back to article Spammer scum hack 100,000 home routers via UPnP vulns to craft email-flinging botnet

Once again, a hundred thousand or more home routers have been press-ganged into a spam-spewing botnet, this time via Universal Plug and Play (UPnP). According to brainiacs from 360 Netlab, the malware exploits vulnerabilities in a Broadcom UPnP implementation to infect vulnerable gateways, and that means a load of router …

  1. Chronos Silver badge

    Took longer than I expected

    I've been saying for years that shipping routers with universal probe'n'pwn enabled by default is going to end in tears. That it's only a spambot, easily mitigated by using RBL dynamic allocation pool lookups, is really surprising given the scope for mischief.

    1. Anonymous Coward
      Anonymous Coward

      Re: Took longer than I expected

      I've been watching the logs on our mail server and the login attempts went up to about 100/hour recently, it's dropped back now but probes on the firewall WAN sides have been steadily rising all year. Oddly enough (or maybe not) there's an inverse relationship between login attempts (they all fail) and the number of "new sale ordeer.txt.vbs" (sic) files that arrive every day.

      It's a wild world out there.

  2. Kenny Millar

    Don't disable UPnP, at least not on the private side of the router - you need it for streaming audio etc, wireless speakers and so on.

    1. Lee D Silver badge


      UPnP allows ANY network device to request ANY network port on ANY external connection be forwarded to ANY internal IP/port combination, with NO AUTHENTICATION. Not one vendor has properly implemented authentication.

      Turn that crap off, on all your networks, because even just "internally" it's not safe, and not necessary.

      P.S. I have 1000 Steam games, a Chromecast, and all kinds of kit and none of it complains one iota about not having UPnP enabled.

      1. Lee D Silver badge

        P.P.S. and turning off UPnP on your router will NOT stop local devices discovering each other via it.

        Just turn it off, because having it enabled on any router will basically give all devices a free port-forward of their choice.

        1. Baldrickk Silver badge

          The only problem being

          various tools that do some measure of hosting content that expect UPnP to be enabled - games that do peer to peer/self hosting multiplayer that don't readily provide which ports need to be exposed.

          Not that you can't find out, but the hassle is likely enough to get a semi-tech-literate gamer to turn it back on, or someone using a peer to peer voip app etc.

    2. Joe Drunk

      Don't disable UPnP, at least not on the private side of the router - you need it for streaming audio etc, wireless speakers and so on.

      UPnP is really nothing more than auto port-forwarding. All your gadgets that require outside access will still work by MANUALLY enabling port forwarding rules in your router. More work, more secure however since UPnP has long been a risk.

      Easy enough for any long-time Reg reader. What am I supposed to do for friends/family? Everytime they buy a new IoT/download a new console game I have to do a service call and spend a few hours there. Have you ever tried to glean IP/PORT info for some IoT or console games?

      1. Baldrickk Silver badge

        @Joe - we basically said the same thing in our posts - how come I was exclusively downvoted by about the same magnitude as you were exclusively upvoted?

    3. Anonymous Coward
      Anonymous Coward

      Just connect your wireless speakers with a wire, that will negate the need for UPNP.

      I just felt like adding to your comment as we are both clearly talking rubbish.

      1. Lee D Silver badge

        Friend bought round XBox 360. It worked. No UPnP.

        I have 1000 games on my Steam account. They all work. Online.

        Skype, Whatsapp, hundreds of apps, phones, other people's consoles on games nights, you name it. They all work.

        You only EVER *NEED* a port-forward if you are HOSTING content. You do not need it to game, join servers, browse servers or anything else. All major consoles have matchmaking services that can handle that side for you, no port-forwards required. And that's because only when you are actually being a server should you be punching holes in your firewall to let others in (rather than talking to a matchmaking server, or talking over an ESTABLISHED connection to another person which is what matchmaking servers set up for you).

        Seriously. Turn UPnP off now. Play any game you like. See what happens. At absolute worst, XBox even has a term for it that shows up in the settings that nobody ever looks at... it basically means "you're behind a NAT, so I'll use a matchmaking service that knows that".

        UPnP has several functions - one discovers things over the local network using local broadcast/multicast addresses. That's fine, and is on the client. One tells the local network that there is indeed a way to get to the Internet. That's fine, but often runs on the router and is entirely unnecessary on any modern operating system. Some advanced routers (e.g. Draytek) will have an option to leave that on, if you like. It's called "Connectivity Status". The other thing UPnP does is the port-forward thing. Every client asks for port-forwards. If your router grants them, this is by far not the first security problem with that. If you turn them off, the clients carry on regardless. Even weird stuff like videoconferencing, Steam matchmaking etc.

        Before you start spreading nonsense saying that you "have to have UPnP", turn it off and see what happens. It's literally one click on your router.

