Botnets Growing, via Reaper and Sockbot Malware

Thus far, the largest DDoS attack on record (estimated at 1.2 Tbps) was powered by 100,000 enslaved bots, but that number could be eclipsed by even larger botnets now being formed. In the past week security researchers have identified not one but two malware families that infect devices to enslave them into IoT botnets: Reaper and Sockbot.

Several days ago Symantec researchers discovered the Sockbot malware in eight different apps in the Google Apps Store; Google has since removed those apps from its store. The Sockbot Android malware is so named because it connects to a command and control (C&C) server on port 9001, and the server instructs the app to open a SOCKS proxy socket and wait for a connection.

Meanwhile, the Israeli security firm Check Point Technologies discovered “IoTroop,” another IoT malware that is recruiting vulnerable IoT devices into a botnet army that is spreading rapidly around the world and could soon be deployed in DDoS attacks. Other security firms have named it “Reaper.” It contains some code that is found in the Mirai botnet code that was unleashed in several massive DDoS attacks in late 2016, but it is reportedly more complex and powerful than Mirai. According to Wired magazine, “while Reaper hasn’t been used for the kind of distributed denial of service attacks that Mirai and its successors have launched, that improved arsenal of features could potentially allow it to become even larger—and more dangerous—than Mirai ever was.” The malware infects a device, and then the device itself searches for other vulnerable devices that could be recruited into the botnet.

What does this mean for network security staff? Be prepared for even larger DDoS attacks in the near future. What can be done to prevent them? Fighting off DDoS attacks must be a team effort:

  1. IoT device owners should make sure that they reset the default passwords that come with the devices.
  2. Manufacturers should build better security features into their products.
  3. Internet service providers must leverage their ability to detect spoofed IP addresses and block malicious traffic at ingress, by deploying automated, real-time DDoS protection. In doing so, ISPs could reduce the number and intensity of DDoS attacks by at least an order of magnitude.
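To make the third point concrete, here is an added example (not from the original post or from any vendor named in it) of the ingress check an ISP can apply: a flow whose source address does not belong to the prefix assigned to the customer port it arrived on is spoofed and dropped, and a flow that passes that check but exceeds a packet-rate threshold is rate-limited. The port names, prefixes, flow records and threshold are constructed for illustration; the addresses are documentation ranges, not real customers.

```python
import ipaddress

# Constructed example: the prefixes provisioned on each customer-facing port.
# A real ISP would pull this from its provisioning or RADIUS data (assumed).
PORT_PREFIXES = {
    "cust-port-1": ["198.51.100.0/24"],
    "cust-port-2": ["203.0.113.0/25"],
}

# Constructed sample flow records: (ingress port, source IP, destination IP, packets/sec).
SAMPLE_FLOWS = [
    ("cust-port-1", "198.51.100.17", "192.0.2.10", 120),     # legitimate
    ("cust-port-1", "10.9.8.7", "192.0.2.10", 50000),        # spoofed: private source
    ("cust-port-2", "203.0.113.44", "192.0.2.10", 80),       # legitimate
    ("cust-port-2", "198.51.100.17", "192.0.2.10", 40000),   # spoofed: port 1's address on port 2
    ("cust-port-1", "198.51.100.200", "192.0.2.10", 90000),  # genuine source, but flooding
]

PPS_THRESHOLD = 10000  # hypothetical per-source rate ceiling


def build_filter(port_prefixes):
    """Parse the provisioned prefixes once into ip_network objects keyed by port."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in port_prefixes.items()}


def is_spoofed(port, src_ip, table):
    """True when the source address is not within any prefix assigned to the ingress port."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in table.get(port, []))


def classify_flows(flows, port_prefixes, pps_threshold=PPS_THRESHOLD):
    """Return (port, source, verdict) per flow: drop-spoofed, rate-limit, or permit."""
    table = build_filter(port_prefixes)
    verdicts = []
    for port, src, _dst, pps in flows:
        if is_spoofed(port, src, table):
            verdicts.append((port, src, "drop-spoofed"))
        elif pps > pps_threshold:
            verdicts.append((port, src, "rate-limit"))
        else:
            verdicts.append((port, src, "permit"))
    return verdicts


def offered_pps(flows):
    """Total packet rate arriving at ingress before any filtering."""
    return sum(pps for _port, _src, _dst, pps in flows)


def admitted_pps(flows, port_prefixes, pps_threshold=PPS_THRESHOLD):
    """Packet rate forwarded after dropping spoofed flows and capping rate-limited ones."""
    verdicts = classify_flows(flows, port_prefixes, pps_threshold)
    total = 0
    for (_port, _src, _dst, pps), (_p, _s, verdict) in zip(flows, verdicts):
        if verdict == "permit":
            total += pps
        elif verdict == "rate-limit":
            total += pps_threshold
        # drop-spoofed contributes nothing
    return total


if __name__ == "__main__":
    for port, src, verdict in classify_flows(SAMPLE_FLOWS, PORT_PREFIXES):
        print(f"{port:12s} {src:16s} {verdict}")
    print("offered pps :", offered_pps(SAMPLE_FLOWS))
    print("admitted pps:", admitted_pps(SAMPLE_FLOWS, PORT_PREFIXES))
```

The source-prefix check is the part that needs no traffic analysis at all: the ISP already knows which addresses it handed to each port, so a mismatch is a definite spoof and can be dropped at line rate. The rate limit is a second, coarser control for floods from genuine addresses (the case a compromised IoT device on a customer line actually produces), and the threshold would be tuned per access technology rather than fixed as here.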

For more information, contact us.