NetLab360 discovers a new 100k botnet that is targeting router equipment worldwide: it’s dubbed BCMUPnP_Hunter
A new 100k botnet is targeting router equipment worldwide: it’s dubbed BCMUPnP_Hunter. It was discovered by NetLab 360 cyber security experts, who named it after its penchant for infecting routers that have the BroadCom Universal Plug and Play (UPnP) feature enabled. It takes advantage of a known vulnerability in that feature, which was discovered in 2013. So far, hundreds of thousands of bot endpoints have already been identified, and they are apparently being marshaled to send out massive amounts of spam. The botnet first emerged in September. It is essentially a self-built proxy network, according to the researchers, which initially appears to be used to push out spam through web mail services. The team said that the malware is well-written, and that it “seems that the author has profound skills and is not a typical script kid.”
How the botnet’s chain of infection works to spread spam
“The interaction between the botnet and the potential target takes multiple steps; it starts with a TCP port 5431 destination scan, then moves on to check the target’s UDP port 1900 and waits for the target to send the proper vulnerable URL,” explained NetLab 360. After getting it, “it takes another 4 packet exchanges for the attacker to figure out where the shellcode’s execution start address in memory is, so a right exploit payload can be crafted and fed to the target”. The BCMUPnP_Hunter botnet has the following characteristics: the scale of infection is very large, with roughly 100,000 active scanning IP addresses in each scan event; the targets are mainly router devices with the BroadCom UPnP feature enabled; and the proxy communicates with mail servers such as Outlook, Hotmail, Yahoo! Mail, etc. “We highly suspect,” the cyber security experts underline, “that the attacker’s intention is to send spam.”
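The two-step probe described above (a TCP/5431 scan followed by an SSDP check on UDP/1900 of the same host) is a useful hunting signature for network defenders. The following is an added example, not NetLab 360’s code, that flags that sequence in flow records; the log format and addresses are constructed for the illustration, and the five-minute correlation window is an assumption.

```python
"""Flag source/destination pairs showing the BCMUPnP_Hunter probe sequence.

A hit is a source that probes TCP/5431 on a host and then sends UDP/1900
(SSDP) to the same host within WINDOW.  Constructed flow-log format:
"<ISO timestamp> <src> <dst> <proto> <dport>".
"""
from datetime import datetime, timedelta

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """\
2018-11-07T10:00:01 198.51.100.7 203.0.113.10 tcp 5431
2018-11-07T10:00:02 198.51.100.7 203.0.113.10 udp 1900
2018-11-07T10:00:03 198.51.100.8 203.0.113.10 tcp 443
2018-11-07T10:00:05 198.51.100.9 203.0.113.11 udp 1900
2018-11-07T10:10:00 198.51.100.7 203.0.113.12 tcp 5431
2018-11-07T10:30:00 198.51.100.7 203.0.113.12 udp 1900
"""

# Assumed correlation window between the TCP probe and the SSDP check.
WINDOW = timedelta(minutes=5)


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)))
    return flows


def find_bcmupnp_hunter_scans(flows, window=WINDOW):
    """Return (src, dst) pairs where src hit TCP/5431 then UDP/1900 within window."""
    last_tcp_probe = {}  # (src, dst) -> time of the most recent TCP/5431 probe
    hits = []
    for ts, src, dst, proto, dport in sorted(flows):
        key = (src, dst)
        if proto == "tcp" and dport == 5431:
            last_tcp_probe[key] = ts
        elif proto == "udp" and dport == 1900 and key in last_tcp_probe:
            if ts - last_tcp_probe[key] <= window:
                hits.append(key)
            del last_tcp_probe[key]  # a lone SSDP packet without a recent probe is benign
    return hits


if __name__ == "__main__":
    for src, dst in find_bcmupnp_hunter_scans(parse_flows(SAMPLE_FLOWS)):
        print(f"possible BCMUPnP_Hunter probe: {src} -> {dst}")
```

Only the first pair is reported: the SSDP packet from 198.51.100.9 has no preceding TCP/5431 probe, and the second probe from 198.51.100.7 is followed by SSDP twenty minutes later, outside the window.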