360Netlab notes that this is the highest activity compared to other previously studied botnets.
The interaction between the botnet and the victim took place in several stages (see figure below). First, TCP port 5431 was scanned. Then UDP port 1900 was probed: a specific byte sequence was sent to it, and the scanner waited for the device to answer with a URL pointing at the vulnerable service. Once that URL was received, four more sessions with the device followed to determine the entry point for running shellcode in the device's memory. As a result, the device was turned into a bot that carried out the tasks of the primary botnet.
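The two-stage probe described above (a TCP/5431 connection followed shortly by a UDP/1900 request from the same source to the same target) is a usable detection signature on the defender's side. The following is an added example, not code from the original post or from 360Netlab: it runs over constructed flow records (the record format and the 60-second correlation window are assumptions) and reports source/destination pairs that show the sequence.

```python
"""Flag the BCMUPnP_Hunter probe sequence in flow records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records, not real telemetry.
# Assumed format: (timestamp, src_ip, dst_ip, proto, dst_port).
FLOWS = [
    ("2018-10-12T10:00:01", "203.0.113.7", "192.0.2.10", "tcp", 5431),  # port probe
    ("2018-10-12T10:00:02", "203.0.113.7", "192.0.2.10", "udp", 1900),  # SSDP request
    ("2018-10-12T10:00:05", "203.0.113.7", "192.0.2.10", "tcp", 5431),  # follow-up session
    ("2018-10-12T10:01:00", "198.51.100.4", "192.0.2.11", "udp", 1900),  # SSDP alone
    ("2018-10-12T10:02:00", "198.51.100.9", "192.0.2.12", "tcp", 5431),  # probe alone
    ("2018-10-12T10:09:00", "198.51.100.9", "192.0.2.12", "udp", 1900),  # too late to pair
]

WINDOW = timedelta(seconds=60)  # assumed correlation window


def find_upnp_hunter_scans(flows, window=WINDOW):
    """Return {(src, dst): time_of_udp_probe} for every src/dst pair where a
    TCP/5431 probe was followed by a UDP/1900 probe within `window`."""
    tcp_probes = defaultdict(list)  # (src, dst) -> timestamps of TCP/5431 flows
    hits = {}
    for ts, src, dst, proto, port in sorted(flows, key=lambda f: f[0]):
        t = datetime.fromisoformat(ts)
        key = (src, dst)
        if proto == "tcp" and port == 5431:
            tcp_probes[key].append(t)
        elif proto == "udp" and port == 1900:
            # Pair the SSDP request with an earlier TCP/5431 probe from the same source.
            if any(timedelta(0) <= (t - p) <= window for p in tcp_probes[key]):
                hits.setdefault(key, t)
    return hits


def scanning_sources(hits):
    """Distinct source addresses showing the sequence (the per-event node count)."""
    return {src for src, _ in hits}


if __name__ == "__main__":
    for (src, dst), t in find_upnp_hunter_scans(FLOWS).items():
        print(f"{t.isoformat()} {src} -> {dst}: TCP/5431 then UDP/1900")
```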

Looking ahead, we should note that ports 5431 and 1900 were not chosen at random: the UPnP service usually runs on these ports. In other words, the vulnerability lies in this service, which is enabled by default on most devices. We will look at the list of devices later.
For a long time, experts were unable to capture this activity. The difficulty boiled down to getting the honeypot (a resource that acts as bait for attackers) to mimic a device in the scenario described above. Only in October 2018, after a long configuration process, did they succeed and trick the botnet. The project was named BCMUPnP_Hunter.
Further research showed that the botnet has the following characteristics:
- The number of infections is very high, with approximately 100,000 active scanning IP addresses in each event.
- The target of the infection is mainly router equipment with the BroadCom UPnP function enabled.
- The attacker’s server sends emails through this botnet, which is essentially a proxy server. Currently, requests to well-known mail servers such as Outlook, Hotmail, Yahoo! Mail, etc. are being recorded. Researchers believe that the attackers’ goal is to send spam.
The frequency and number of scanning nodes can be seen in the graph below.

As can be seen, activity peaks every 1-3 days and in some cases reaches 100,000 nodes. The total number of attacking nodes is about 3.34 million, though it cannot be ruled out that the same devices appear under different IP addresses.
The geographical distribution of the scanning nodes is shown on the map.

India leads the way with 147,700 nodes, followed by the US and China.
The list of vulnerable devices includes many popular brands such as Cisco, Zyxel, D-Link, Eltex, and TP-Link. In total, there are about 116 devices, but researchers note that this number may be higher. The full list is provided below.
The consequences are obvious: 100% of the provider’s IP addresses are blacklisted by anti-spam services.
It is interesting to note that a large proportion of vulnerable devices are ADSL routers. This is probably a coincidence, but it should not be forgotten that xDSL is still used in many developing countries with large populations.
Stingray provides protection against DDoS attacks, and the new version features a mini-Firewall function, which we will describe in detail in our blog soon. For more detailed information about the advantages of the platform, its effective use in telecommunications networks, as well as migration from other platforms and integration with other systems, please contact the specialists at VAS Experts, the developer and supplier of the Stingray Service Gateway traffic analysis system.
Complete list of vulnerable devices
ADB Broadband S.p.A, HomeStation ADSL Router
ADB Broadband, ADB ADSL Router
ADBB, ADB ADSL Router
ALSiTEC, Broadcom ADSL Router
ASB, ADSL Router
ASB, ChinaNet EPON Router
ASB, ChinaTelecom E8C(EPON) Gateway
Actiontec, Actiontec GT784WN
Actiontec, Verizon ADSL Router
BEC Technologies Inc., Broadcom ADSL Router
Best IT World India Pvt. Ltd., 150M Wireless-N ADSL2+ Router
Best IT World India Pvt. Ltd., iB-WRA300N
Billion Electric Co., Ltd., ADSL2+ Firewall Router
Billion Electric Co., Ltd., BiPAC 7800NXL
Billion, BiPAC 7700N
Billion, BiPAC 7700N R2
Binatone Telecommunication, Broadcom LAN Router
Broadcom, ADSL Router
Broadcom, ADSL2+ 11n WiFi CPE
Broadcom, Broadcom Router
Broadcom, Broadcom ADSL Router
Broadcom, D-Link DSL-2640B
Broadcom, D-link ADSL Router
Broadcom, DLink ADSL Router
ClearAccess, Broadcom ADSL Router
Comtrend, AR-5383n
Comtrend, Broadcom ADSL Router
Comtrend, Comtrend single-chip ADSL router
D-Link Corporation., D-Link DSL-2640B
D-Link Corporation., D-Link DSL-2641B
D-Link Corporation., D-Link DSL-2740B
D-Link Corporation., D-Link DSL-2750B
D-Link Corporation., D-LinkDSL-2640B
D-Link Corporation., D-LinkDSL-2641B
D-Link Corporation., D-LinkDSL-2741B
D-Link Corporation., DSL-2640B
D-Link, ADSL 4*FE 11n Router
D-Link, D-Link ADSL Router
D-Link, D-Link DSL-2640U
D-Link, D-Link DSL-2730B
D-Link, D-Link DSL-2730U
D-Link, D-Link DSL-2750B
D-Link, D-Link DSL-2750U
D-Link, D-Link DSL-6751
D-Link, D-Link DSL2750U
D-Link, D-Link Router
D-Link, D-link ADSL Router
D-Link, DVA-G3672B-LTT Networks ADSL Router
DARE, Dare router
DLink, D-Link DSL-2730B
DLink, D-Link VDSL Router
DLink, DLink ADSL Router
DQ Technology, Inc., ADSL2+ 11n WiFi CPE
DQ Technology, Inc., Broadcom ADSL Router
DSL, ADSL Router
DareGlobal, D-Link ADSL Router
Digicom S.p.A., ADSL Wireless Modem/Router
Digicom S.p.A., RAW300C-T03
Dlink, D-Link DSL-225
Eltex, Broadcom ADSL Router
FiberHome, Broadcom ADSL Router
GWD, ChinaTelecom E8C(EPON) Gateway
Genew, Broadcom ADSL Router
INTEX, W150D
INTEX, W300D
INTEX, Wireless N 150 ADSL2+ Modem Router
INTEX, Wireless N 300 ADSL2+ Modem Router
ITI Ltd., ITI Ltd.ADSL2Plus Modem/Router
Inteno, Broadcom ADSL Router
Intercross, Broadcom ADSL Router
IskraTEL, Broadcom ADSL Router
Kasda, Broadcom ADSL Router
Link-One, Modem Roteador Wireless N ADSL2+ 150 Mbps
Linksys, Cisco X1000
Linksys, Cisco X3500
NB, DSL-2740B
NetComm Wireless Limited, NetComm ADSL2+ Wireless Router
NetComm, NetComm ADSL2+ Wireless Router
NetComm, NetComm WiFi Data and VoIP Gateway
OPTICOM, DSLink 279
Opticom, DSLink 485
Orcon, Genius
QTECH, QTECH
Raisecom, Broadcom ADSL Router
Ramptel, 300Mbps ADSL Wireless-N Router
Router, ADSL2+ Router
SCTY, TYKH PON Router
Star-Net, Broadcom ADSL Router
Starbridge Networks, Broadcom ADSL Router
TP-LINK Technologies Co., Ltd, 300Mbps Wireless N ADSL2+ Modem Router
TP-LINK Technologies Co., Ltd, 300Mbps Wireless N USB ADSL2+ Modem Router
TP-LINK, TP-LINK Wireless ADSL2+ Modem Router
TP-LINK, TP-LINK Wireless ADSL2+ Router
Technicolor, CenturyLink TR-064 v4.0
Tenda, Tenda ADSL2+ WIFI MODEM
Tenda, Tenda ADSL2+ WIFI Router
Tenda, Tenda Gateway
Tenda/Imex, ADSL2+ WIFI-MODEM WITH 3G/4G USB PORT
Tenda/Imex, ADSL2+ WIFI-MODEM WITH EVO SUPPORT
UTStarcom Inc., UTStarcom ADSL2+ Modem Router
UTStarcom Inc., UTStarcom ADSL2+ Modem/Wireless Router
UniqueNet Solutions, WLAN N300 ADSL2+ Modem Router
ZTE, Broadcom ADSL Router
ZTE, ONU Router
ZYXEL, ZyXEL VDSL Router
Zhone, Broadcom ADSL Router
Zhone, Zhone Wireless Gateway
Zoom, Zoom Adsl Modem/Router
ZyXEL, CenturyLink UPnP v1.0
ZyXEL, P-660HN-51
ZyXEL, ZyXEL xDSL Router
huaqin, HGU210 v3 Router
iBall Baton, iBall Baton 150M Wireless-N ADSL2+ Router
iiNet Limited, BudiiLite
iiNet, BoB2
iiNet, BoBLite