Security researchers have uncovered a major new botnet of over 100,000 compromised machines, made up mainly of home routers with UPnP enabled.
Netlab 360 researchers Hui Wang and ‘RootKiter’ explained in a blog post that the main target is a vulnerability in Broadcom's UPnP implementation, which is widely deployed: in fact, 116 infected device models were identified. These included routers made by D-Link, Linksys, ZTE, TP-Link, Zyxel, Technicolor and many more.
“The interaction between the botnet and the potential target takes multiple steps, it starts with tcp port 5431 destination scan, then moving on to check target’s UDP port 1900 and wait for the target to send the proper vulnerable URL,” they explained.
“After getting the proper URL, it takes another four packet exchanges for the attacker to figure out where the shellcode's execution start address in memory is so a right exploit payload can be crafted and fed to the target.”
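The scan sequence the researchers describe (a TCP/5431 sweep followed by an SSDP probe on UDP/1900 against a host that answered) is a pattern a defender can look for in flow or firewall logs. The following is an added example, not code from the researchers or from this article; the flow records are constructed and the thresholds are assumptions:

```python
"""Flag sources that exhibit the BCMUPnP_Hunter probing sequence:
a TCP/5431 sweep across several hosts, then a UDP/1900 probe to one of them."""
from collections import defaultdict

# Constructed sample flow records (timestamp, src, dst, proto, dport); not real data.
SAMPLE_FLOWS = [
    (100, "203.0.113.9", "192.0.2.10", "tcp", 5431),
    (101, "203.0.113.9", "192.0.2.11", "tcp", 5431),
    (102, "203.0.113.9", "192.0.2.12", "tcp", 5431),
    (103, "203.0.113.9", "192.0.2.10", "udp", 1900),   # SSDP follow-up to a swept host
    (104, "198.51.100.7", "192.0.2.20", "tcp", 443),
    (105, "198.51.100.7", "192.0.2.20", "udp", 1900),  # lone SSDP query: ordinary discovery
]


def find_bcmupnp_hunter_scanners(flows, min_targets=3, window=60):
    """Return {src: sorted swept targets} for every source that contacted TCP/5431
    on at least `min_targets` distinct hosts and then sent UDP/1900 to one of those
    hosts within `window` seconds of the 5431 contact. Thresholds are assumed values."""
    ordered = sorted(flows)
    first_5431 = defaultdict(dict)  # src -> {dst: first TCP/5431 timestamp}
    for ts, src, dst, proto, dport in ordered:
        if proto == "tcp" and dport == 5431:
            first_5431[src].setdefault(dst, ts)

    suspects = {}
    for ts, src, dst, proto, dport in ordered:
        swept = first_5431.get(src, {})
        # Only a UDP/1900 probe aimed at a host this source already swept counts.
        if proto != "udp" or dport != 1900 or dst not in swept:
            continue
        if len(swept) >= min_targets and 0 <= ts - swept[dst] <= window:
            suspects[src] = sorted(swept)
    return suspects


if __name__ == "__main__":
    for src, targets in find_bcmupnp_hunter_scanners(SAMPLE_FLOWS).items():
        print(f"suspected UPnP sweep from {src}: {len(targets)} hosts probed on 5431")
```

Tuning `min_targets` and `window` to the sweep rate observed on your own network keeps ordinary SSDP discovery traffic from triggering the check.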
Once a target is infected it will communicate with popular mail servers like Outlook, Hotmail, and Yahoo Mail — leading the researchers to believe the botnet’s primary purpose is to send spam.
Scanning activity is irregular, occurring every 1-3 days, but each sweep covers 100,000 IPs. Based on a Shodan search for exposed devices, the researchers claimed the eventual number of infected machines could reach 400,000.
Most infected devices discovered so far appear to be in India (147,700), followed by the US (22,300) and China (19,200).
The so-called “BCMUPnP_Hunter” botnet is likely to be the work of a fairly sophisticated coder, according to Netlab 360.
“The shellcode has a full length of 432 bytes, very neatly organized and written, some proofs below (We did not find similar code using search engines),” it wrote. “It seems that the author has profound skills and is not a typical script kid.”
UPnP was designed to improve information sharing and connectivity across home and corporate networks, but is often hijacked by hackers to build botnets.