November 8, 2018
Over a hundred thousand home routers may have been press-ganged into a spam-spewing botnet through Universal Plug and Play (UPnP). According to 360 Netlab, the malware exploits vulnerabilities in a Broadcom UPnP implementation to attack vulnerable gateways, which means any router manufacturer shipping that chipset's UPnP stack could be affected. Equipment from Billion, Linksys, D-Link, Zyxel, ZTE, TP-Link, and Australian supplier NetComm, along with some devices sold under ISP brands such as Australian ISP iiNet and CenturyLink, is among the 116 device models identified as infected by the malware.
In a Wednesday advisory, Hui Wang and a researcher going by the handle RootKiter reported that the hijacked routers were spotted emitting spikes of network traffic to UDP port 1900 and TCP port 5431, the ports used by UPnP (SSDP) and Broadcom's UPnP service respectively. These gateways, infected with the botnet malware, were scanning the internet for other weak devices to attack and infect.
The researchers further indicated that the sweeps are sporadic but large-scale: “the scan activity picks up every 1-3 days. The number of active scanning IPs in every single event is about 100,000.”
In other words, roughly 100,000 commandeered boxes were active in each sweep. When a scan found a router with UPnP turned on and a Broadcom chipset, the malware reported it to an attacker-controlled server, which then exploited the Broadcom bugs and infected the newly discovered gateway with the same malware. Once installed, the malware also connects to well-known mail servers such as Yahoo! Mail, Hotmail, and Outlook.
The researchers say a Shodan search for the banner “Server: Custom/1.0 UPnP/1.0 Proc/Ver” turned up over 400,000 potentially vulnerable devices.
UPnP has been a target for years. A 2013 SANS diary entry briefly described the port scans, and in March this year SANS reported a similar scanning pattern, which caught the attention of 360 Netlab. The SANS report noted:
“Have been observing this for about 45 days now (since 02/08/2018). Traffic is very bursty – scanning occurs for just an hour or two and stops, then repeats every 3-4 days or so. I have also noticed an (oddly) fixed source port of port 6/tcp on the scan packets. Not sure of the intent – perhaps looking for Broadcom UPnP? But curious that the scanning starts and stops so abruptly from 10’s of thousands of source IPs. Feels botnet-like, but no evidence to support that.”
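As an added example (not from 360 Netlab, SANS or the original article), a small Python detector that applies the traffic pattern described above to firewall log lines: it groups hits on UDP 1900 and TCP 5431 into hourly windows, counts distinct source IPs per window, and notes the fixed source port 6/tcp that SANS mentioned. The log line format and the sample entries are constructed for this example.

```python
# Added example: flag UPnP/Broadcom scan bursts in firewall logs.
# The log format below is constructed for this example, not any vendor's.
from collections import defaultdict
import re

# Ports named in the 360 Netlab advisory: UPnP SSDP (UDP 1900) and the
# Broadcom UPnP service (TCP 5431).
WATCHED = {("udp", 1900), ("tcp", 5431)}

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(line):
    """Return (ts, proto, src, sport, dst, dport) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return (int(d["ts"]), d["proto"], d["src"], int(d["sport"]), d["dst"], int(d["dport"]))

def scan_bursts(lines, window=3600, min_sources=3):
    """Bucket hits on the watched ports into time windows and return the
    windows with at least min_sources distinct source IPs, together with
    how many TCP packets carried the odd fixed source port 6 SANS observed."""
    windows = defaultdict(lambda: {"sources": set(), "packets": 0, "sport6": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, proto, src, sport, dst, dport = rec
        if (proto, dport) not in WATCHED:
            continue
        w = windows[ts // window * window]
        w["sources"].add(src)
        w["packets"] += 1
        if proto == "tcp" and sport == 6:
            w["sport6"] += 1
    return {
        start: {"sources": len(w["sources"]), "packets": w["packets"], "sport6": w["sport6"]}
        for start, w in sorted(windows.items())
        if len(w["sources"]) >= min_sources
    }

# Constructed sample: a burst in the first hour from several sources (some
# using source port 6), one unrelated HTTPS flow, and a lone hit hours later.
SAMPLE = """\
1000 udp 203.0.113.5:6 -> 198.51.100.10:1900
1010 tcp 203.0.113.7:6 -> 198.51.100.10:5431
1020 tcp 203.0.113.9:6 -> 198.51.100.11:5431
1030 udp 203.0.113.11:40000 -> 198.51.100.12:1900
1040 tcp 198.51.100.2:51000 -> 198.51.100.10:443
9000 tcp 203.0.113.5:6 -> 198.51.100.10:5431
""".splitlines()

if __name__ == "__main__":
    for start, info in scan_bursts(SAMPLE).items():
        print(f"burst starting t={start}: {info}")
```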
The Broadcom UPnP flaws were first discovered in 2013, yet years later most devices remain unpatched despite fixes having been developed, either because users never applied the updates or because the updates were never distributed. If you are in doubt, installing the latest firmware for your router may be the better solution, rather than disabling UPnP completely.