BCMPUPnP_Hunter Botnet infected 400k routers to turn them in email spammers

Pierluigi Paganini November 09, 2018

Security researchers at 360 Netlab have discovered a new spam botnet, dubbed BCMPUPnP_Hunter, that likely already infected around 400,000 machines to date.

Security experts from 360 Netlab security firm have recently discovered a new spam botnet, dubbed BCMPUPnP_Hunter, that mainly targets routers that have the BroadCom UPnP feature enabled.

The BCMPUPnP_Hunter was first spotted in September, but researchers were able to capture the first sample only a month later.

Experts pointed out that the interaction between the botnet and the potential target takes multiple steps, it starts with tcp port 5431 destination scan-

“it starts with tcp port 5431 destination scan, then moving on to check target’s UDP port 1900 and wait for the target to send the proper vulnerable URL.” reads the analysis published by 360 Netlab.

“After getting the proper URL, it takes another 4 packet exchanges for the attacker to figure out where the shellcode’s execution start address in memory is so a right exploit payload can be crafted and fed to the target.”

Experts noticed that the amount of infection is very large, the number of active scanning IP in each scan event is about 100,000.

Once the device is compromised, the attacker implements a proxy network (tcp-proxy) that communicates with well-known mail servers such as Outlook, Hotmail, Yahoo! Mail, etc. This circumstance suggests the botnet may have been involved in spam campaigns.

Below some findings shared by the experts:

  • It can be seen that the scan activity picks up every 1-3 days. The number of active scanning IP in each single event is about 100,000
  • All together we have 3.37 million unique scan source IPs. It is a big number, but it is likely that the IPs of the same infected devices just changed over time.
  • The number of potential infections may reach 400,000 according to Shodan  based on the search of banner: Server: Custom/1.0 UPnP/1.0 Proc/Ver

The geographical distribution for the scanner IPs in the last 7 days revealed that most of the infected devices are in India, the United States, and China.


The experts probed the scanners and discovered at least 116 different type of infected device information.

The malware sample analyzed by the experts is composed of the main body and a shellcode that is apparently designed specifically to download the main sample and execute it.

“The main function of shellcode is to download the main sample from C2( and execute it.” continues the analysis.

“The shellcode has a full length of 432 bytes, very neatly organized and written, some proofs below (We did not find similar code using search engines). It seems that the author has profound skills and is not a typical script kid:”

The main sample includes an exploit for the BroadCom UPnP vulnerability and the proxy access network module. The main sample can parse four instruction codes from C2, enable the port scan, search for a potentially vulnerable target, empty current task, access proxy network.

The botnet was likely designed to proxy traffic to servers of well-known mail service providers. The researchers believe the proxy network established by the botnet is abused for spam due to the connections only made over TCP port 25.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – BCMPUPnP_Hunter botnet, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment