New Spam Botnet Likely Infected 400,000 Devices

A newly discovered botnet that appears designed to send spam emails likely infected around 400,000 machines to date, 360 Netlab security researchers warn.

Dubbed BCMPUPnP_Hunter, the threat was observed mainly targeting routers that have the Broadcom UPnP feature enabled. The botnet emerged in September, but a multi-step interaction between the botnet and the potential target prevented the researchers from capturing a sample until last month.

The interaction, 360 Netlab explains, starts with a scan of destination TCP port 5431, after which the malware checks the target’s UDP port 1900 and then waits for the proper vulnerable URL. After four other packet exchanges, the attacker finally figures out the shellcode’s execution start address in memory and delivers the proper exploit.

Following a successful attack, a proxy network is implemented, to communicate with well-known mail servers such as Outlook, Hotmail, Yahoo! Mail, and others, most likely with the intent to engage in spam activities. 

Over the past month, the number of scanning source IPs has been constantly in the 100,000 range, though it also dropped below the 20,000 mark roughly two weeks ago. The scan activity picks up every 1-3 days, with around 100,000 scan source IPs involved in each scan event. 

Overall, the researchers registered over 3.37 million scan source IPs, but they believe this large number is the result of some devices changing their IP over time. 

By probing the scanners, 360 Netlab managed to obtain information on 116 different types of infected device. The botnet is believed to have infected around 400,000 devices all around the world, with the highest concentration in India, the United States, and China.

The analyzed malware sample consists of a shellcode and the main body. The shellcode, apparently designed specifically to download the main sample and execute it, seems to have been created by a skilled developer, the researchers point out. 


The main sample includes an exploit for the Broadcom UPnP vulnerability, as well as the proxy access network module, and can parse four instruction codes from the command and control (C&C) server: an initial packet without practical functionality, and commands to search for vulnerable targets, to empty the current task, and to launch the proxy service.

The botnet, the researchers say, appears designed to proxy traffic to servers of well-known mail service providers. With connections only made over TCP port 25 (which is used by SMTP – Simple Mail Transfer Protocol), the researchers are confident the proxy network established by the botnet is abused for spam. 
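The two observable traits the article describes, the TCP 5431 / UDP 1900 probe sequence used to find vulnerable routers and the outbound TCP 25 fan-out once a device is proxying spam, are easy to turn into a simple detection check over connection logs. The following is an added example written for this page, not code from SecurityWeek or 360 Netlab; the log format, the sample lines and the fan-out threshold are all constructed assumptions.

```python
"""
Flag source hosts whose connection log shows the BCMPUPnP_Hunter-style
behaviour described in the article:
  1. a TCP probe to port 5431 followed by a UDP probe to port 1900 (SSDP), and/or
  2. outbound TCP 25 (SMTP) to several distinct destinations (spam proxying).
The log line format "<timestamp> <src_ip> <dst_ip> <proto> <dst_port>" is an
assumption made for this example; the sample lines below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Ports named in the article: TCP 5431 (Broadcom UPnP), UDP 1900 (SSDP), TCP 25 (SMTP).
UPNP_TCP_PORT = 5431
SSDP_UDP_PORT = 1900
SMTP_TCP_PORT = 25

# Constructed sample log: 10.0.0.5 probes a router and then fans out over SMTP;
# 10.0.0.9 makes a single legitimate-looking SMTP connection; 10.0.0.12 only
# sends an SSDP discovery packet, which ordinary UPnP clients also do.
SAMPLE_LOG = """\
2018-11-07T10:00:01 10.0.0.5 198.51.100.20 tcp 5431
2018-11-07T10:00:02 10.0.0.5 198.51.100.20 udp 1900
2018-11-07T10:00:03 10.0.0.5 198.51.100.20 tcp 5431
2018-11-07T10:05:00 10.0.0.5 203.0.113.25 tcp 25
2018-11-07T10:05:01 10.0.0.5 203.0.113.26 tcp 25
2018-11-07T10:00:05 10.0.0.9 198.51.100.40 tcp 443
2018-11-07T10:00:06 10.0.0.9 198.51.100.40 tcp 25
2018-11-07T10:00:07 10.0.0.12 198.51.100.50 udp 1900
this line is malformed and must be skipped
"""


@dataclass
class HostActivity:
    """Per-source counters for the three ports of interest."""
    tcp_5431: int = 0
    udp_1900: int = 0
    smtp_destinations: set = field(default_factory=set)


def parse_line(line):
    """Parse one log line into (src_ip, dst_ip, proto, dst_port); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, src, dst, proto, port = parts
    try:
        return src, dst, proto.lower(), int(port)
    except ValueError:
        return None


def analyze(log_text, smtp_fanout_threshold=2):
    """
    Group events per source IP and return {src_ip: [verdicts]} for hosts that
    match either pattern. The fan-out threshold is an assumed tuning knob;
    a real deployment would set it from a baseline of normal SMTP activity.
    """
    hosts = defaultdict(HostActivity)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate garbage rather than abort the whole run
        src, dst, proto, port = rec
        h = hosts[src]
        if proto == "tcp" and port == UPNP_TCP_PORT:
            h.tcp_5431 += 1
        elif proto == "udp" and port == SSDP_UDP_PORT:
            h.udp_1900 += 1
        elif proto == "tcp" and port == SMTP_TCP_PORT:
            h.smtp_destinations.add(dst)

    findings = {}
    for src, h in hosts.items():
        verdicts = []
        # Only the combination is suspicious: UDP 1900 alone is normal SSDP discovery.
        if h.tcp_5431 and h.udp_1900:
            verdicts.append("upnp-probe-sequence")
        if len(h.smtp_destinations) >= smtp_fanout_threshold:
            verdicts.append("smtp-fanout")
        if verdicts:
            findings[src] = verdicts
    return findings


if __name__ == "__main__":
    for ip, verdicts in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(verdicts))
```

A host that trips only the probe check is a candidate scanner (an already-infected device hunting for more routers); one that trips only the SMTP fan-out check may be a mail server or a spam relay, so the two verdicts are reported separately rather than merged into one score.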

Related: Shellbot Botnet Targets Linux, Android Devices

Related: ‘DemonBot’ Botnet Targets Hadoop Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
