Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

New Spam Botnet Likely Infected 400,000 Devices

A newly discovered botnet that appears designed to send spam emails likely infected around 400,000 machines to date, 360 Netlab security researchers warn.

A newly discovered botnet that appears designed to send spam emails likely infected around 400,000 machines to date, 360 Netlab security researchers warn.

Dubbed BCMPUPnP_Hunter, the threat was observed mainly targeting routers that have the BroadCom UPnP feature enabled. The botnet emerged in September, but a multi-step interaction between the botnet and the potential target prevented the researchers from capturing a sample until last month.

The interaction, 360 Netlab explains, starts with tcp port 5431 destination scan, after which the malware checks the target’s UDP port 1900 and then waits for the proper vulnerable URL. After four other packet exchanges, the attacker finally figures out the shellcode’s execution start address in memory and delivers the proper exploit. 

Following a successful attack, a proxy network is implemented, to communicate with well-known mail servers such as Outlook, Hotmail, Yahoo! Mail, and others, most likely with the intent to engage in spam activities. 

Over the past month, the number of scanning source IPs has been constantly in the 100,000 range, though it also dropped below the 20,000 mark roughly two weeks ago. The scan activity picks up every 1-3 days, with around 100,000 scan source IPs involved in each scan event. 

Overall, the researchers registered over 3.37 million scan source IPs, but they believe this large number is the result of some devices changing their IP over time. 

By probing the scanners, 360 Netlab managed to obtain 116 different type of infected device information. The botnet is believed to have infected around 400,000 devices all around the world, with the highest concentration in India, the United States, and China.

The analyzed malware sample consists of a shellcode and the main body. The shellcode, apparently designed specifically to download the main sample and execute it, seems to have been created by a skilled developer, the researchers point out. 

The main sample includes an exploit for the BroadCom UPnP vulnerability, as well as the proxy access network module, and can parse four instruction codes from the command and control (C&C) server: an initial packet without practical functionality, and commands to search for vulnerable targets, to empty the current task, and to launch the proxy service.

The botnet, the researchers say, appears designed to proxy traffic to servers of well-known mail service providers. With connections only made over TCP port 25 (which is used by SMTP – Simple Mail Transfer Protocol), the researchers are confident the proxy network established by the botnet is abused for spam. 

Related: Shellbot Botnet Targets Linux, Android Devices

Related: ‘DemonBot’ Botnet Targets Hadoop Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Less than a week after patching critical security defects affecting multiple enterprise-facing products, VMware is warning that one of the flaws is being exploited...