Botnet infects over 400k routers for spam campaign

Security investigators have discovered a new spam botnet; they calculate that the number of infected devices is close to half a million

Researchers from a cybersecurity and digital forensics firm have recently discovered a new spam botnet, called BCMPUPnP_Hunter, which primarily attacks routers that have the BroadCom UPnP function enabled.

BCMPUPnP_Hunter was first seen last September; in mid-October, the researchers managed to collect the first samples of this botnet.

Digital forensics experts noted that the interaction between the botnet and the potential victim takes several steps to complete, starting with a scan of TCP port 5431 on the target.

“After scanning, verification is made of the UDP 1900 port of destination and the target is expected to send the appropriate vulnerable URL”, mentions the security report published by the specialists. “After getting the correct URL, it takes another 4 packet exchanges for the attacker to find out where the Shellcode execution start address is in memory so that the exploit payload can be created and sent to the target.”

Experts noted that the extent of the infection is very large; the number of IP addresses found is approximately 100k in each analysis.

Once the attacked device is compromised, the attacker sets up a proxy network (TCP-proxy) that communicates with widely used mail servers such as Outlook, Hotmail, Yahoo! Mail, etc. This suggests that the botnet may have been involved in spam campaigns.

The geographic distribution of the scanned IP addresses over the last 7 days revealed that most of the infected devices are found in India, the United States and China.


Digital forensics experts tested the scanners and discovered at least 116 different types of infected devices.

According to reports from the International Institute of Cyber Security, the malware sample analyzed by the experts is composed of a main body and shellcode that is apparently designed specifically to download the main sample and run it.

“The main function of the shellcode is to download the main sample of C2 ( and execute it”, the analysis continues.

“Shell code has a total length of 432 bytes, very well organized and written. It seems that the authors have advanced hacking skills, they are not amateur hackers.”

The main sample includes an exploit for the BroadCom UPnP vulnerability and the proxy access network module. It handles four C2 instruction codes: enable port scanning, find a potentially vulnerable target, empty the concurrent task, and access the proxy network.

The botnet was probably designed to send traffic to the servers of well-known mail service providers. Researchers believe that the proxy network established by the botnet is used for spam because its connections are made only through TCP port 25.
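The network behaviour described in this article (a TCP 5431 probe followed by a UDP 1900 check, then outbound TCP port 25 traffic from the device) can be turned into a flow-log check for defenders. The following Python is an added example, not code from the researchers' report; the flow-record layout, the monitored address range, the mail-server allowlist and the 60-second window are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: (timestamp, src_ip, dst_ip, protocol, dst_port)
FLOWS = [
    (100, "203.0.113.7", "198.51.100.20", "tcp", 5431),
    (101, "203.0.113.7", "198.51.100.20", "udp", 1900),
    (102, "203.0.113.9", "198.51.100.21", "tcp", 5431),
    (200, "198.51.100.20", "192.0.2.25", "tcp", 25),
    (201, "198.51.100.20", "192.0.2.26", "tcp", 25),
    (202, "198.51.100.30", "192.0.2.25", "tcp", 25),
    (203, "198.51.100.21", "192.0.2.80", "tcp", 443),
]
OUR_NET = ipaddress.ip_network("198.51.100.0/24")  # assumption: range we monitor
MAIL_SERVERS = {"198.51.100.30"}  # assumption: hosts allowed to send SMTP out
WINDOW = 60  # assumption: max seconds between the TCP probe and the UDP check

def is_ours(ip):
    return ipaddress.ip_address(ip) in OUR_NET

def analyze(flows):
    """Return {monitored_ip: set of findings} for the article's traffic pattern."""
    last_probe = {}  # (external src, our dst) -> time of last TCP 5431 probe
    findings = defaultdict(set)
    for ts, src, dst, proto, port in sorted(flows):
        inbound = is_ours(dst) and not is_ours(src)
        outbound = is_ours(src) and not is_ours(dst)
        if inbound and proto == "tcp" and port == 5431:
            last_probe[(src, dst)] = ts
            findings[dst].add("tcp5431_probe")
        elif inbound and proto == "udp" and port == 1900:
            # Only interesting when the same source probed TCP 5431 just before.
            if ts - last_probe.get((src, dst), -WINDOW - 1) <= WINDOW:
                findings[dst].add("probe_then_udp1900")
        elif outbound and proto == "tcp" and port == 25:
            if src not in MAIL_SERVERS:
                findings[src].add("smtp_from_non_mail_host")
    return dict(findings)

def likely_compromised(flows):
    """Devices that were probed in sequence and later opened TCP 25 outbound."""
    need = {"probe_then_udp1900", "smtp_from_non_mail_host"}
    return sorted(ip for ip, f in analyze(flows).items() if need <= f)

if __name__ == "__main__":
    for ip, f in sorted(analyze(FLOWS).items()):
        print(ip, sorted(f))
    print("review first:", likely_compromised(FLOWS))
```

A device that only shows `tcp5431_probe` has been scanned but not necessarily infected; closing TCP 5431 and UDP 1900 on the WAN side removes the exposure the article describes.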