Codenamed IoT_reaper, the botnet has swallowed two million devices, mostly IP-based security cameras, network video recorders (NVRs), and digital video recorders (DVRs).
Chinese security firm Qihoo 360 Netlab and Israeli security firm Check Point have spotted and analysed the botnet as it continued to grow during the past month.
The botnet uses some code from the Mirai IoT malware, but there are also many new things that make the botnet a stand-alone threat.
Mirai scanned for open Telnet ports and attempted to log in using a preset list of default or weak credentials.
Reaper does not use a Telnet scanner, but primarily uses exploits to forcibly take over unpatched devices and add them to its command and control (C&C) infrastructure.
Netlab says that IoT_reaper primarily uses a package of exploits for nine vulnerabilities: D-Link 1, D-Link 2, Netgear 1, Netgear 2, Linksys, GoAhead, JAWS, Vacron, and AVTECH. Check Point also spotted the botnet attacking MikroTik and TP-Link routers, Synology NAS devices, and Linux servers.
Netlab experts say the botnet is in its incipient stages of development, with its operator adding as many devices to the fold as possible.
Check Point and Netlab point out that IoT_reaper did not launch any DDoS attack, but Reaper comes with a Lua-based execution environment integrated into the malware that allows its operator to deliver modules for various tasks, such as DDoS attacks, traffic proxying, and others.
Reaper's Lua core also comes embedded with 100 open DNS resolvers, functionality that will allow it to carry out DNS amplification attacks.
The FBI and Europol warned about the dangers of leaving Internet of Things devices exposed online, but the world does not seem particularly concerned that its lightbulbs could take part in an attack on the power grid.