Reaper Madness: The Enigmatic and Potentially Deadly Reaper Botnet

We don’t know where or when, but someday the Reaper will come for us all. I mean the Reaper botnet, of course. It is potentially the most dangerous botnet ever created and one of the most inept. It is a botnet that, at times, seems to be put together by a government committee and, at others, by innovative creators. But, because it contains elements that, if correctly used, can do great damage, we need to take it seriously.

Why do people want to create botnets anyway? No, it’s not always to bring down the internet. In fact, botnets often have more personal uses, like revenge on a hated employer or an ex-partner. Simply put, a botnet is a group of computers organized by attacker(s) to launch a coordinated attack. The attacker can control these computers remotely and make them do a number of things. They can be organized to send spam, send malware-infected spam, or participate in a DDoS (Distributed Denial of Service) attack. A DDoS  attack uses a large number of computers in a botnet to access and overwhelm a site’s servers, effectively shutting the site down. Though somewhat simple in principal, such an attack can be very costly to an internet-dependent site that is knocked offline. The average cost for a business brought down by a DDoS attack is $2.5 million. The Mirai botnet cost businesses at least $121 million. Insurer Lloyds of London, in a report on cyber attacks, estimated that extreme attacks on cloud services would cost between $15 billion and $120 billion. Attacks that take down major portions of the internet could produce even higher financial losses.

Here’s a financial breakdown by DDoS protection firm Neustar. Keep in mind that the totals are hourly.

neustarWhat most people don’t realize is that you can download software that will help you build your own botnet. You can also buy, rent, or even get free, some of the largest botnets available, like the Mirai botnet that brought down major portions of the internet. Some people buy botnets for their personal use but others build them in order to sell them to others. For a good way to visualize how fast botnets can grow, take a look at this website.

So where does this leave the Reaper botnet? We don’t know. All we’ve been able to discover is that someone has been trying to build an extensive botnet that has some characteristics not seen in other botnets. Whereas the Mirai botnet was formed by enslaving internet-connected devices that hadn’t had their default passwords changed, Reaper uses known exploits for targeted devices connected to the internet like routers and cameras. It uses known vulnerabilities that users have not yet patched. Through these, it takes control of the devices and uses them to transmit the malware to enslave other vulnerable devices, thus building the botnet.

Researchers were at first alarmed when security firm, Check Point, reported that a million devices may have been infected by Reaper. This is alarming because the notorious Mirai only used about 400,000 bots. Mirai only took over the devices while the device was online. A computer reboot removed the attacker. Reaper, however, seems to be more persistent and maintains control of the devices it infects unless the victim takes more serious actions, such as restoring factory settings to a router. However, if the attacker changes the username and password, even a reset can’t recover some devices. So far, from what I’ve been able to discover, Reaper hasn’t progressed this far. One of the firms that first discovered Reaper, Netlab 360, now estimates that only 28,000 devices are part of the botnet. Yet, lest you think a sigh of relief is appropriate here, it also said that as many as 2 million devices may be waiting in a cue to be processed for the botnet.

So what’s happening? This is where the amateurish nature of the botnet builders comes to the forefront. It seems to use a narrow range of IPs as its command and control (C2) centers. In other words, security software can easily block any attacks by simply blocking the IP address. So, when I entered the Reaper IP address on my computer, Malwarebytes blocked me from going to it.


On the other hand, the Reaper botnet hasn’t been activated yet, so it may be that the developers are in the “practice” phase; ironing out any bugs until the right moment. In other words, the amateur aspects of this botnet could suddenly disappear just before activation. If anything near the one million member botnet is activated, that’s when the trouble begins.

Some think this botnet may never be activated, or that it will be activated only after it is believed to be perfected. Maybe it is being designed to be sold to a wealthy buyer, like a nation state. Maybe a nation state is in the process of constructing it. That is certainly something to consider seriously. Such a powerful botnet in the hands of a rogue state could cause apocalyptic damage. I am not saying this lightly. Security firm F5 Labs made the following statement on the potential size of the Reaper botnet, “We have data that suggests it could include over 3.5 million devices and could be capable of growing by nearly 85,000 devices per day.” They arrived at this number in the following manner. (CVE stands for Common Vulnerabilities and Exposures.)

f5 diag

How serious this botnet could be will depend on how it is deployed. Sure, even if it is used as a simple DDoS attack on key internet nodes, it could cause havoc. But there are other vectors it could use. In June, the Department of Homeland Security warned that North Korea was setting up a botnet that targeted infrastructure. It is not clear how such an attack would work, but some speculate that a large botnet suddenly powering up all connected devices in a small area could stress the power grid to such an extent that it actually collapsed. Others claim that Russia is positioning itself to take out the power grids in several Baltic countries. Russia is not targeting the power stations directly with DDoS attacks, but the networked gateways that are used by power companies to control the grid.

Since Reaper has the ability to distribute malware, it could easily be armed with ransomware which it could distribute to vulnerable devices. Ransomware that encrypted key infrastructure components would work even better than a DDoS as it could disable them for a longer period of time. This actually happened when a ransomware attack took down the San Francisco metro system by shutting down all ticket machines (encrypting the hardware) until a ransom was paid. Hospitals are another frequent target of such attacks.

All we can do for now is to wait for the Reaper to appear. No one really knows the form it will take but it seems hard to believe that, after all the work put into it, it will turn out to be nothing more than an apparition.

reaper pic


3 thoughts on “Reaper Madness: The Enigmatic and Potentially Deadly Reaper Botnet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s