A 100,000-router botnet is feeding on a 5-year-old UPnP bug in Broadcom chips

[nir]

At least 116 different router models are infected by unusually well-written malware.

 

A recently discovered botnet has taken control of an eye-popping 100,000 home and small-office routers made from a range of manufacturers, mainly by exploiting a critical vulnerability that has remained unaddressed on infected devices more than five years after it came to light.

 

Researchers from Netlab 360, who reported the mass infection late last week, have dubbed the botnet BCMUPnP_Hunter. The name is a reference to a buggy implementation of the Universal Plug and Play protocol built into Broadcom chipsets used in vulnerable devices. An advisory released in January 2013 warned that the critical flaw affected routers from a raft of manufacturers, including Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, and US Robotics. The finding from Netlab 360 suggests that many vulnerable devices were allowed to run without ever being patched or locked down through other means.

 

Last week's report documents 116 different types of devices that make up the botnet from a diverse group of manufacturers. Once under the attackers' control, the routers connect to a variety of well-known email services. This is a strong indication that the infected devices are being used to send spam or other types of malicious mail.

Universal Plug and Play

UPnP is designed to make it easy for computers, printers, phones, and other devices to connect to local networks using code that lets them automatically discover each other. The protocol often eliminates the hassle of figuring out how to configure devices the first time they're connected. But UPnP, as researchers have warned for years, often opens up serious holes inside the networks that use it. In some cases, UPnP bugs cause devices to respond to discovery requests sent from outside the network. Hackers can exploit the weakness in a way that allows them to take control of the devices. UPnP weaknesses can also allow hackers to bypass firewall protections.

 

According to Netlab 360, the code that infects devices with BCMUPnP_Hunter requires a variety of steps that made tracking its progress a challenge. As last week's post explained:

The interaction between the botnet and the potential target takes multiple steps; it starts with tcp port 5431 destination scan, then moving on to check target's UDP port 1900 and wait[ing] for the target to send the proper vulnerable URL. After getting the proper URL, it takes another 4 packet exchanges for the attacker to figure out where the shellcode's execution start address in memory is so a right exploit payload can be crafted and fed to the target.

 

At the beginning we were not able to capture a valid sample, as the honeypot needs to be able to simulate the above scenarios. We had to tweak and customize our honeypot quite a few times, then finally in October, we got it right and successfully tricked the botnet to send us the sample (we call it BCMUPnP_Hunter).

 

Enlarge / BCMUPnP_Hunter Infection process.

Netlab 360

Once infected, devices proxy traffic to more than a dozen well-known mail services, including Outlook, Hotmail, and Yahoo Mail. The developer of the shellcode used in the first stage of the infection process "has profound skills and is not a typical script kid," the post said.

 

The main sample that's downloaded by the shellcode includes a Broadcom UPnP vulnerability probe and a proxy access network module so infected devices can parse instruction codes sent from command servers.

 

People who use any of the 116 models listed by Netlab 360 should immediately check to see if a patch is available. In the event no fix is available, the vulnerable device should be replaced. People using any make of router should strongly consider disabling UPnP unless there is a strong benefit to having it enabled and users are willing to take responsibility for the increased attack surface it creates. It's not clear how routers infected with BCMUPnP_Hunter can be disinfected. Usually, simply rebooting a compromised router is enough. This post will be updated if we get more clarity on this matter.

 

Source