Threat Watch

New Botnet Infects 100,000 Routers

BCMUPnP_Hunter is a new botnet of roughly 100,000 routers that was first seen in September of this year exploiting a well-known, five-year-old vulnerability. The flaw resides in the Broadcom UPnP SDK, a software component embedded in thousands of router models from multiple vendors. According to researchers, the vulnerability “allows an attacker to execute malicious code on a remote vulnerable router without needing to authenticate, and it’s the worst kind of vulnerability that exists in the world of Internet-connected devices.” Researchers have watched the botnet grow over the past two months, with scans originating from more than 3.37 million IPs; the number of active devices on any given day is currently around 100,000. Infected devices are spread around the globe, but the main concentrations are in China, India, and the US.

BCMUPnP_Hunter differs from most botnets in the wild. Once it completes its multi-stage infection process and gains a foothold on a device, it uses that device to scan for further vulnerable routers. A secondary function turns the infected routers into proxy nodes that relay connections from the operators to remote IPs. At the time of writing, the botnet has been seen connecting to IPs owned by webmail services including Hotmail, Outlook, and Yahoo. Since all of those connections are made to TCP port 25, the researchers believe the botnet “herders” are covertly sending “spam waves from behind the botnet’s cloak of ever-shifting proxies.”
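The proxy behaviour described above leaves a recognisable trace in outbound firewall or NetFlow logs: one internal address, the router itself, opening SMTP (TCP/25) connections to many distinct destinations in a short window, even though nothing on a home network should be sending mail directly. The script below is an added example, not code from the original article or from the researchers who reported the botnet. The log line format, the sample log lines (using documentation-range addresses), the gateway address 192.168.1.1, and the threshold of three distinct SMTP destinations within ten minutes are all assumptions constructed for this illustration; real logs need their own parser and thresholds tuned to the network.

```python
"""Flag internal hosts that behave like outbound SMTP relays in firewall logs.

Assumed (constructed) log format, one connection per line:
    <ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example; not real traffic.
# 192.168.1.1 (assumed gateway) fans out to six SMTP destinations in 12 seconds,
# 192.168.1.23 makes a single SMTP connection, and one denied attempt is ignored.
SAMPLE_LOG = """\
2000-01-01T10:00:01 192.168.1.1:40211 -> 203.0.113.1:25 tcp allow
2000-01-01T10:00:03 192.168.1.1:40212 -> 203.0.113.2:25 tcp allow
2000-01-01T10:00:05 192.168.1.1:40213 -> 198.51.100.7:25 tcp allow
2000-01-01T10:00:07 192.168.1.1:40214 -> 198.51.100.8:25 tcp allow
2000-01-01T10:00:09 192.168.1.1:40215 -> 203.0.113.3:25 tcp allow
2000-01-01T10:00:10 192.168.1.23:51000 -> 198.51.100.20:443 tcp allow
2000-01-01T10:00:12 192.168.1.23:51001 -> 203.0.113.9:25 tcp allow
2000-01-01T10:00:13 192.168.1.1:40216 -> 203.0.113.10:25 tcp allow
2000-01-01T10:00:14 192.168.1.1:40217 -> 203.0.113.11:587 tcp allow
2000-01-01T10:00:15 192.168.1.1:40218 -> 203.0.113.12:25 tcp deny
"""

GATEWAY_IP = "192.168.1.1"  # assumed address of the home router

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; lines not matching the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]),
            "proto": d["proto"],
            "action": d["action"],
        })
    return events


def find_smtp_relays(events, window=timedelta(minutes=10), min_destinations=3):
    """Return {src_ip: sorted distinct SMTP destinations} for every source that
    opened allowed TCP/25 connections to at least `min_destinations` distinct
    hosts inside some `window`-long span of time."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == 25 and e["action"] == "allow":
            by_src[e["src"]].append(e)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        flagged = set()
        start = 0
        # Sliding window over time-ordered events: advance `start` until the
        # span [start, end] fits inside `window`, then count distinct targets.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            dsts = {e["dst"] for e in evs[start:end + 1]}
            if len(dsts) >= min_destinations:
                flagged |= dsts
        if flagged:
            hits[src] = sorted(flagged)
    return hits


def classify(hits, gateway=GATEWAY_IP):
    """Label each flagged source: the router itself relaying is the pattern
    described for BCMUPnP_Hunter; any other host is a separate concern."""
    return {
        src: "router acting as SMTP proxy" if src == gateway else "internal host sending SMTP"
        for src in hits
    }


if __name__ == "__main__":
    found = find_smtp_relays(parse_log(SAMPLE_LOG))
    for src, label in classify(found).items():
        print(f"{src}: {label} ({len(found[src])} distinct SMTP destinations)")
```

A home router that originates SMTP connections to many unrelated mail servers is the signal to act on here; legitimate mail clients on the LAN typically talk to one submission server, usually on port 587 or 465, not to dozens of MX hosts on port 25.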


Although usually forgotten, home routers should be checked periodically for critical software updates. They are an attractive target for attackers because of slow update cycles and, often, a lack of support or updates from vendors. If no update is available, consider calling or emailing the vendor’s support to ask whether and when a fix can be expected.