A recently discovered botnet has taken control of an eye-popping 100,000 home and small-office routers made from a range of manufacturers, mainly by exploiting a critical vulnerability that has remained unaddressed on infected devices more than five years after it came to light.

Researchers from Netlab 360, who reported the mass infection late last week, have dubbed the botnet BCMUPnP_Hunter. The name is a reference to a buggy implementation of the Universal Plug and Play protocol built into Broadcom chipsets used in vulnerable devices. An advisory released in January 2013 warned that the critical flaw affected routers from a raft of manufacturers, including Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, and US Robotics. The finding from Netlab 360 suggests that many vulnerable devices were allowed to run without ever being patched or locked down through other means.

Last week’s report documents 116 different types of devices that make up the botnet from a diverse group of manufacturers. Once under the attackers’ control, the routers connect to a variety of well-known email services. This is a strong indication that the infected devices are being used to send spam or other types of malicious mail.

Universal Plug and Play

UPnP is designed to make it easy for computers, printers, phones, and other devices to connect to local networks using code that lets them automatically discover each other. The protocol often eliminates the hassle of figuring out how to configure devices the first time they’re connected. But UPnP, as researchers have warned for years, often opens up serious holes inside the networks that use it. In some cases, UPnP bugs cause devices to respond to discovery requests sent from outside the network. Hackers can exploit the weakness in a way that allows them to take control of the devices. UPnP weaknesses can also allow hackers to bypass firewall protections.

Source: A 100,000-router botnet is feeding on a 5-year-old UPnP bug in Broadcom chips | Ars Technica