
IoT botnet BCMUPnP_Hunter targets routers with vulnerable UPnP feature

A large-scale botnet malware operation has been targeting router equipment running vulnerable versions of the Broadcom Universal Plug and Play (UPnP) feature. Active since at least September 2018, the malicious campaign appears to be infecting devices for the likely purpose of converting them into spam bots, according to a blog post yesterday from researchers at Qihoo's Netlab 360.

Over the last 30 days, the botnet has been scanning for susceptible equipment via TCP port 5431 every one-to-three days, with each cycle leveraging around 100,000 IPs from apparently hijacked routers to do its bidding. Researchers have identified a minimum of 116 different models of router devices targeted by the malware, dubbed BCMUPnP_Hunter, and believe the number of potential infections could reach 400,000.

“All together we have 3.37 million unique scan source IPs. It is a big number, but it is likely that the IPs of the same infected devices just changed over time,” explained researchers and blog authors Hui Wang and RootKiter.

The complex infection process begins with a shellcode component that downloads and executes the primary payload from a malicious command-and-control server. Researchers say the first-stage code is expertly written and apparently original.

The main payload specifically looks for a five-year-old, critical format string vulnerability in UPnP -- a network protocol that allows multiple network devices to discover and interact with each other. (The vulnerability was originally discovered in October 2013 but not disclosed until 2017.)

The main payload also builds a proxy network that communicates with servers belonging to email platform providers Outlook, Hotmail and Yahoo! Mail. Based on this observation, "We highly suspect that the attacker's intention is to send spams," the researchers have concluded.
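The one concrete network indicator the report gives is the scanning on TCP port 5431, so here is an added example (not code from Netlab 360 or this article) that flags a scan wave in a firewall log by counting distinct source IPs probing that port per day. The log layout, field order and the threshold are assumptions made for this example.

```python
"""Added example: detect a BCMUPnP_Hunter-style scan wave from firewall log lines.
Log format ("date src dst proto dport action") and the threshold are assumed."""
from collections import defaultdict

# Constructed sample lines (documentation-range addresses, not real scan sources).
SAMPLE_LOG = """\
2018-11-01 203.0.113.10 198.51.100.5 tcp 5431 drop
2018-11-01 203.0.113.11 198.51.100.5 tcp 5431 drop
2018-11-01 203.0.113.12 198.51.100.5 tcp 5431 drop
2018-11-01 203.0.113.12 198.51.100.5 tcp 5431 drop
2018-11-01 192.0.2.7 198.51.100.5 tcp 443 accept
2018-11-02 203.0.113.20 198.51.100.5 tcp 5431 drop
2018-11-04 203.0.113.30 198.51.100.5 tcp 5431 drop
2018-11-04 203.0.113.31 198.51.100.5 tcp 5431 drop
2018-11-04 203.0.113.32 198.51.100.5 tcp 5431 drop
2018-11-04 203.0.113.33 198.51.100.5 tcp 5431 drop
"""

UPNP_PORT = 5431  # TCP port the botnet scans for Broadcom UPnP (from the report)


def distinct_probe_sources(log_text: str, dport: int = UPNP_PORT) -> dict:
    """Map each day (YYYY-MM-DD string) to the set of distinct source IPs
    that sent TCP traffic to `dport`. Repeat probes from one IP count once."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed line: skip it rather than abort the whole run
        day, src, _dst, proto, port, _action = fields
        if proto == "tcp" and port.isdigit() and int(port) == dport:
            sources[day].add(src)
    return dict(sources)


def scan_wave_days(log_text: str, min_sources: int = 3) -> list:
    """Days on which at least `min_sources` distinct IPs probed the UPnP port.
    The real campaign used roughly 100,000 sources per cycle; the threshold is
    kept tiny here only so the constructed sample triggers it."""
    per_day = distinct_probe_sources(log_text)
    return sorted(day for day, srcs in per_day.items() if len(srcs) >= min_sources)


if __name__ == "__main__":
    print(scan_wave_days(SAMPLE_LOG))  # ['2018-11-01', '2018-11-04']
```

Comparing the flagged days against the one-to-three-day cycle the researchers observed is a cheap way to tell a recurring campaign from a one-off scan.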

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
