» ISP News » 

Broadcom Based UPnP Using Broadband Routers Hit by Malware

Thursday, November 8th, 2018 (12:11 pm) - Score 2,793

Network security testers at 360 Netlab have identified a new botnet called “BCMPUPnP_Hunter,” which uses vulnerabilities in Broadcom’s implementation of the Universal Plug and Play (UPnP) protocol to hijack broadband ISP routers from manufactures like Billion, D-Link, TP-Link , ZyXEL etc.

At the time of writing it’s been suggested that around 100,000 routers could have already been compromised and many of those appear to be older kit, although some like the Billion BiPAC 7800NXL can still be found on sale today. Overall 116 routers have so far been identified as compromised and once that happens then the device is commandeered to help find more victims.

Most large botnets tend to be used for either Distributed Denial of Service (DDoS) style attacks against servers / websites or as huge email spamming networks. The 360 Netlab team suggest that BCMPUPnP_Hunter may well end up being used for the latter.

The biggest concern here is that this botnet has been able to install its malware on routers by exploiting a known vulnerability in the widely used UPnP protocol, which has existed since 2013 but was only made public in 2017 due to the sheer number of devices that use Broadcom’s vulnerable implementation.

360 Netlab Statement

UPnP is the acronym for Universal Plug and play, the Universal plug-in protocol. The goal of the agreement is to enable home networks (data sharing, communication and entertainment) and various devices in the corporate network to seamlessly connect with each other and simplify the implementation of related networks.

Broadcom UPnP is a concrete implementation of Broadcom’s response to the UPnP protocol. As Broadcom is in the industry upstream of the supply chain, the implementation is adopted by major router manufacturers, including Asus, D-link, Zyxel, US Robotics, TP-link, Netgear and so on.

In October 2013, security researchers at security research firm DefenseCode discovered the BroadCom UPnP format string vulnerability in the protocol stack . Considering that the vulnerability affects products from several major router vendors, DefenseCode did not disclose their findings until 2017.

The code disclosed this time is of a verification nature. An attacker must complete the necessary vulnerability analysis and optimize the shellcode process on the basis of a publicly available document before it can be of practical power.

Sadly many of the routers involved are no longer being supported (too old). Meanwhile users of those that are still being supported often don’t go actively seeking the latest firmware updates, which may need to be applied in order to deliver the proper protection.

Alternatively users with one of these routers should consider disabling UPnP, although in some cases this may stop some other connected devices or services from working (assuming they are dependent upon UPnP). Manual port forwarding can often be used to achieve the same result as UPnP but this can be quite complicated. Credits to The Register for spotting this.

