Rapidly Growing Router Botnet Takes Advantage of 5-Year-Old Flaw

A fresh botnet is spreading across the landscape, targeting router equipment. So far, hundreds of thousands of bot endpoints have already been identified, and they’re apparently being marshaled to send out massive amounts of spam.

The botnet first emerged in September, according to 360Netlab, which dubbed it BCMUPnP_Hunter. The name comes from its penchant for infecting routers that have the Broadcom Universal Plug and Play (UPnP) feature enabled. The botnet takes advantage of a known vulnerability in that feature, which was discovered in 2013.

Multilayered Proxy Architecture

BCMUPnP_Hunter is essentially a self-built proxy network, according to researchers, which initially looks like it’s being used to push out spam from web mail sources. The team said that the malware is well-written, and that it “seems that the author has profound skills and is not a typical script kid.”

The firm’s honeypot first detected multiple scan spikes on TCP port 5431; from there, it became clear that the chain of infection relies on multiple proxies.

“The interaction between the botnet and the potential target takes multiple steps: it starts with a TCP port 5431 destination scan, then moves on to check the target’s UDP port 1900 and waits for the target to send the proper vulnerable URL,” the team explained. “After getting the proper URL, it takes another four packet exchanges for the attacker to figure out where the shellcode’s execution start address in memory is, so a right exploit payload can be crafted and fed to the target.”
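The two-stage sequence described above (a TCP/5431 destination scan followed by a UDP/1900 check of the same target) is a behavioral pattern a defender can correlate in flow logs. The following detection script is an added example, not code from 360Netlab or this article; the flow records are constructed, and the field layout, thresholds and time window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not taken from the article): time, src, dst, proto, dport.
# 203.0.113.7 sweeps TCP/5431 on three hosts, then probes UDP/1900 on one of them.
# 192.0.2.50 sends a lone SSDP query (normal on a LAN) and 192.0.2.51 a single 5431 hit.
SAMPLE_FLOWS = """\
2018-11-07T10:00:01 203.0.113.7 198.51.100.10 tcp 5431
2018-11-07T10:00:02 203.0.113.7 198.51.100.11 tcp 5431
2018-11-07T10:00:03 203.0.113.7 198.51.100.12 tcp 5431
2018-11-07T10:00:09 203.0.113.7 198.51.100.11 udp 1900
2018-11-07T10:01:00 192.0.2.50 198.51.100.20 udp 1900
2018-11-07T10:02:00 192.0.2.51 198.51.100.21 tcp 5431
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (timestamp, src, dst, proto, dport)."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, proto, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)))
    return flows


def detect_bcmupnp_hunter(flows, min_targets=3, window=timedelta(minutes=5)):
    """Return {src: [dst, ...]} for sources that scanned TCP/5431 on at least
    min_targets distinct hosts and then probed UDP/1900 on one of those hosts
    within `window` of that host's first 5431 hit. A lone UDP/1900 query is
    ordinary SSDP discovery; it is the correlation with the 5431 sweep that
    matches the staged probing 360Netlab describes. Thresholds are assumptions."""
    tcp_hits = defaultdict(dict)   # src -> {dst: first time 5431 was hit}
    flagged = defaultdict(list)
    for ts, src, dst, proto, dport in sorted(flows):
        if proto == "tcp" and dport == 5431:
            tcp_hits[src].setdefault(dst, ts)
        elif proto == "udp" and dport == 1900:
            seen = tcp_hits.get(src, {})
            first = seen.get(dst)
            if len(seen) >= min_targets and first is not None and ts - first <= window:
                flagged[src].append(dst)
    return dict(flagged)


if __name__ == "__main__":
    for src, targets in detect_bcmupnp_hunter(parse_flows(SAMPLE_FLOWS)).items():
        print(f"suspected BCMUPnP_Hunter scanner {src} -> {', '.join(targets)}")
```

Run over real NetFlow or firewall exports, the same correlation separates the botnet's scan-then-probe behaviour from routine SSDP traffic on the network.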

The botnet sample consists of two parts: the shellcode and a main payload. The latter includes a probe for the Broadcom UPnP vulnerability and a proxy access network module.

On a more granular level, the bot executes a series of commands from the command-and-control (C2) server. First, it scans ports for potential targets; any it finds are reported to a loader, which then completes the subsequent infection process.

For the proxy service, the bot accesses the address provided and reports the access result to the C2.

“This can generate real economic benefits. Attackers can use this command to build a proxy network, and then profit from doing things such as sending spam, simulating clicks, and so on,” researchers said. “The [TCP] proxy currently communicates with well-known mail servers such as Outlook, Hotmail, Yahoo! Mail, etc. … We highly suspect that the attacker’s intention is to send spam.”

The Broadcom UPnP Vulnerability

One notable aspect of the botnet is that it’s leveraging a flaw that’s existed for at least five years.

UPnP is a set of networking protocols that lets disparate devices on the same network – like personal computers, printers, internet gateways, Wi-Fi access points and mobile devices – automatically communicate and share information between each other.

In Broadcom’s chip-level implementation of UPnP, used by hundreds of manufacturers, a remote preauth format string vulnerability exists that can be exploited to write arbitrary values to arbitrary memory addresses, and also to remotely read router memory. According to DefenseCode, which found the flaw, successful exploitation allows an unauthenticated attacker to execute arbitrary code with root privileges. Patches have been made available for most models, but millions of unpatched routers remain in the wild, according to DefenseCode.

Growing Threat

In terms of the size of the infection, the telemetry data released Wednesday showed that the botnet is growing rapidly. It scans for vulnerable routers every one to three days, and 360Netlab counted 3.37 million unique IP addresses for infected devices in total. However, that number likely includes many duplicates: the same devices counted again after their IP addresses changed over time.

In a more realistic tally, the average number of bots the company observed performing the scans is around 100,000 endpoints; but the number of potential infections may be as high as 400,000 according to a Shodan search, researchers said.

A closer look at the scans shows that 116 different types of devices have been infected, including router models from ADB, Broadcom, D-Link, Digicom, Linksys/Cisco, NetComm, UTStarcom, ZyXEL and others.

To protect against botnet infection, users should update their routers to the latest firmware versions.