A five-year-old bug has been used to infect more than 100,000 routers and turn them into spam senders


Blexfraptor

A botnet is a network of devices that have been compromised through a vulnerability or a weak password and are then used together to carry out attacks (usually DDoS). An attacker has now built one out of routers by exploiting a vulnerability that is five years old.

A botnet has exploited a single vulnerability to infect 116 router models
The botnet was discovered in September by researchers at Netlab, the network security lab of the Chinese company Qihoo 360. According to them, the attacker has been using it to send spam email.

The vulnerability it exploits was disclosed in 2013 and lies in the Broadcom UPnP SDK. That SDK ships in a large number of routers, and the flaw lets an attacker execute code remotely on the router without any authentication, which makes it one of the worst kinds of vulnerability an Internet-connected device can have.

BCMUPnP_Hunter, as the botnet has been nicknamed, is not the first to take advantage of this vulnerability, but it is the first built on newly written source code. Many IoT botnets reuse existing code, Mirai's in particular, whereas the researchers had never seen anything like this code before. In total they found 116 different affected router models, most of them ADSL routers, although some fibre models are also on the list.

[Image: list of affected router models (routers-afectados-483x500.png)]

The major email services, the target of the spam
Infection is a multi-step process. One of the botnet's components acts as a proxy that connects to the mail servers of services such as Outlook, Hotmail and Yahoo! Mail. This is why the researchers believe the botnet is used to send spam to thousands of email addresses.

[Image: mail servers targeted through the bots' proxy component (proxy_target-1.png)]

The number of infected routers has grown sharply in recent months and could reach 400,000. In total the researchers collected 3.37 million scanning source IP addresses, but because home routers' addresses change constantly, they believe the number of actually infected devices is considerably lower. Each scan probes TCP port 5431 first (the port on which the Broadcom UPnP service listens) and then UDP port 1900 (SSDP, the discovery protocol of UPnP).

As for a fix, Broadcom has said nothing about one. The most affected countries are China, India and the United States, but there are infected devices all over the world, because so many routers use the UPnP implementation developed by Broadcom. UPnP stands for Universal Plug and Play; it lets devices on the same local network discover and configure each other. Broadcom's implementation is one of many, but since Broadcom is one of the world's main suppliers of router components, it is present in routers from ASUS, D-Link, Zyxel, ZTE, TP-Link, Netgear and others. In practice the routers at risk are those that expose the UPnP service on the Internet-facing side, so the useful check is to confirm from outside your network that TCP 5431 and UDP 1900 are not reachable, and to disable UPnP on the WAN interface if they are.
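The two-step scan described above (TCP 5431 first, then UDP 1900) is a recognisable pattern in flow logs. The following detector is an added example written for this post; it is not part of the original article and not Netlab's own tooling. It assumes a simple one-record-per-line flow format ("epoch src dst proto dport"), and it interprets the scan as a TCP/5431 probe followed within 60 seconds by a UDP/1900 packet to the same destination; both the format and that window are assumptions, and the sample log is constructed, not real traffic.

```python
"""Flag BCMUPnP_Hunter-style scanners in flow records.

Added example, not from the original article or from Netlab. The flow format
(one record per line: "epoch src dst proto dport") is an assumption, and so
is the pairing rule: a TCP/5431 probe followed within `window` seconds by a
UDP/1900 packet to the same destination.
"""
from collections import defaultdict

# Constructed sample flow log (not real traffic). It contains one source that
# matches the scan pattern, one that only sends SSDP, one that only probes
# TCP/5431, and one whose UDP/1900 follow-up is too late to count.
SAMPLE_FLOWS = """\
1541930001 203.0.113.10 198.51.100.1 tcp 5431
1541930001 203.0.113.10 198.51.100.2 tcp 5431
1541930002 203.0.113.10 198.51.100.3 tcp 5431
1541930005 203.0.113.10 198.51.100.1 udp 1900
1541930006 203.0.113.10 198.51.100.3 udp 1900
1541930010 192.0.2.7 198.51.100.9 udp 1900
1541930011 192.0.2.8 198.51.100.9 tcp 5431
1541930020 198.51.100.77 198.51.100.1 tcp 5431
1541930021 198.51.100.77 198.51.100.5 tcp 5431
1541930300 198.51.100.77 198.51.100.1 udp 1900
"""


def parse_flows(text):
    """Parse the assumed flow format into (ts, src, dst, proto, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        records.append((int(ts), src, dst, proto.lower(), int(dport)))
    return records


def find_upnp_hunters(records, window=60, min_targets=2):
    """Return {src: (hosts probed on TCP/5431, hosts then hit on UDP/1900)}.

    A source is reported when at least `min_targets` destinations received a
    TCP/5431 probe followed within `window` seconds by a UDP/1900 packet from
    the same source. Sources that only send SSDP, or only touch 5431, or
    whose UDP/1900 packet arrives outside the window, are not reported.
    """
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport in records:
        by_src[src].append((ts, dst, proto, dport))

    hits = {}
    for src, flows in by_src.items():
        flows.sort()  # chronological order so the TCP probe is seen first
        tcp_seen = {}  # dst -> time of the first TCP/5431 probe
        followups = set()
        for ts, dst, proto, dport in flows:
            if proto == "tcp" and dport == 5431:
                tcp_seen.setdefault(dst, ts)
            elif proto == "udp" and dport == 1900 and dst in tcp_seen:
                if 0 <= ts - tcp_seen[dst] <= window:
                    followups.add(dst)
        if len(followups) >= min_targets:
            hits[src] = (len(tcp_seen), len(followups))
    return hits


if __name__ == "__main__":
    for src, (probed, confirmed) in find_upnp_hunters(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: probed TCP/5431 on {probed} hosts, followed up UDP/1900 on {confirmed}")
```

Run against the constructed log, only 203.0.113.10 is reported; 198.51.100.77 is not, because its UDP/1900 packet arrives minutes after the TCP probe. Tune `window` and `min_targets` to the size of the network being watched: on a large edge, raising `min_targets` keeps a single benign SSDP client from being flagged after one unrelated connection to port 5431.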
