IoT_Reaper, or the Reaper in short, is a Linux bot targeting embedded devices like webcams and home router boxes. Reaper is somewhat loosely based on the Mirai source code, but instead of using a set of admin credentials, the Reaper tries to exploit device HTTP control interfaces.
It uses a range of vulnerabilities (a total of ten as of this writing), from years 2013-2017. All of the vulnerabilities have been fixed by the vendors, but how well are the actual devices updated is another matter. According to some reports, we are talking about a ballpark of millions of infected devices.
In this blogpost, we just wanted to add up some minor details to good reports already published by Netlab 360 , CheckPoint , Radware  and others.
When the Reaper enters device, it does some pretty intense actions in order to disrupt the devices monitoring capabilities. For example, it just brutally deletes a folder “/var/log” with “rm -rf”.
Another action is to disable the Linux watchdog daemon, if present, by sending a specific IOCTL to watchdog device:
After the initialization, the Reaper spawns a set of processes for different roles:
All the child processes run with a random name, such as “6rtr2aur1qtrb”.
The Reaper’s spawned child processes use a trivial form of string obfuscation, which is surprisingly effective. The main process doesn’t use any obfuscation, but all child processes use this simple scheme when they start executing. Basically, it’s a single-byte XOR (0x22), but the way the data is arranged in memory makes it a bit challenging to connect the data to code.
Main process allocates a table in heap and copies the XOR-encoded data in. Later when the child processes want to reference to particular encoded data, it decodes it in heap and references the decoded data with a numeric index. After usage, the data is decoded back to its original form.
The following screenshot is a good presentation of the procedure:
The Reaper polls periodically a fixed set of C2 servers:
weruuoqweiur.com, e.hl852.com, e.ha859.com and 18.104.22.168
The control messages and replies are transmitted over a clear-text HTTP, and the beacons are using the following format:
The protocol is very simple: basically there are only two major functions – shutdown or execute arbitrary payload using the system shell.
One of the child processes starts to scan for vulnerable victims. In addition to randomly generated IP addresses, Reaper uses nine hard-coded addresses for some unkown reason. The addess is scanned with a set of apparently random-looking set of ports, and then with a set of bit more familiar ports:
80, 81, 82, 83, 84, 88, 1080, 3000, 3749, 8001, 8060, 8080, 8081, 8090, 8443, 8880, 10000
In fact, the randomish ports are just byte-swapped presentation of the above port list. So for example, 8880 = 0x22b0 turns to 0xb022 = 45090. The reason for this is still unknown.
It is possible that the author was just lazy and left off some endianness handling code, or maybe it is some other error in the programming logic. Some of the IoT-devices are big-endian, so the ports need to be swapped in order to use them with socket code.
Screenshot of the hard-coded list of ports:
This is the list of hard-coded IP-addresses:
If the Reaper finds promising victim, it next tries to send HTTP-based exploit payload to the target. A total of ten different exploits have been observed so far, and they are related to IoT devices HTTP-based control interface. Here’s a list of the targeted vulnerabilities and HTTP requests associated with them:
1 – Unauthenticated Remote Command Execution for D-Link DIR-600 and DIR-300
Exploit URI: POST /command.php HTTP/1.1
2 – CVE-2017-8225: exploitation of custom GoAhead HTTP server in several IP cameras
GET /system.ini?loginuse&loginpas HTTP/1.1
3 – Exploiting Netgear ReadyNAS Surveillance unauthenticated Remote Command Execution vulnerability
GET /upgrade_handle.php?cmd=writeuploaddir&uploaddir=%%27echo+nuuo+123456;%%27 HTTP/1.1
4 – Exploiting of Vacron NVR through Remote Command Execution
GET /board.cgi?cmd=cat%%20/etc/passwd HTTP/1.1
5 – Exploiting an unauthenticated RCE to list user accounts and their clear text passwords on D-Link 850L wireless routers
POST /hedwig.cgi HTTP/1.1
6 – Exploiting a Linksys E1500/E2500 vulnerability caused by missing input validation
POST /apply.cgi HTTP/1.1
7 – Exploiting of Netgear DGN DSL modems and routers using an unauthenticated Remote Command Execution
GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&curpath=/¤tsetting.htm=1cmd=echo+dgn+123456 HTTP/1.1
8 – Exploiting of AVTech IP cameras, DVRs and NVRs through an unauthenticated information leak and authentication bypass
GET /cgi-bin/user/Config.cgi?.cab&action=get&category=Account.* HTTP/1.1
9 – Exploiting DVRs running a custom web server with the distinctive HTTP Server header ‘JAWS/1.0’.
GET /shell?echo+jaws+123456;cat+/proc/cpuinfo HTTP/1.1
10 – Unauthenticated remote access to D-Link DIR-645 devices
POST /getcfg.php HTTP/1.1
Output from IDAPython tool that dumps encoded strings (rickrolling is the second one):
Analysis on this post is based on a single version of the Reaper (md5:37798a42df6335cb632f9d8c8430daec)