A hacker managed to exploit a five-year-old vulnerability in home routers to create a botnet affecting approximately 100,000 home routers. The botnet was initially discovered in September by researchers from the Netlab team at Qihoo 360, a Chinese internet security company, and it’s likely that the hacker is leveraging this network of compromised routers to send spam emails.
The botnet was built on a 2013 vulnerability on Broadcom’s UPnP SDK. This SDK, which is used on numerous routers, allows an attacker to conduct a remote attack and execute malicious code without requiring any authentication. “It’s the worse kind of vulnerability that exists in the world of Internet-connected devices,” ZDNet reported.
Though this latest botnet, which is known as BCMUPnP_Hunter, isn’t the first to exploit this vulnerability, it is the first to use what appears to be new source code to infect routers. Most Internet of Things botnets today use code that has been leaked online to carry out their attacks, but researchers claim that they have not seen similar code to that used on BCMUPnP_Hunter, suggesting that the hacker is authoring new code for the attack. Prior to BCMUPnP_Hunter, a widely reported Russian malware had infected routers worldwide, prompting the FBI to issue a warning to consumers to reset their routers.
In carrying out the attack, Netlab security researcher Hui Wang said in a blog post that the bot “has to go through multiple steps to infect a potential target.”
A proxy is able to communicate with popular mail servers, such as Outlook, Hotmail, and Yahoo! Mail. Because of this, Wang’s team believes that the attacker is using the botnet to send out spam. Additionally, the number of affected routers has steadily grown in the past few months, with a potential to infect 400,000 routers. “Altogether,we have 3.37 million unique scan source IPs,” Wang said. “It is a big number, but it is likely that the IPs of the same infected devices just changed over time.”
BCMUPnP_Hunter affects routers worldwide with Broadcom’s UPnP feature enabled, but India, China, and the U.S. are among the largest targets. A fix hasn’t been reported yet to combat this latest botnet infection.