        Then tell me why you would ever want that functionality enabled on, say, a corporate network either, and why they turn it off from day one, and who's likely to be the biggest user of things like port-forwards and SIP / H232 / etc. protocols that all "need" that... yet it all works without UPnP.

        Honestly, just try it. Nobody is even suggesting you have to ditch your local wireless devices, because they can use mDNS and UPnP etc. discovery over your local network, and connect to the Internet to do everything they need, without EVER HAVING to use it to punch as many holes in your firewall as they like.

        TURN OFF UPNP ON YOUR ROUTER. Seriously. Not your clients, they can do what they like, because they can't punch holes in your security without the router's assistance and will just discover each other and work around it. And if you *didn't* know this, you really need to think why you're on an IT forum.

        1. sabroni Silver badge
          Thumb Up

          re: And if you *didn't* know this, you really need to think why you're on an IT forum.

          Not knowing this is exactly why I'm on an IT forum!

        2. Anonymous Coward
          Anonymous Coward

          Fantasy Grounds

          UPnP is required for the popular roleplaying game platform Fantasy Grounds, if you are the GM, which I am for our group.

    4. Chronos Silver badge

      Don't disable UPnP, at least not on the private side of the router - you need it for streaming audio etc, wireless speakers and so on.

      Oh dear. I suspect you're confusing it with DLNA, which is often called uPNP by people who really should know better. The universal probe'n'pwn we (the grown ups) are talking about is the protocol that allows any old munchkin's half-arsed application to poke holes in your firewall/NAPT.

      Icon says it all.

    5. bombastic bob Silver badge
      Thumb Down

      "Don't disable UPnP, at least not on the private side of the router - you need it for streaming audio etc, wireless speakers and so on."

      FUD. You do NOT know what you are talking about!

      You do _NOT_ need UPnP on a router. The only thing it does is OFFER! UP! A! SECURITY! CRATER! to _ANY_ process on the LAN side by ENABLING! A! LISTENING! PORT! on the public IP address... you know, like a COMMAND AND CONTROL PORT for MALWARE!!

      UPnP is bad. Disable the @#$%'ing thing. Just like the article says at the end.

    6. Androgynous Cow Herd


      *YOU * apparently need it for streaming, etc.

      I actually understand how TCP/IP works and don't need it at all.

      At the very worst, there is this thing called nmap that will tell me everything I need to know about any device on my network.

    7. Fungus Bob Silver badge

      Re: wireless speakers

      Proper speakers have wires.

  3. Ramis101

    Disabling UPnP completely isn't such a bad idea

    Did that when it 1st came out. haven't looked back..... or needed it either

    1. Chronos Silver badge

      Re: Disabling UPnP completely isn't such a bad idea

      Quite. I've removed miniupnpd from my OpenWRT builds and exactly nobody has complained.

    2. bombastic bob Silver badge
      Thumb Up

      Re: Disabling UPnP completely isn't such a bad idea

      I did that, too, when I realized it was on the router [and had done so already on the winders boxen]. "HOLY $#!+ BALLS I better turn that off!". I did look for it, though... after having read all of the security warnings about it on El Reg and elsewhere.

  4. Anonymous Coward
    Anonymous Coward

    ISP-branded router - patch? What patch?

    I had a modem-router-wireless router that was supplied and (theoretically) supported by CenturyLink for over 5 years. In that time, there were exactly 0 firmware updates. Actual manufacturer wouldn't touch or discuss it (all responsibility for support is on ISP), and the ISP has no reason to bother creating updates.

    I'm now using one I purchased myself, which (last I checked) also didn't have any firmware updates, but at least it has way more features, and wasn't particularly expensive. Definitely hunting down UPnP and verifying it's off, though.

    1. bombastic bob Silver badge

      Re: ISP-branded router - patch? What patch?

      if the router has 'bridge mode' for the internet connection [assuming it's DSL or similar] you can (most likely) manage it with a Linux or FreeBSD box instead. works for me! Haven't tried it with cable, though.

      1. Anonymous Coward
        Anonymous Coward

        Re: ISP-branded router - patch? What patch?

        Oh, I can get into the router and configure it all I want. (Old and new router.) But there haven't been any firmware updates to patch security holes... ever. Kind of hard to patch without a patch.

    2. Slarti Bartfast

      Re: ISP-branded router - patch? What patch?

      Same here. Four year old Technicolor router. They released one firmware update six months after the router was shipped, since then nothing. When I log in to the admin interface on the router there is a helpful "Update Firmware" button. I click it and it asks me to browse to the firmware update file on my PC. Is it beyond the wit of domestic router manufacturers to provide a firmware update facility over https? I suppose if they aren't planning on producing any updates what would be the point.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019