. The other half is that most of these devices don’t run on normal operating systems, so patching or updating their software is difficult if not impossible.

Professional threat researchers, including our FortiGuard Labs team, began warning manufacturers and users several years ago that IoT vulnerabilities would be the source of the next big menace – long before IoT-based botnets made that plain to the world. The most notorious of these, launched at the end of the summer of 2016, was Mirai. It was responsible for the largest DDoS attack in history. This botnet, built using millions of compromised IoT devices, was used as a weapon to bring down a large chunk of the Internet, including the websites and services of some of the world’s largest online vendors and service providers.

Six months later, we saw the launch of the Hajime IoT-based botnet, which was significantly more sophisticated. Unlike Mirai, which was basically a blunt DDoS instrument, Hajime included a variety of sophisticated cybertools and was cross-platform compatible, capable of supporting five different platforms. It also included a toolkit with automated tasks and a dynamic password list that could be remotely updated, and it could download other code, like BrickerBot.

Hajime also leveraged automation. For example, to evade detection Hajime was designed to be less noisy. One technique it used was to monitor and learn traffic and behavior thresholds so that it could effectively mimic acceptable human behavior. But one of its most alarming automated features was an embedded tool designed to remove those firewall rules used to detect it.

It also specifically targeted ISPs and MSSPs by identifying CPE devices and their CPE LAN Management Protocol and attempting to remove the rules that allowed the CPE device to talk to the service provider. Imagine a service provider with millions of devices that all go dark, and with no heartbeat to see, control, or manage these devices.

And now, a year later, an even more sophisticated IoT-based attack called Reaper has been discovered. Reaper bears some similarities to Mirai, such as its use of Mirai code to infect IoT systems. However, Reaper shows some significant evolutionary advances over both Mirai and Hajime. For example, samples we have analyzed show it has been armed with exploits covering nine different known vulnerabilities spanning a variety of IoT vendors. Vendors targeted by Reaper include Netgear, Linksys, GoAhead, and Avtech.

Reaper is also built around a Lua engine combined with scripts used to run its attacks. Lua is an embedded programming language designed to enable scripts to run. This means that its attack code can be easily updated to include more malicious options, which clearly takes it another step forward in the evolution of IoT-based attacks.

Coupled with some basic machine learning or AI, for example, future generations of this malware should be able to recognize virtually any device it encounters, search for a related vulnerability, and then select the appropriate exploit for it from a library of solutions, or even be able to develop a custom exploit.

And as emerging technologies like swarm intelligence begin to be integrated into botnet configurations, evolving them into something we call Hivenets, multiple infected devices will be able to work together as a single intelligent system. This intelligence would also enable the system to quickly identify new devices that any member of the Hivenet encounters, probe for vulnerabilities, modify or build exploits, and then, once an exploit solution is discovered, share that intelligence with the rest of the swarm. The results of such an intelligent attack system would be potentially devastating.


The problem of vulnerable and compromised IoT devices isn’t going to go away on its own. While there are efforts underway to push manufacturers to accept responsibility for the security of the devices they sell, and various legislative bodies are considering imposing a consumer-friendly security rating system, these are still some ways off.

In the interim, here are a few things you can do to protect yourself from IoT-based attacks:

  1. Inventory control: Keep track of the kinds of IoT devices on your network. This should apply both to corporate-owned assets and to those brought onto the network through BYOD protocols.
  2. Control access: Impose strict controls on what devices can access your network. Remember that wireless access only applies to some IoT devices. You will need to also have protocols in place for Bluetooth connections, radio-frequency-based devices spanning nearly a dozen different protocols, and smart devices hardwired into your network. Many of these devices access the network behind the firewall.
  3. Segment your IoT traffic: Once you can identify and control access for IoT devices, keep your IoT traffic separate from your other network segments to limit exposure and the spread of malware.
  4. Monitor outbound and lateral IoT traffic: Baseline the normal traffic of your IoT devices, then monitor for aberrant behavior so rogue devices can be automatically identified and quarantined.
  5. Practice good security hygiene: While it can be difficult or impossible to patch all your IoT devices, there are still many that can be upgraded or repaired.
  • Establish a routine for checking for updates and applying patches when they become available. Automate this process as much as possible.
  • Replace vulnerable devices when new versions with better security become available.
  • Establish IoT security protocols, such as making sure your AV and IPS solutions include IoT signatures.
  • Implement sandboxing to discover unknown malware and compromised devices.
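
A minimal sketch of step 4, added here as an illustration and not part of the original article: it baselines each IoT device's destinations and flow sizes from flow records, then flags new outbound destinations, lateral fan-out inside the IoT segment, and volume spikes. The 10.20.0.0/24 segment, the flow tuples, and the thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")  # assumed IoT VLAN
# Constructed flow records: (src, dst, dst_port, bytes)
BASELINE_FLOWS = [
    ("10.20.0.11", "203.0.113.10", 443, 1800),
    ("10.20.0.11", "203.0.113.10", 443, 2100),
    ("10.20.0.12", "198.51.100.7", 8883, 1100),
    ("10.20.0.13", "198.51.100.7", 8883, 700),
]
OBSERVED_FLOWS = [
    ("10.20.0.11", "203.0.113.10", 443, 1900),    # matches baseline
    ("10.20.0.11", "192.0.2.55", 443, 950000),    # new destination, large transfer
    ("10.20.0.12", "10.20.0.11", 23, 60),         # lateral connections to peers
    ("10.20.0.12", "10.20.0.13", 23, 60),
    ("10.20.0.12", "10.20.0.14", 23, 60),
    ("10.20.0.13", "198.51.100.99", 8883, 650),   # single new destination
]

def build_baseline(flows):
    """Per device: the (dst, port) pairs seen and the largest flow size."""
    peers, max_bytes = defaultdict(set), defaultdict(int)
    for src, dst, port, nbytes in flows:
        peers[src].add((dst, port))
        max_bytes[src] = max(max_bytes[src], nbytes)
    return peers, max_bytes

def find_anomalies(flows, baseline, volume_factor=10, fanout_limit=3):
    """Return {device: sorted reasons} for flows that deviate from the baseline."""
    peers, max_bytes = baseline
    alerts, lateral = defaultdict(set), defaultdict(set)
    for src, dst, port, nbytes in flows:
        if (dst, port) not in peers.get(src, set()):
            if ipaddress.ip_address(dst) in IOT_SEGMENT:
                lateral[src].add(dst)
                alerts[src].add("new_lateral_peer")
            else:
                alerts[src].add("new_outbound_destination")
        if nbytes > volume_factor * max_bytes.get(src, 0) > 0:
            alerts[src].add("volume_spike")
    for src, dsts in lateral.items():
        if len(dsts) >= fanout_limit:  # many new peers suggests scanning
            alerts[src].add("lateral_fanout")
    return {src: sorted(reasons) for src, reasons in alerts.items()}

def quarantine_candidates(alerts, min_reasons=2):
    """Devices with several independent deviations; the rest go to review."""
    return sorted(s for s, reasons in alerts.items() if len(reasons) >= min_reasons)
```

In practice the flow tuples would come from NetFlow/IPFIX or firewall logs, and the quarantine list would feed a NAC or switch-port action rather than being returned to the caller.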

Even though IoT devices have become a mainstay of our digital world, they are still very much in their infancy. While we have every reason to believe that security will become a priority for manufacturers and consumers alike as this market matures, in the meantime we all need to take extra precautions to protect ourselves from their potential to be compromised and exploited by cybercrime communities. This is a risk worth managing.

Read more on the Fortinet blog.