UPDATED 22:54 EDT / OCTOBER 22 2017

New Reaper malware infects 2 million-plus “internet of things” devices

A recently discovered form of botnet malware has been found rapidly spreading, with more than 2 million “internet of things” devices believed to have already been infected.

Dubbed IoT_Reaper by security researchers at Chinese security company Qihoo 360, the malware is based on the infamous Mirai internet of things worm that first compromised millions of devices in 2016 — but with some noticeable differences.

One of those differences is that Reaper doesn’t attempt to crack passwords on targeted devices. Instead, it spreads itself using known device vulnerabilities such as attempting to log in using a preset list of default or weak credentials via open Telnet ports. Qihoo 360 notes that Reaper currently has nine different packages that target vulnerabilities in devices made by D-Link, Netgear, Linksys, AVTech, Vacron, JAWS and GoAhead.

Putting the number of infected devices at the smaller but still significant figure of 1 million, researchers at Check Point Software Technologies Ltd. wrote late last week that “while some technical aspects lead us to suspect a possible connection to Mirai, this is an entirely new and far more sophisticated campaign that is rapidly spreading worldwide.”

Both companies said they have not detected the Reaper botnet being used for nefarious purposes so far, but given that it has only a limited number of possible uses, it's only a matter of time until those behind it start using it.

“In terms of attacking command, although we saw support of DDoS [distributed denial of service] attack in the source file … we have not seen actual DDoS attack so far,” the researchers at Qihoo 360 said, before adding that “this means the attacker is still focusing on spreading the botnets.” The Check Point researchers noted that “it is too early to guess the intentions of the threat actors behind it, but with previous botnet DDoS attacks essentially taking down the internet, it is vital that organizations make proper preparations.”

Operators of internet of things devices are advised to check that they are not exposing vulnerable devices to the internet, to apply any security patches that may be available for the device and, if they detect an infected device, to take it offline immediately.

Photo: Peter/Wikimedia Commons
