The malware exploits a vulnerability in UPnP-enabled devices
Security researchers at Netlab 360 reported on Wednesday that they had detected a large, sophisticated botnet: roughly 100,000 distinct sources were logged scanning TCP port 5431 and probing UDP port 1900. The malware, dubbed BCMUPnP_Hunter, spreads by abusing a five-year-old vulnerability in Broadcom's UPnP (Universal Plug and Play) SDK.
The flaw was discovered in 2013 by DefenseCode researchers and is well known in the security community. The affected UPnP SDK shipped in millions of routers from different vendors around the world, including Linksys, D-Link, TP-Link, ZTE and NetComm; Netlab 360 lists 116 affected models.
The botnet builds its own proxy network, which actively connects to popular email providers such as Outlook, Yahoo! and Hotmail. The researchers suspect these connections are used to send spam.
Infected devices are found all over the world, but the most affected countries are India (147.7k), the USA (22.3k) and China (19.2k), counted by unique IP addresses. Netlab 360 also warned that the number of infections could reach 400,000 in the near future.
The operation of BCMUPnP_Hunter
The infection process is multi-stage and fairly involved, as Hui Wang and RootKiter of Netlab 360 explain:
The interaction between the botnet and the potential target takes multiple steps, it starts with tcp port 5431 destination scan, then moving on to check target’s UDP port 1900 and wait for the target to send the proper vulnerable URL. After getting the proper URL, it takes another 4 packet exchanges for the attacker to figure out where the shellcode's execution start address in memory is so the right exploit payload can be crafted and fed to the target.
Once the scanner finds a device with a Broadcom chipset and UPnP enabled, the malware reports it to the attacker-controlled C2 server at 109[.]248[.]9[.]17:8738, which exploits the bug and infects the gateway. The exploit first probes the router to learn the memory layout of the running system and then takes control of it using the data it gathered.
After that, BCMUPnP_Hunter connects over TCP port 25 to 14 different IP addresses belonging to the email providers mentioned above.
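The three observable stages described above (a TCP/5431 sweep, a follow-up UDP/1900 probe of the hosts that answered, and the compromised router later fanning out to mail servers on TCP/25) can be correlated from flow records. The following is an added example written for this article, not code from Netlab 360 or from the malware; the flow tuple format, the thresholds and every IP address in it are constructed for illustration, and the mail-server and scanner addresses are documentation ranges, not the real C2 or SMTP hosts.

```python
from collections import defaultdict

# Constructed sample flow records (ts, src, dst, proto, dst_port); not real traffic.
# Scanner, router and mail-server addresses are hypothetical documentation ranges.
def build_sample_flows():
    flows = []

    def add(src, dst, proto, dport):
        flows.append((1000 + len(flows), src, dst, proto, dport))  # one record per second

    scanner = "198.51.100.7"
    for i in range(1, 26):                     # TCP/5431 sweep across a /24
        add(scanner, f"10.0.0.{i}", "tcp", 5431)
    add(scanner, "10.0.0.9", "udp", 1900)      # SSDP probe of the one host that answered
    for i in range(4):                         # the exploited router later fans out over SMTP
        add("10.0.0.9", f"203.0.113.{10 + i}", "tcp", 25)
    add("10.0.0.5", "239.255.255.250", "udp", 1900)   # benign multicast SSDP discovery
    add("10.0.0.5", "203.0.113.10", "tcp", 25)        # a single legitimate mail session
    add("10.0.0.5", "10.0.0.1", "tcp", 443)
    return flows


def find_scan_sources(flows, port=5431, min_targets=10):
    """Sources that touched TCP/<port> on at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for _, src, dst, proto, dport in flows:
        if proto == "tcp" and dport == port:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_probe_chains(flows, window=600):
    """(src, dst) pairs where a TCP/5431 contact is followed within `window`
    seconds by a UDP/1900 probe from the same source to the same target."""
    first_5431, chains = {}, set()
    for ts, src, dst, proto, dport in sorted(flows):
        key = (src, dst)
        if proto == "tcp" and dport == 5431:
            first_5431.setdefault(key, ts)
        elif (proto == "udp" and dport == 1900 and key in first_5431
              and ts - first_5431[key] <= window):
            chains.add(key)
    return chains


def find_smtp_fanout(flows, min_servers=3):
    """Sources opening TCP/25 to many distinct servers; a router doing this is suspect."""
    servers = defaultdict(set)
    for _, src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 25:
            servers[src].add(dst)
    return {src for src, dsts in servers.items() if len(dsts) >= min_servers}


def triage(flows):
    """Combine the three signals; 'confirmed' = probed after a sweep AND later relaying SMTP."""
    scanners = find_scan_sources(flows)
    probed = {dst for src, dst in find_probe_chains(flows) if src in scanners}
    relays = find_smtp_fanout(flows)
    return {"scan_sources": scanners, "probed_targets": probed,
            "smtp_fanout": relays, "confirmed": probed & relays}


if __name__ == "__main__":
    for name, hosts in triage(build_sample_flows()).items():
        print(f"{name}: {sorted(hosts)}")
```

The 5431-then-1900 chain is what separates this campaign's probing from ordinary SSDP discovery, which is multicast and never preceded by a TCP/5431 contact; the SMTP fan-out is the post-infection signal an ISP or a network with egress visibility would see. A home network behind the router will not see the inbound sweep at all, so the outbound TCP/25 connections from the gateway itself are the signal available there.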
Malware uses an old vulnerability – still proves effective
According to the report, BCMUPnP_Hunter is the work of skilled developers rather than amateurs:
The shellcode has a full length of 432 bytes, very neatly organized and written, some proofs below (We did not find similar code using search engines). It seems that the author has profound skills and is not a typical script kid:
- Code basics: the code has multiple syscalls for networks, processes, files, etc.
- Some details: syscall 0x40404 (instead of syscall 0) and multiple inversion operations were used so bad characters (\x00) could be avoided; the stack variables in the code also have different degrees of multiplexing to optimize the runtime stack structure;
- Code logic: by calling the Loop at various sections, the possibility of many failed calls is reasonably avoided, and the validity of shellcode execution is guaranteed.
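The two tricks the researchers call out, a non-zero syscall code and inversion to avoid null bytes, come from the way MIPS encodes instructions. The following added example (written for this article; it is not the malware's shellcode, nor Netlab 360's code) assumes the target is a big-endian MIPS32 SoC, which the page does not state but is typical for Broadcom routers. It encodes SYSCALL, ADDIU and NOR by hand, shows why `syscall 0` contains null bytes while `syscall 0x40404` does not, and builds a small constant-loading routine that falls back to loading the complement and inverting it with NOR when the direct encoding would contain a bad byte. The register numbers, the helper names and the bad-character set are this example's own choices.

```python
BAD = {0x00}          # bad characters to keep out of the payload (assumed: NUL only)
ZERO, T0 = 0, 8       # MIPS register numbers $zero and $t0


def syscall(code=0):
    """MIPS32 SYSCALL: opcode 000000 | 20-bit code | funct 001100 (0x0C)."""
    return ((code & 0xFFFFF) << 6) | 0x0C


def addiu(rt, rs, imm16):
    """ADDIU rt, rs, imm16 (opcode 001001); imm16 is sign-extended by the CPU."""
    return (0x09 << 26) | (rs << 21) | (rt << 16) | (imm16 & 0xFFFF)


def nor(rd, rs, rt):
    """NOR rd, rs, rt (SPECIAL, funct 100111); nor rd,rd,rd is a bitwise NOT."""
    return (rs << 21) | (rt << 16) | (rd << 11) | 0x27


def to_bytes(insns):
    return b"".join(i.to_bytes(4, "big") for i in insns)


def bad_bytes(insns, bad=BAD):
    """Every byte of the serialized instructions that is in the bad set."""
    return [b for b in to_bytes(insns) if b in bad]


def load_imm(rt, value):
    """Put a 32-bit value into $rt without bad bytes: try a single ADDIU from $zero,
    else ADDIU with the complement followed by NOR rt,rt,rt. Returns None when the
    value needs a LUI/ORI pair (out of scope for this example)."""
    value &= 0xFFFFFFFF
    for invert in (False, True):
        v = (~value & 0xFFFFFFFF) if invert else value
        signed = v - (1 << 32) if v & 0x80000000 else v
        if not -0x8000 <= signed <= 0x7FFF:
            continue                      # not reachable with one sign-extended ADDIU
        seq = [addiu(rt, ZERO, v & 0xFFFF)]
        if invert:
            seq.append(nor(rt, rt, rt))   # undo the complement in-register
        if not bad_bytes(seq):
            return seq
    return None


def run(seq):
    """Tiny interpreter for the two instruction kinds emitted above; returns the register file."""
    regs = [0] * 32
    for insn in seq:
        op, rs, rt = insn >> 26, (insn >> 21) & 31, (insn >> 16) & 31
        if op == 0x09:
            imm = insn & 0xFFFF
            imm = imm - 0x10000 if imm & 0x8000 else imm
            regs[rt] = (regs[rs] + imm) & 0xFFFFFFFF
        elif op == 0 and (insn & 0x3F) == 0x27:
            regs[(insn >> 11) & 31] = ~(regs[rs] | regs[rt]) & 0xFFFFFFFF
        else:
            raise ValueError(f"unsupported instruction {insn:#010x}")
    return regs


if __name__ == "__main__":
    for code in (0, 0x40404):
        word = syscall(code)
        print(f"syscall {code:#x} -> {word:#010x}, bad bytes: {len(bad_bytes([word]))}")
    for value in (1, 0x7FF, 0xFFFFFFFF, 0x12345678):
        seq = load_imm(T0, value)
        shown = [f"{i:#010x}" for i in seq] if seq else None
        print(f"load {value:#x} -> {shown}")
```

`syscall 0` encodes to the word 0x0000000C, three null bytes, while `syscall 0x40404` encodes to 0x0101010C with none; the kernel ignores the code field, so any value that keeps the bytes clean works. Loading the constant 1 directly (`addiu $t0,$zero,1` = 0x24080001) also contains a null, which is why the routine emits `addiu $t0,$zero,-2` followed by `nor $t0,$t0,$t0` instead: two instructions, no bad bytes, same register value.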
This is not the first time IoT vulnerabilities have been used to turn devices into spam-spewing proxy servers. And although the vulnerability exploited here is five years old, the campaign shows once again that many devices remain exposed long after patches are released.
To avoid infection, update your IoT devices with the latest firmware from the vendor. Disabling UPnP, or at least making sure the UPnP service on TCP port 5431 is not reachable from the internet, also protects against BCMUPnP_Hunter-style infections.