Slashdot Mirror


A 100,000-Router Botnet Is Feeding On a 5-Year-Old UPnP Bug In Broadcom Chips (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: A recently discovered botnet has taken control of an eye-popping 100,000 home and small-office routers made from a range of manufacturers, mainly by exploiting a critical vulnerability that has remained unaddressed on infected devices more than five years after it came to light. Researchers from Netlab 360, who reported the mass infection late last week, have dubbed the botnet BCMUPnP_Hunter. The name is a reference to a buggy implementation of the Universal Plug and Play protocol built into Broadcom chipsets used in vulnerable devices. An advisory released in January 2013 warned that the critical flaw affected routers from a raft of manufacturers, including Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, and US Robotics. The finding from Netlab 360 suggests that many vulnerable devices were allowed to run without ever being patched or locked down through other means. Last week's report documents 116 different types of devices that make up the botnet from a diverse group of manufacturers. Once under the attackers' control, the routers connect to a variety of well-known email services. This is a strong indication that the infected devices are being used to send spam or other types of malicious mail.

1 of 39 comments

  1. Re:Is mine one of them? by ledow · Score: 5, Insightful

    A) Do you have UPnP enabled?
    B) If yes, turn it off.

    UPnP is an *UTTERLY UNNECESSARY* service (speaking as an IT Manager, gamer, and someone who hosts gaming servers etc.), that when exposed to the Internet allows ANY local device to forward ANY network port to ANY IP/port combination with NO authentication whatsoever.

    Even privileged ports and local ports.

    I can literally redirect your port 139 (e.g. CIFS/SMB) to a host on the Internet if I wanted, or open command/control ports and punch holes through your firewall wherever I want.

    All this is, is a UPnP flaw that allows you to do the same remotely, but literally any device on your local network can already do it without any logs, authentication, or notification that they are doing so (e.g. your ChromeCast / laptop / Amazon Echo / Nest doorbell could be opening up your telnet port and sending it to themselves once every hour, and you'd pretty much never know anything about it).

    Turn it off. Watch how nothing changes and all your systems still work as intended.

    And, if you absolutely, 100% must host servers on your own connection (not just "play games" but literally host servers with no matchmaking servers present) then you add a single port-forward yourself and job-done.

    P.S. No, this does not affect local device discovery, etc. so your Chromecast etc. will still work perfectly fine on your home network anyway.

    Case in point: I've never had UPnP turned on on anything, I have 1000 Steam games that play just fine, plus ChromeCasts and all kinds of kit. Not a single problem.
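The comment's point is that an IGD router keeps a port-mapping table that any LAN device can add to silently. The script below is an added example (not from the post, Netlab 360 or Ars Technica) that audits that table the way an admin would before deciding to disable UPnP: it builds the standard `GetGenericPortMappingEntry` SOAP request, parses the reply, and flags forwards onto ports such as 139/SMB. It assumes you already have the router's WANIPConnection control URL (taken from its device description XML); the sample response is constructed.

```python
"""Audit what a UPnP IGD router has already forwarded (added example, not from the post)."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass

IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Internal ports that should never be reachable from the Internet (the comment's SMB example and friends).
NEVER_EXPOSE = {22, 23, 139, 445, 3389}

@dataclass
class PortMapping:
    ext_port: int
    proto: str
    int_client: str
    int_port: int
    desc: str

def build_get_mapping_request(index: int) -> bytes:
    """SOAP envelope for the standard IGD action GetGenericPortMappingEntry (read-only)."""
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{IGD_SERVICE}">'
            f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
            "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>").encode()

def parse_mapping_response(xml_text: str) -> PortMapping:
    """Pull one mapping out of a GetGenericPortMappingEntryResponse body (namespace-agnostic)."""
    fields = {el.tag.split("}")[-1]: (el.text or "").strip() for el in ET.fromstring(xml_text).iter()}
    return PortMapping(int(fields["NewExternalPort"]), fields["NewProtocol"], fields["NewInternalClient"],
                       int(fields["NewInternalPort"]), fields["NewPortMappingDescription"])

def is_risky(m: PortMapping) -> bool:
    """True when the forward lands on a service that has no business being Internet-facing."""
    return m.int_port in NEVER_EXPOSE

def list_mappings(control_url: str) -> list:
    """Walk the mapping table by index; the router answers with a SOAP fault (HTTP 500) past the end."""
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{IGD_SERVICE}#GetGenericPortMappingEntry"'}
    found = []
    for i in range(1000):  # control_url is assumed, e.g. http://192.168.1.1:5000/ctl/IPConn
        req = urllib.request.Request(control_url, data=build_get_mapping_request(i), headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                found.append(parse_mapping_response(resp.read().decode()))
        except urllib.error.HTTPError:
            break
    return found

# Constructed sample: a LAN device forwarded external 60139/tcp straight to its own SMB port.
SAMPLE_RESPONSE = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    f'<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_SERVICE}"><NewRemoteHost></NewRemoteHost>'
    "<NewExternalPort>60139</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>139</NewInternalPort>"
    "<NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled>"
    "<NewPortMappingDescription>smart-speaker</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>"
    "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")
```

Run `[m for m in list_mappings(control_url) if is_risky(m)]` against your own router to see which devices have punched the holes the comment describes; an empty table after disabling UPnP confirms the mitigation took effect.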