UPnP-Exploiting Botnet Infecting 100,000+ Home Routers and Still Counting

Security experts for a long time have warned users to turn-off UPnP (Universal Plug and Play) on their home modem/routers, to close the security vulnerability inherent in the UPnP protocol. However, UPnP is turned-on by default on all consumer routers is the longtime trend, and it is not expected for a reversal of policies anytime soon. Because of what? The correct term is Convenience.

With UPnP turned-on, game consoles like Xbox and the Playstation automatically connect itself to their respective motherships (Microsoft and Sony servers, respectively) without the user doing any manual configuration such as IP port forwarding. However, this kind of convenience has a huge setback; this also makes the job of a cybercriminal easier.

In a not surprising blog, it turns out that NetLab has discovered that a botnet currently referred to by NetLab as “BCMUPnP_Hunter” has been expanding itself rapidly, making vulnerable home routers with UPnP enabled as zombie machines for sending spam emails.

“Since September 2018, 360Netlab Scanmon has detected multiple scan spikes on TCP port 5431, each time the system logged more than 100k scan sources, a pretty large number compared with most other botnets we have covered before. The interaction between the botnet and the potential target takes multiple steps, it starts with tcp port 5431 destination scan, then moving on to check target’s UDP port 1900 and wait for the target to send the proper vulnerable URL. The target of infection is mainly router equipment with BroadCom UPnP feature enabled,” explained Hui Wang and RootKiter, the co-authors of a NetLab blog entry.

At the time of this writing, NetLab estimates that the botnet is composed of 100,000 zombie routers and continue to grow as the Broadcom wifi chip is very widespread across many wireless routers in the market and in the wild. All home router manufacturers turn-on UPnP by default, first to make their customers happy, lessening any possible support calls and also enable quick installation of 3rd party devices such as consoles as mentioned above.

NetLab has detected at least 3.37 million public IPs scanned by the botnet looking for a broadcom-based router.
The scan covers almost the whole world except Japan, Mongolia, Greenland, Papua New Guinea and central parts of Africa.

“0x01010101 to enable the port scan task, once the BOT IDs a potential target, the target IP will be reported to the Loader, and then the Loader will complete the subsequent infection process. 0x03030303 is for the proxy service, BOT accesses the address provided in the instruction and reports the access result to the C2. This can generate real economic benefits. Attackers can use this command to build a proxy network, and then profit from doing things such as sending spam, simulating clicks, and so on,” continued Wang and RootKiter.

It is highly recommended entering the router page’s administrative settings to disable UPnP, it is often done by visiting 192.168.0.1 or 192.168.1.1 and using the default admin password. Navigate to the router settings page, and uncheck the use of UPnP. XBox and Playstation consoles have documented instruction how to enable manual port forwarding in order for them to still work in a network with a disabled UPnP router.