
A 100k Botnet Turns Home Routers to Email Spammers - wglb
https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/
======
jrochkind1
Is there any easy way to check if your router is vulnerable/compromised? Or
instructions for disinfecting it as well as patching it?

Like, based on actually being exploitable or compromised, not firmware
versions or whatever.

I actually suspect mine is compromised, it's been behaving funny for a month
or two, needing to be restarted a lot. (Which, ironically, is a signal of a
_buggy_ compromise; your router could of course be compromised and you'd never
know it if the malware was well-behaved enough to stay out of the way of your
usual use).

I can (painfully) update the firmware... but I don't trust that the vendor's
most recent firmware actually solves it. Nor do I trust that once compromised
a firmware update is enough to eliminate the malware.

For such a widespread compromise... we could use more user-friendly (or even
relatively techy but not a network engineer user-friendly) instructions for...
what to do.

I guess the reality is that most (non-techy) users, if they notice at all
(due to malware that buggily causes things not to work well for intended uses,
instead of staying out of the way), will just decide their equipment is
"broken", throw it out and buy new stuff... that hopefully won't get
compromised again. Which I guess works for the consumer network hardware
vendors.

~~~
spudlyo
If I were you I'd check to see if your router can run one of the several open
source firmware packages like OpenWRT, dd-wrt, or Tomato. In my personal
experience the OpenWRT/lede team is on top of security issues, and the router
web interface and tooling is completely fine.

I'd be confident that flashing your device with modern open source firmware
would solve the problem, but if you're paranoid just recycle the device and
get a new one. In any event, I don't see a solution for you that doesn't
involve some homework.

~~~
jrochkind1
In general, I am cautious of running my own open source thing without being an
expert in the relevant area (or interested in becoming one) -- having to put
something together (and maintain it) yourself seldom, in my experience, ends
up _more_ secure or _more_ maintainable, when you don't know what you're
doing.

However, routers may be an exception. Apparently the industry has basically no
business motivation to keep consumer-grade networking hardware secure, at all.
Irrelevant to their profits or reputation.

I'll consider it. When I bought my router I intentionally got one that can run
OpenWRT, but never ended up installing it, 'cause, who's got time for that? But
perhaps there isn't really an alternative, unless you want a bot-net-ed
router. Which honestly, and with shame, I'd just ignore the botnet sending out
spam to other people if I didn't think it was compromising the functionality
(and security) of my router for me. Last thing I wanna do is spend time
becoming a network engineer after a day of getting paid to write software, but
I guess that's where we're at.

(Oh crap, I just realized it could be my DSL modem instead of or in addition
to my (wired and wifi) router. I know even LESS about that thing. I think none
of these consumer products, owned by people who know a lot less than me, are
ever gonna be protected, if even I am intimidated by trying to figure it out).

~~~
xorcist
You're going to have to upgrade your firmware _anyway_, so why not upgrade to
something that actually cares about basic functionality?

Some people unused to open source solutions sometimes have this idea that all
software developed by enthusiasts by necessity is hard to use or requires
tinkering, but that's not a fair picture. When developers share your
interests, that's when software gets usable. That interest might not always be
UI, but sometimes it is.

OpenWRT (and friends!) is clearly much easier to use and delivers richer
functionality than any of the software it replaces. If your router is listed
as supported, go for it.

~~~
jrochkind1
The good reviews of OpenWRT help. The caution is mostly because it's unclear
to me how hard it would be to switch it back. But yeah, probably will.

~~~
styfle
Not to mention the idea that you might bork your router during installation
and have no internet, therefore no way to install the old fw version.

------
commandlinefan
> Universal Plug-n-Play

And, like so many other attempts to "simplify" supposedly complex
configuration, in addition to being a massive security hole to attackers, it's
almost useless to the home users for whom it was meant because it only works
under a very narrow, mostly undocumented set of assumptions and if any of
those assumptions are invalid, it fails silently.

~~~
OJFord
I disabled it after this post, but it appears Plex switches to 'indirect' mode
(it goes out to the Internet and back in) without it; i.e. I am using UPnP.

It's not clear what the solution is - update firmware? I am on the latest. Use
OpenWRT (or whatever it's called these days)? Every time I look into it (I
really want to!) I stop at the simple 'I want to do this, I will happily buy a
new router, which one do I buy and know it works well and will continue to
work well with updates?'

~~~
WorldMaker
Plex has had a major forum breach for basic user data including IP addresses
[1], around the time of the botnet's first discovery in 2017, which has me
greatly wondering if Plex may have been an inadvertent bootstrap vector for
this attack?

Worrying, if that's the case.

[1]
[https://haveibeenpwned.com/PwnedWebsites#Plex](https://haveibeenpwned.com/PwnedWebsites#Plex)

~~~
OJFord
Usually a problem for things like Plex, ISPs with double NAT actually do users
a favour here.

~~~
WorldMaker
UPnP wouldn't exist without NAT. The underlying root cause of UPnP is NAT (and
the slow deployment of things like reliable mDNS implementations). Admittedly,
Plex would have different security problems without NAT, given its model, but
arguably those security problems would have simpler solutions in a world
without NAT.

------
stevenicr
I think it's time for windows, and ios, and firewall / antivirus companies to
scan for info about the routers used and alert people that their network is
easily hacked, may already be hacked, and is in danger of being used by
criminals to attack other countries and companies.

Extra info such as, the router you are using has not had any available
firmware updates for 3 years and likely needs to be replaced.

It's obvious we are not going to get this info to most people from the IOT
manufacturers.

This could be quite beneficial for those who hook up their phones to different
wifi networks as well - a pop up showing that their router / internet gateway
model has been shown to be used in at least 100,000 other malware exploits,
and should not be trusted like your cell connection -

It's time to start shaming and naming - the bad guys already know how to get
this info, we need to make it easier for the end users to become aware.

A service that will email you when firmware is available for your equipment,
or your equipment is listed on shodan, blackhathacksrus, or other places may
be beneficial as well. Set it up to take serial numbers scanned with an app,
and give notices on recalls and physical theft recovery.

We obviously need something, and possibly many things, to help with this.

I can't believe a certain router company a few years ago did not offer to send
a rebate if I returned their no-longer-updated hardware when I emailed them
inquiring about a published exploit and lack of updates. I no longer use that
brand or suggest it. They could have kept a customer and made things better;
they did neither.

~~~
achillean
We actually offer such a monitoring service at Shodan, though it's largely
aimed at companies so you need to use the API. Here's an article on how to
set up a real-time monitor for your network:

[https://help.shodan.io/guides/how-to-monitor-network](https://help.shodan.io/guides/how-to-monitor-network)

~~~
chopin
How would this work for a consumer network which doesn't have a fixed public
IP?

~~~
achillean
In that case you're probably better off w/ a cronjob that checks Shodan for
information on your IP once a day. Doing direct IP lookups is free so you
wouldn't need to pay. You won't get the immediate, real-time feedback but it's
fairly straightforward to do a daily IP lookup.

You could also change/update your private firehose every day though that
would require a bit more technical skill. You could basically do:

    # Ask Shodan which public IP you are currently coming from
    MYIP=$(shodan myip)
    # Create (or re-create daily) a network alert covering that IP
    shodan alert create home-network "$MYIP"
    # Subscribe to the firehose of events for all of your alerts
    shodan stream --alerts=all

That would create an alert for your current IP and then subscribe to any
events.

------
josteink
And OpenWrt users everywhere feel totally superior once again.

Seriously though: this is why you don’t let your device run unvetted firmware
by vendors who don’t provide updates.

Load it with a Linux-distro you can update yourself to keep it rolling and
secure.

~~~
OJFord
I keep looking into it and keep stopping at 'what should I buy'. I'm willing
to / assume I need to buy new hardware. What do I buy that will run it well,
and continue to?

~~~
rubatuga
Buy the Archer C7 version 2, and install the optimized version of openwrt:
[https://github.com/infinitnet/lede-ar71xx-optimized-archer-c7-v2](https://github.com/infinitnet/lede-ar71xx-optimized-archer-c7-v2)

This build gets ~750 mbps NAT speed as opposed to vanilla openwrt, which is
around ~300 mbps.

~~~
OJFord
Is that v2 as in >v1, or is there a v3+ that I don't want?

That is, can I just buy from Amazon [0] with a fairly safe assumption that a
new C7 is OK?

[0]: [https://www.amazon.co.uk/TP-Link-AC1750-Dualband-Zertifiziert-Generalüberholt/dp/B00BUSDVBQ](https://www.amazon.co.uk/TP-Link-AC1750-Dualband-Zertifiziert-Generalüberholt/dp/B00BUSDVBQ)

~~~
GordonS
So, 2 or 3 years ago I did just that.

And it was flaky as f*ck. It rebooted itself roughly once a day, and would
stop routing traffic to my fibre modem and need to be manually rebooted at
least once a day.

The Openwrt support forums were... not helpful.

All this was such a shame, because the Openwrt feature set is so much more
capable than the stock firmware - I so wanted it to work, but had such a bad
experience I haven't gone near it since and it will likely stay that way.

~~~
josteink
You have to be specific about the hardware you buy.

Throughout my time I've bought around 2 or 2 routers with the naive assumption
"oh it will probably work out fine", and that's definitely not how it works.
That has certainly left me with disappointment.

IME it pays off greatly to upfront research the specific model (and revision)
and buy exactly that. Like in this case, the Archer C7 v2 (of which I've
recently bought two).

It's running OpenWrt flawlessly and I would have zero issues recommending that
particular model to anyone.

~~~
GordonS
Ah, I got confused - it's a stock TP-LINK AC1750 Archer C7 that I have _now_,
and it was an older TP-LINK I'd tried OpenWrt on. I forget the model, but I
had been specific about the hardware I bought, making sure it was in OpenWrt's
list of supported devices.

Strangely, the C7 I have now advertises itself as 'v2/v3'!

------
9712263
So, what is the most secure option for the moment? Buy an x86 box and turn it
into a router? But it consumes more power than a low-power router, and buying
more network adapters is not that cheap.

I am currently using the open source tomato firmware. However, there is a
bug/feature in the router so that I cannot flash an image that is too large, or
otherwise it would not work. Also, the configuration is limited to 32 KB; if
I configure too much, then the configuration file will become gibberish and
some random feature in the router will be missing, and a factory reset is
required to fix it. So, I am stuck with an older version of tomato which
guarantees some kind of vulnerability is not fixed.

Not sure what I can get in the form factor of a router. Raspberry pi may work
but too few ports available. I heard that the CPU would get hot for intense
network traffic.

~~~
walrus01
For something really small the ubiquiti edgerouter devices which run their
EdgeOS are a good choice. If there's a serious security vulnerability on the
WAN-facing interface it will be patched. They run a fork of Vyatta. Ubiquiti
employs most of the old Vyatta development team, who did not go to Brocade
when Vyatta was acquired.

Or build a really small low power x86 system with a few Intel gigabit NICs in
it and run open source VyOS.

~~~
eikenberry
So the ERLite-3?

[https://www.ubnt.com/edgemax/edgerouter-lite/](https://www.ubnt.com/edgemax/edgerouter-lite/)

~~~
walrus01
The $48 ER-X is much faster than 99% of people's residential last mile
broadband connections; it's good for up to about 750 Mbps of NAT and default
route outbound to a gateway.

~~~
eikenberry
I have a gigabit fiber line with no PoE from the fiber box. Between the 2 I
think the ERLite-3 should work better.

~~~
ropiku
I have no problems with a gigabit symmetrical line on ERLite-3. UniFi Security
Gateway is the same hardware but in a nicer interface that works with UniFi
APs & Switches if you want to go that route but you have to also host a
controller. You can also upgrade to a ER-4 for a much faster CPU but I don't
think you need to.

------
testplzignore
How many home routers _aren't_ compromised or have known vulnerabilities? It
would be interesting if a study looked at a random sample of the population of
home routers to determine this. Go to people's homes and actually check. These
articles always seem to look at it from the "how many compromised routers have
we found so far" angle. I suspect that if the story was "90% of home routers
have known unpatched vulnerabilities", these security issues would be taken
more seriously by the companies responsible for them. And if they don't act,
regulate them out of existence.

~~~
lbriner
> And if they don't act, regulate them out of existence.

Sounds easy but doesn't work IRL. The service providers don't build the units
and rely on the supplier. The supplier might have patched it but wants money;
the ISP doesn't want to pay. Maybe the patch breaks something else and the ISP
doesn't want to put that on all their users.

Also, not all vulnerabilities are equal. Some are more serious than others and
require patching urgently, others less so.

And not all ISPs can push a patch so how do you tell everyone to update and
what happens when it doesn't work and 1M people are calling Customer Support?

~~~
toomuchtodo
Comcast has functionality where they will email and/or text you if your
connection has botnet or other nefarious activity on it and will disconnect
you until it's resolved. Not a fan of them, but it's something they get right.

[https://i.imgur.com/cYKXtII.png](https://i.imgur.com/cYKXtII.png)

------
weinzierl
Germany is a nice white spot on the map because they all run their Fritz
boxen, which seem to be unaffected by BCMPUPnP_Hunter.

------
trulyrandom
I must be missing something, but why are all these routers publicly listening
on port 5431?

~~~
mr_toad
Ports 5431 and 1900 are used for UPnP.

I can’t think of any good reason they should be listening on an external
interface, but maybe the port scanning is happening on the inside.

~~~
trulyrandom
That's the thing, it looks like they _are_ listening externally:
[https://www.shodan.io/search?query=Server%3A%20Custom%2F1.0%...](https://www.shodan.io/search?query=Server%3A%20Custom%2F1.0%20UPnP%2F1.0%20Proc%2FVer).
I tried a couple of those IPs and can reach all of them on 5431.
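An added example, not code from achillean, trulyrandom or anyone else in the thread: a Python form of the daily self-lookup achillean describes, which flags the WAN-side UPnP exposure (ports 5431/1900 and the "Custom/1.0 UPnP/1.0 Proc/Ver" Server banner) trulyrandom found on Shodan. It assumes the official `shodan` Python package (`Shodan.host()`, `Shodan.tools.myip()`) and the layout of a Shodan host record (`ports`, `data` banners with `port`/`data`, `vulns`); the sample record is constructed so the script runs offline.

```python
"""Daily Shodan self-check for a home IP: is my WAN side listening on UPnP?"""
import os
import sys

# Ports the thread identifies as UPnP listeners on the affected routers.
UPNP_PORTS = {1900, 5431}
# The Server header trulyrandom used as a Shodan search term.
UPNP_BANNER_MARK = "Custom/1.0 UPnP/1.0 Proc/Ver"


def assess_host(record):
    """Summarise a Shodan host record into findings a home user should act on.

    record: dict shaped like Shodan's host JSON (assumption, see lead-in).
    Returns exposed UPnP ports, ports whose banner matches the UPnP mark,
    any CVE ids Shodan attached, and a single action_needed flag.
    """
    exposed = sorted(p for p in record.get("ports", []) if p in UPNP_PORTS)
    banner_hits = sorted(
        b["port"] for b in record.get("data", [])
        if UPNP_BANNER_MARK in b.get("data", ""))
    cves = sorted(record.get("vulns", []))
    return {
        "exposed_upnp_ports": exposed,
        "upnp_banner_ports": banner_hits,
        "cves": cves,
        "action_needed": bool(exposed or banner_hits or cves),
    }


def fetch_record(api_key):
    """Look up the public IP we are coming from (direct IP lookups are free)."""
    import shodan  # assumption: official Shodan client, pip install shodan
    api = shodan.Shodan(api_key)
    return api.host(api.tools.myip())


# Constructed sample (not real data), shaped like a Shodan host record.
SAMPLE_RECORD = {
    "ip_str": "192.0.2.10",  # documentation (TEST-NET-1) address
    "ports": [80, 5431],
    "data": [
        {"port": 80, "transport": "tcp",
         "data": "HTTP/1.1 200 OK\r\nServer: httpd\r\n"},
        {"port": 5431, "transport": "tcp",
         "data": "HTTP/1.1 200 OK\r\nServer: Custom/1.0 UPnP/1.0 Proc/Ver\r\n"},
    ],
}


def main():
    key = os.environ.get("SHODAN_API_KEY")
    record = fetch_record(key) if key else SAMPLE_RECORD
    report = assess_host(record)
    print(f"{record.get('ip_str')}: {report}")
    # Exit non-zero when something needs attention so a cron wrapper can notify.
    return 1 if report["action_needed"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from a daily cron entry with `SHODAN_API_KEY` set; without the key it only evaluates the constructed sample.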

------
Bucephalus355
They are currently talking about creating a cyber civilian corps that would be
under the Department of Homeland Security. The purpose would be some yet to be
defined “assisting businesses and state / local governments in crisis”.

However maybe we should have them knocking on doors having ppl set up their
home network.

Obviously a lot of responsibility is being pushed back on companies to make
this easier, but still we have all these old devices out there humming along.

[https://www.newamerica.org/cybersecurity-initiative/reports/need-c3/3-a-us-cyber-civilian-corps-how-would-it-be-organized-and-staffed/](https://www.newamerica.org/cybersecurity-initiative/reports/need-c3/3-a-us-cyber-civilian-corps-how-would-it-be-organized-and-staffed/)

~~~
jsjohnst
It’s been talked about for years under DHS. I was part of one of the early
iterations of it called NetGuard. I have zero hope for any such initiative
after the experience despite thinking it's sorely needed.

------
black-tea
It's interesting to me that "pwn" has entered the respectable lexicon. If I
were to talk about "haxxors" or "warez" I don't think I would be taken very
seriously on here. I guess it's because "pwn" occupies a meaning not fully
encompassed by any other word. There is "root" which is itself a slang term
but it's too specific, I suppose, and "compromised" is just too long.

~~~
macintux
I can say "pwn" is not something I would ever write in a serious document, but
I'm also an old fart.

~~~
WrtCdEvrydy
It depends on the age... usually for the board, we use 'compromised', because
every one of those guys is scared of compromising pictures coming out
(snorting milk powder off a friend's breasts for example)

------
Scoundreller
I’ve said it before: it shouldn’t be that hard for someone handy with a
soldering iron to “harden” their router:

Look up the pinout for the flash chip, find the write-enable line, and put it
on a switch to lock firmware updates.

This won’t protect you against non-persistent malware, but it will prevent
malicious updates.

One could attach a bit of logic and an LED to this line to switch on when a
flash is attempted. Then you know something bad is in the stream.

~~~
albertgoeswoof
What about non malicious security updates?

~~~
Scoundreller
Flip the switch when you want to allow them (but why accept random OTA
updates?).

The LED logic should signal you when there's an update coming in OTA, and you
can verify for yourself if there's a legitimate update (and possibly load it
yourself).

------
jammygit
How exactly does one go about buying a router that is not going to turn evil?
Is there some company with open source software and easy setup, or some other
easy solution?

------
rbanffy
What if someone did that, but to use the routers for some charitable
distributed computing project?

Or mining crypto currencies and giving the proceeds to the router's owners?

Or perhaps a globally distributed weather prediction system that automatically
detects network enabled weather stations and predicts weather everywhere for
free?

Or a distributed P2P social network?

~~~
cliffy
It's morally wrong.

You don't suddenly have the right to use someone else's personal belongings as
you see fit just because they left a door or window unlocked.

~~~
rubatuga
What if the router was being unused? What if the power usage was minimal? I
think it is unethical not to utilize resources that are being wasted.

~~~
dymk
I hope your parents taught you to ask before invading somebody's personal
property.

Are you okay with XYZ Tech Company snooping on your private messages, emails,
or credit card transactions? The impact that you'd see would be minimal (aside
from more targeted ads, perhaps), and it's data which would otherwise be
"wasted" if nobody was mining it.

~~~
rubatuga
I hope your parents taught you that too, thanks. Anyways, no, it's not okay for
XYZ because they are invading the privacy of people's lives as a means to make
more money. In the other circumstance, you would be using unused resources,
not invading privacy, and contributing to projects such as Folding@home, which
hopes to solve hard protein folding problems in order to better humanity.

------
jothezero
The kind of subject I love...!!

------
gammateam
pwn: the second derivative of getting owned

------
degenerate
A much better, more thorough analysis, complete with affected router model
numbers, graphs, charts, and area affected map are at the source post:

[https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/](https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/)

~~~
mark-r
I think you just killed the site. I get a 504 error.

~~~
eikenberry
[https://web.archive.org/web/20181112153533/https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/](https://web.archive.org/web/20181112153533/https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/)

~~~
mark-r
Thanks for that! The usual Google cache wasn't working for me in this case.

------
SlowRobotAhead
Reminds me I haven’t updated my pfSense router in a while. Nor have I ever
heard about a flaw like this for them, as it were.

But also, can we stop with “pwns” in a serious website? Almost makes me think
the comment section would start with someone saying “First!”.

