
A new botnet has infected approximately 100,000 routers, connecting them to webmail services and probably using them to send large-scale email spam campaigns. The botnet has grown quietly over the past two months, ZDNet reports.

The botnet was discovered in September by the Netlab team at Qihoo 360. It spreads by exploiting a known, five-year-old vulnerability. The vulnerability was discovered by DefenseCode security researchers in 2013 and resides in the Broadcom UPnP SDK, a piece of software that is included in thousands of router models from various manufacturers.

The vulnerability allows a remote attacker to execute malicious code on a vulnerable router without authentication. Several botnets have abused it in the past. Netlab has nicknamed the new botnet BCMUPnP_Hunter.

100,000 infected routers

The Chinese researchers say they have seen botnet scans originating from 3.37 million IP addresses in the last two months, but the number of daily active devices is often around 100,000. The victims are all over the world, but most of the infected routers are in India, China and the United States.

The botnet also differs from most active IoT botnets. Most of those use source code that has been leaked online; the new botnet does not. “We didn’t find a comparable code through search engines,” says Hui Wang, one of the two Netlab researchers who analysed the source of the botnet. “It seems that the creator has good skills and is not a typical script kid.”

According to Hui, all IP addresses that the botnet has connected to belong to webmail services such as Yahoo, Outlook and Hotmail. All connections were made via TCP port 25, which assures the researchers that the botnet's operators are secretly sending out waves of spam from behind the infected routers.
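
The TCP port 25 behaviour described above can be looked for in a network's own flow logs. The following is an added example, not code from Netlab or from the original article: it flags hosts that are not known mail servers but open TCP/25 connections to several distinct destinations. The CSV layout, the allowlist, the threshold and the sample records are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (documentation addresses, not real traffic).
SAMPLE_FLOWS = """src,dst,proto,dport
192.0.2.10,198.51.100.25,tcp,25
192.0.2.10,198.51.100.26,tcp,25
192.0.2.10,203.0.113.7,tcp,25
192.0.2.10,203.0.113.7,tcp,25
192.0.2.20,198.51.100.25,tcp,443
192.0.2.30,198.51.100.25,tcp,25
192.0.2.40,203.0.113.9,tcp,25
192.0.2.40,203.0.113.9,udp,25
"""

# Assumption: hosts that are expected to send mail directly.
MAIL_SERVERS = {"192.0.2.30"}


def smtp_fanout(flow_csv, allowed=MAIL_SERVERS, min_destinations=3):
    """Return {src: sorted destinations} for hosts outside the allowlist that
    opened TCP/25 connections to at least min_destinations distinct hosts."""
    dests = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = row.get("src"), row.get("dst")
        try:
            port = int(row.get("dport"))
        except (TypeError, ValueError):
            continue  # skip malformed records instead of aborting the run
        if not src or not dst:
            continue
        if (row.get("proto") or "").lower() != "tcp" or port != 25:
            continue
        if src in allowed:
            continue  # legitimate mail servers are expected to use port 25
        dests[src].add(dst)
    return {s: sorted(d) for s, d in dests.items() if len(d) >= min_destinations}


if __name__ == "__main__":
    for src, d in smtp_fanout(SAMPLE_FLOWS).items():
        print(f"{src}: TCP/25 to {len(d)} distinct hosts: {', '.join(d)}")
```

Blocking outbound TCP port 25 from everything except designated mail servers removes the spam channel entirely; the check above is for networks where that rule is not yet in place.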

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.