
Botnet pwns 100,000 routers using ancient security flaw

Researchers have stumbled on another large botnet that’s been quietly hijacking home routers while nobody was paying attention.
This one’s been named BCMUPnP_Hunter by discoverers Qihoo 360 Netlab, which says it’s infected at least 100,000 routers in the US, India and China since September.
The BCM part of that name refers to a security flaw affecting a Broadcom router software interface that was first made public in February 2013 by DefenseCode.
The UPnP, of course, is Universal Plug and Play, a longstanding and widely abused networking protocol designed to make it easy for devices to talk to one another without the need for complicated configuration.
We’ll skip the sermon about turning that off if you don’t need it (it’s not the only risky router interface that deserves this treatment after all), and merely note that Qihoo’s use of ‘Hunter’ at the tail end of this bot’s name is a warning.
BCMUPnP_Hunter feels like a despairing story for at least two reasons; the first being the range of products it affects.
The botnet covers 116 devices, including models from Billion, D-Link, Cisco Linksys (now Belkin), TP-Link, Zyxel, Broadcom itself, and several others.
The second is the age of the vulnerability: even though it was quickly patched by the first vendor affected, Cisco Linksys, years ago, that does not seem to have done much to reduce the number of at-risk routers.
It’s likely not all of the other vendors followed suit, and even when a patch was available, the infection numbers indicate that many router owners never applied it.
DefenseCode made this point in its 2017 follow-up research, but Qihoo 360 Netlab’s Shodan research estimates the number of at-risk routers at 400,000.
BCMUPnP_Hunter finds its prey by scanning for vulnerable UPnP on TCP port 5431, followed by UDP port 1900 used by Broadcom’s implementation.
The exploit is a relatively complicated, multi-stage affair that seems to have been written specially for the job, at the end of which the router is used to proxy traffic to mail systems such as Outlook, Hotmail, and Yahoo. The likely purpose: sending spam.
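The scanning behaviour described above (TCP port 5431, then UDP port 1900) is something a home user or small-network admin can look for on their own gateway. The following is an added example, not code from the article or from Qihoo 360 Netlab: it parses constructed netfilter-style firewall log lines (the sample addresses are RFC 5737 documentation ranges, the WAN interface name `eth0` is an assumption) and flags WAN-side sources that touched the two ports the botnet probes, while ignoring the normal SSDP traffic a LAN device sends to the multicast address.

```python
import re
from collections import defaultdict

# Constructed sample lines in iptables/netfilter syslog style; not taken from any real device.
SAMPLE_LOG = """\
Nov 10 02:14:07 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=41234 DPT=5431 SYN
Nov 10 02:14:09 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=UDP SPT=41235 DPT=1900 LEN=120
Nov 10 02:15:11 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=50001 DPT=5431 SYN
Nov 10 02:16:30 gw kernel: ACCEPT IN=br0 OUT= SRC=192.168.1.50 DST=239.255.255.250 PROTO=UDP SPT=54321 DPT=1900 LEN=98
Nov 10 02:17:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.90 DST=203.0.113.5 PROTO=TCP SPT=33000 DPT=22 SYN
"""

# Pull the interface, source address, protocol and destination port out of one log line.
LINE_RE = re.compile(
    r"IN=(?P<iface>\S*)\s.*?SRC=(?P<src>[\d.]+)\s.*?PROTO=(?P<proto>\w+)\s.*?DPT=(?P<dpt>\d+)"
)

WAN_IFACE = "eth0"  # assumption: name of the internet-facing interface on this gateway
# The two ports the article says BCMUPnP_Hunter scans: Broadcom's UPnP service and SSDP.
UPNP_PORTS = {("TCP", 5431), ("UDP", 1900)}


def parse_line(line):
    """Return a dict with iface/src/proto/dpt, or None if the line is not a firewall record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "iface": m.group("iface"),
        "src": m.group("src"),
        "proto": m.group("proto").upper(),
        "dpt": int(m.group("dpt")),
    }


def find_upnp_probes(log_text, wan_iface=WAN_IFACE):
    """Map each WAN-side source address to the set of UPnP ports it touched."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["iface"] != wan_iface:
            continue  # LAN-side SSDP discovery (e.g. arriving on br0) is expected and ignored
        key = (rec["proto"], rec["dpt"])
        if key in UPNP_PORTS:
            hits[rec["src"]].add(key)
    return dict(hits)


def classify(hits):
    """Sources that hit both ports match the two-step scan pattern; others are single-port probes."""
    scan = sorted(src for src, ports in hits.items() if ports == UPNP_PORTS)
    single = sorted(src for src, ports in hits.items() if ports != UPNP_PORTS)
    return {"scan_pattern": scan, "single_port_probe": single}


if __name__ == "__main__":
    result = classify(find_upnp_probes(SAMPLE_LOG))
    for label, sources in result.items():
        print(f"{label}: {', '.join(sources) or '(none)'}")
```

Seeing these probes in your own logs does not by itself mean the router is infected; it means the internet is knocking on a door that should not be open on the WAN side, which is the point of disabling UPnP on the WAN interface in the first place.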

Botnet hell

Botnets are a way to steal someone else’s computing resources and distribute traffic across lots of ISP networks in a way that makes its activity harder to shut down than if it were coming out of a small group of servers.
Botnets could aim at other types of computer, but routers have properties that tick important boxes:

  • There are lots of them
  • They are always connected
  • They have lots of security vulnerabilities
  • Many owners pay them little heed
  • Many are never patched.

It’s why router compromises have been a running theme on Naked Security for years and still keep coming.
This includes last summer’s VPNFilter botnet affecting dozens of vendors and half a million devices.
Or US-CERT’s warning that a Russian group called Grizzly Steppe was going after a range of network devices, including higher-end routers.
As for older routers that might never be patched, a sequence of problems with D-Link models underscores this theme.

What to do

Whether or not you own a router likely to be targeted by this threat, making sure your home router has been updated recently should be a priority.
If it hasn’t been, look for an update on the vendor’s support page. If an update isn’t available, consider buying a new router from a vendor with a track record of updating its firmware on a regular basis, ideally every couple of months.
You can tell which vendors are good at that by visiting their support page and counting the number of recent updates for popular products.
In the past, these would have been few and far between but these days the best vendors take this issue seriously.
When you unbox your router, be sure to disable every interface you don’t plan to use, starting with UPnP before moving on to WPS, WAN web access, DMZ, port triggers/forwarding, and FTP.
Naturally, make sure you change the router’s default username and password, and the WPA2 Wi-Fi password, to something stronger.
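The advice above amounts to a checklist, and it is easy to turn into an audit that reports which items are still outstanding. The example below is added here and is not code from the article or from any router vendor: the settings export format is a constructed, hypothetical dictionary (real routers export configuration in vendor-specific formats), the default-credential list and the 180-day firmware-age threshold are assumptions, and the reference date is set by the caller. It runs the same audit over a weak configuration and a hardened one so the difference is visible.

```python
from datetime import date

# Constructed list of factory credential pairs to compare against; an assumption, not a vendor list.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")}
MAX_FIRMWARE_AGE_DAYS = 180  # assumption: "updated every couple of months" with some slack
MIN_PSK_LENGTH = 12          # assumption: minimum acceptable WPA2 passphrase length

# Constructed settings export in a hypothetical format: the article's "as unboxed" state.
WEAK_CONFIG = {
    "admin_user": "admin",
    "admin_password": "admin",
    "wifi_psk": "password1",
    "upnp": True,
    "wps": True,
    "wan_web_access": True,
    "dmz_host": "192.168.1.100",
    "port_forwards": [{"proto": "TCP", "port": 21, "to": "192.168.1.100"}],
    "ftp": True,
    "firmware_date": "2015-03-02",
}

# The same device after following the article's checklist (constructed values).
HARDENED_CONFIG = {
    "admin_user": "homeadmin",
    "admin_password": "correct-horse-battery-staple-42",
    "wifi_psk": "orbit-velvet-canyon-9183",
    "upnp": False,
    "wps": False,
    "wan_web_access": False,
    "dmz_host": None,
    "port_forwards": [],
    "ftp": False,
    "firmware_date": "2018-10-15",
}

# Interfaces the article says to disable unless you actually need them.
RISKY_SERVICES = ("upnp", "wps", "wan_web_access", "ftp")


def audit(config, as_of):
    """Return a list of (setting, message) findings; an empty list means every item passes."""
    findings = []
    if (config["admin_user"], config["admin_password"]) in DEFAULT_CREDENTIALS:
        findings.append(("admin_password", "router still uses a default username/password"))
    if len(config["wifi_psk"]) < MIN_PSK_LENGTH:
        findings.append(("wifi_psk", f"WPA2 passphrase shorter than {MIN_PSK_LENGTH} characters"))
    for name in RISKY_SERVICES:
        if config.get(name):
            findings.append((name, f"{name} is enabled; disable it unless you rely on it"))
    if config.get("dmz_host"):
        findings.append(("dmz_host", f"DMZ exposes {config['dmz_host']} to the internet"))
    if config.get("port_forwards"):
        findings.append(("port_forwards", f"{len(config['port_forwards'])} port forward(s) configured"))
    firmware_age = (as_of - date.fromisoformat(config["firmware_date"])).days
    if firmware_age > MAX_FIRMWARE_AGE_DAYS:
        findings.append(("firmware_date", f"firmware is {firmware_age} days old; check the vendor support page"))
    return findings


if __name__ == "__main__":
    today = date(2018, 11, 12)  # assumed reference date for the example
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for setting, message in audit(cfg, today) or [("-", "no findings")]:
            print(f"  {setting}: {message}")
```

The firmware-age check is the one item that needs to be re-run periodically rather than once at unboxing: a configuration that passed in October is the same configuration that fails silently six months later if the vendor has stopped shipping updates.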

4 Comments

Thanks for sharing this important security information. Does the ISP-leased router need to be updated also? Do I need to check with Comcast regarding my home router?

On your list of important boxes: I would change that last one from “Many are never patched” to “MOST are never patched.”


In October 2014 I did a code review of the five year old router I had at home, a Belkin F7D4301 and quickly found code that meant it was indefensible. The last update that Belkin had provided at that point for that router was three years old. So I created an account on their on-line support forum and posted the problem I had identified and asked if they would provide an update. They quickly deleted my post AND the account that I used to submit it without ever sending me an email. I bought a new router a month later and immediately started watching network logs. I was able to identify several other IPs that were in the botnet that my old router had been in that were trying to talk to their old friend.
The moral of the story is that you simply have to buy a new router every three years or so if you don’t want your router to be part of a botnet. Manufacturers stop providing updates long before these devices stop functioning.
