Two security companies warn of a fast-growing botnet consisting of vulnerable internet-of-things devices, such as IP cameras. According to one of the companies, the malware in question uses parts of the Mirai source code.
The Chinese company Qihoo 360 writes, however, that unlike Mirai the malware does not abuse weak passwords to infect devices, but relies solely on various vulnerabilities. It targets IoT devices from D-Link, Netgear and Linksys, among others. Security company Check Point mentions these brands as well, and also names Synology, MikroTik and TP-Link. Check Point writes only that the botnet is growing rapidly, while Qihoo 360 claims to have more precise figures.
According to those figures, more than 10,000 bots managed by a single C2 server are online every day, and there are several such servers. Furthermore, that server reportedly has two million vulnerable devices in its queue waiting to be infected. The company does not report whether infection would actually succeed on all of those devices. The botnet is reportedly still at an early stage, and its creator is said to be taking measures not to scan the internet too aggressively, in order to avoid detection.
The creator also actively modifies the malware's code and adds exploits for new vulnerabilities. Currently, the malware reportedly uses nine vulnerabilities to spread. Qihoo 360 has named the botnet IoT_reaper. It has reportedly not performed any DDoS attacks so far, but that remains a possibility. The Mirai botnet, which also consists of vulnerable IoT devices, carried out a major DDoS attack on DNS provider Dyn about a year ago.