List of Vulnerable Devices / Routers

ADB Broadband S.p.A, HomeStation ADSL Router
ADB Broadband, ADB ADSL Router
ALSiTEC, Broadcom ADSL Router
ASB, ADSL Router
ASB, ChinaNet EPON Router
ASB, ChinaTelecom E8C(EPON) Gateway
Actiontec, Actiontec GT784WN
Actiontec, Verizon ADSL Router
BEC Technologies Inc., Broadcom ADSL Router
Best IT World India Pvt. Ltd., 150M Wireless-N ADSL2+ Router
Best IT World India Pvt. Ltd., iB-WRA300N
Billion Electric Co., Ltd., ADSL2+ Firewall Router
Billion Electric Co., Ltd., BiPAC 7800NXL
Billion, BiPAC 7700N
Billion, BiPAC 7700N R2
Binatone Telecommunication, Broadcom LAN Router
Broadcom, ADSL Router
Broadcom, ADSL2+ 11n WiFi CPE
Broadcom, Broadcom Router
Broadcom, Broadcom ADSL Router
Broadcom, D-Link DSL-2640B
Broadcom, D-link ADSL Router
Broadcom, DLink ADSL Router
ClearAccess, Broadcom ADSL Router
Comtrend, AR-5383n
Comtrend, Broadcom ADSL Router
Comtrend, Comtrend single-chip ADSL router
D-Link Corporation., D-Link DSL-2640B
D-Link Corporation., D-Link DSL-2641B
D-Link Corporation., D-Link DSL-2740B
D-Link Corporation., D-Link DSL-2750B
D-Link Corporation., D-LinkDSL-2640B
D-Link Corporation., D-LinkDSL-2641B
D-Link Corporation., D-LinkDSL-2741B
D-Link Corporation., DSL-2640B
D-Link, ADSL 4*FE 11n Router
D-Link, D-Link ADSL Router
D-Link, D-Link DSL-2640U
D-Link, D-Link DSL-2730B
D-Link, D-Link DSL-2730U
D-Link, D-Link DSL-2750B
D-Link, D-Link DSL-2750U
D-Link, D-Link DSL-6751
D-Link, D-Link DSL2750U
D-Link, D-Link Router
D-Link, D-link ADSL Router
D-Link, DVA-G3672B-LTT Networks ADSL Router
DARE, Dare router
DLink, D-Link DSL-2730B
DLink, D-Link VDSL Router
DLink, DLink ADSL Router
DQ Technology, Inc., ADSL2+ 11n WiFi CPE
DQ Technology, Inc., Broadcom ADSL Router
DSL, ADSL Router
DareGlobal, D-Link ADSL Router
Digicom S.p.A., ADSL Wireless Modem/Router
Digicom S.p.A., RAW300C-T03
Dlink, D-Link DSL-225
Eltex, Broadcom ADSL Router
FiberHome, Broadcom ADSL Router
GWD, ChinaTelecom E8C(EPON) Gateway
Genew, Broadcom ADSL Router
INTEX, Wireless N 150 ADSL2+ Modem Router
INTEX, Wireless N 300 ADSL2+ Modem Router
ITI Ltd., ITI Ltd.ADSL2Plus Modem/Router
Inteno, Broadcom ADSL Router
Intercross, Broadcom ADSL Router
IskraTEL, Broadcom ADSL Router
Kasda, Broadcom ADSL Router
Link-One, Modem Roteador Wireless N ADSL2+ 150 Mbps
Linksys, Cisco X1000
Linksys, Cisco X3500
NB, DSL-2740B
NetComm Wireless Limited, NetComm ADSL2+ Wireless Router
NetComm, NetComm ADSL2+ Wireless Router
NetComm, NetComm WiFi Data and VoIP Gateway
Opticom, DSLink 485
Orcon, Genius
Raisecom, Broadcom ADSL Router
Ramptel, 300Mbps ADSL Wireless-N Router
Router, ADSL2+ Router
Star-Net, Broadcom ADSL Router
Starbridge Networks, Broadcom ADSL Router
TP-LINK Technologies Co., Ltd, 300Mbps Wireless N ADSL2+ Modem Router
TP-LINK Technologies Co., Ltd, 300Mbps Wireless N USB ADSL2+ Modem Router
TP-LINK, TP-LINK Wireless ADSL2+ Modem Router
TP-LINK, TP-LINK Wireless ADSL2+ Router
Technicolor, CenturyLink TR-064 v4.0
Tenda, Tenda ADSL2+ WIFI MODEM
Tenda, Tenda ADSL2+ WIFI Router
Tenda, Tenda Gateway
UTStarcom Inc., UTStarcom ADSL2+ Modem Router
UTStarcom Inc., UTStarcom ADSL2+ Modem/Wireless Router
UniqueNet Solutions, WLAN N300 ADSL2+ Modem Router
ZTE, Broadcom ADSL Router
ZTE, ONU Router
Zhone, Broadcom ADSL Router
Zhone, Zhone Wireless Gateway
Zoom, Zoom Adsl Modem/Router
ZyXEL, CenturyLink UPnP v1.0
ZyXEL, P-660HN-51
ZyXEL, ZyXEL xDSL Router
huaqin, HGU210 v3 Router
iBall Baton, iBall Baton 150M Wireless-N ADSL2+ Router
iiNet Limited, BudiiLite
iiNet, BoB2
iiNet, BoBLite

Leave a Comment
3 Responses
  1. Avatar StillWaitingForSuperfast

    Is disabling UPnP (followed by restarting the router) a fix for this? Or is it too late if your router has already been attacked?

    How can users tell if their router has been attacked?

    • Disabling UPnP is one way to stop your router being exposed to the aforementioned vulnerabilities, as also stated in the article above.

      As for your last question, at present there doesn’t seem to be a lot of detail on the infection itself and thus we don’t know. Code that has been designed to SPAM usually prefers to stay as invisible as possible.

  2. Avatar Jonny

    Is any more known about this yet?

Comments RSS Feed

Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Cheapest Superfast ISPs
  • Hyperoptic £19.95 (*22.00)
    Avg. Speed 50Mbps, Unlimited
    Gift: Promo Code: HYPER20
  • NOW TV £22.00 (*40.00)
    Avg. Speed 36Mbps, Unlimited
    Gift: None
  • SSE £22.00
    Avg. Speed 35Mbps, Unlimited
    Gift: None
  • xln telecom £22.74 (*47.94)
    Avg. Speed 66Mbps, Unlimited
    Gift: None
  • Vodafone £22.95
    Avg. Speed 35Mbps, Unlimited
    Gift: None
Prices inc. Line Rental | View All
The Top 20 Category Tags
  1. BT (2698)
  2. FTTP (2547)
  3. FTTC (1745)
  4. Building Digital UK (1685)
  5. Politics (1580)
  6. Openreach (1545)
  7. Business (1366)
  8. FTTH (1287)
  9. Statistics (1193)
  10. Mobile Broadband (1161)
  11. Fibre Optic (1037)
  12. 4G (1001)
  13. Wireless Internet (989)
  14. Ofcom Regulation (987)
  15. Virgin Media (963)
  16. EE (668)
  17. Sky Broadband (651)
  18. TalkTalk (634)
  19. Vodafone (629)
  20. 5G (464)
Helpful ISP Guides and Tips

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact