It's 2017, and UPnP is helping black-hats run banking malware

Another banking malware variant has been spotted in the wild, and it's using UPnP to pop home routers to expose unsuspecting home users, recruited as part of the botnet. McAfee Labs says the new campaign uses a variant of the ancient “Pinkslipbot”, and says it uses Universal Plug'n'Play (UPnP) to open ports through home …

  1. Ole Juul

    Who uses UPnP?

    I haven't found a use for it and it's not been available on this lan for as long as I remember. My VoIP doesn't complain, nothing does.

    1. Field Commander A9

      Re: Who uses UPnP?

      Meanwhile for the rest of the world, p2p protocols are still the main method of obtaining large chunks of data.

      1. Dan 55 Silver badge

        Re: Who uses UPnP?

        You can't assign ten ports to each device on the network without UPnP?

    2. bombastic bob Silver badge

      Re: Who uses UPnP?

      most people STILL do not know to turn that @#$% off. So it remains on. Nice security crater!

    3. Brenda McViking

      Re: Who uses UPnP?

      As recently as last year, running 2x Xbox Ones with 2 players on a home wireless required UPnP to allow them to work properly with group chat running alongside multiplayer online gaming. It also required that it was implemented properly on the router; most of the cheap ISP-provided ones wouldn't work due to poor UPnP implementations, and my housemate switched ISP twice to get it working properly.

      But I'd be the first to admit that sort of setup isn't applicable to 99% of users, but you wanted an example...

      1. joed

        Re: Who uses UPnP?

        "my housemate switched ISP twice to get it working properly" - there's your problem. In the States we have no such dilemma. Running 2x Xbox Ones - root cause. Now, I can bet that black-hats would not even want to touch my slow a.. broadband with disabled UPnP and unreliable wireless on a meager Windows tablet. Security through marginality.

      2. Kiwi

        Re: Who uses UPnP?

        Running 2x Xbox Ones with 2 players on a home wireless required UPnP to allow them to work properly

        The flaw isn't UPnP in this case. The flaw is MS yet again requiring a serious reduction in security for their crap to "work properly". Now if it'd been the first gaming console that might be OK, way back then we didn't see UPnP for the hole it has become. But by the time XBONE came out, UPnP was well and truly known to be a problem. MS have no excuse.

    4. Anonymous Coward

      Re: Who uses UPnP?

      Try having a household with 5 active users each with several devices connected, then TV, DVD, 3G phone signal booster, VOIP with several handsets...all without UPnP. I'd never do anything but frig around with port forwarding, not only that, but for example if you use Skype or a VOIP provider on multiple devices my very decent router (Fritz) nevertheless does not allow more than one port-forwarding rule per application since it binds that application to a specific named device - that's nice and secure but very limited in my situation.

      I try and counter risks by ensuring that I use a good security suite at least on the PC/laptops which block unknown traffic, in or out. Not sure what I can do with smartphones and other devices though in terms of firewalling.

      1. Kiwi

        Re: Who uses UPnP?

        Try having a household with 5 active users each with several devices connected, then TV, DVD, 3G phone signal booster, VOIP with several handsets...all without UPnP. I'd never do anything but frig around with port forwarding, not only that, but for example if you use Skype or a VOIP provider on multiple devices my very decent router (Fritz) nevertheless does not allow more than one port-forwarding rule per application since it binds that application to a specific named device - that's nice and secure but very limited in my situation.

        I'd be interested in the 3g booster.

        As to the rest, when we started our shop and made use of Skype as one of our contact options we never had trouble with that. Initially we had a mere consumer-grade router on ADSL (later VDSL), though I did build a machine that sat behind that for firewall and DHCP. So the machines would have their internal network address, then go to the firewall which would NAT the traffic and pass it through to the router (also NAT). The firewall fed 2 separate LANs, one for machines we expected to be infected/had doubts about and the other for machines we knew were clean.

        We never had a problem with stuff needing UPnP. And we each had our own Skype account PLUS the shop's Skype account - so that shop account was on 2 computers and 2 smartphones (so when a call came in whoever got to it first answered it; this was before MS started killing it). And we have had at least a dozen customer machines + our 4 devices (each of our devices had 2 accounts; the shop one plus the personal one), plus all the other stuff that these machines had.

        Never once had a problem.

        Did often stream the cricket (especially during the world cup - quite funny having a game less than 20 k away but we were getting a stream from a server in India that was fed by a UK source; I never saw anything to suggest shenanigans, HONEST!).

        So we didn't have "5 active users", but on average at least half a dozen customers' machines (with network space for up to 24 but desk space for about 15) constantly changing, our own machines and phones, and 4 test/scan/transfer machines (open desktop machines we could plug HDDs into for scanning purposes when our PXE boot and CDs wouldn't run on their machine for whatever reason, or used for data transfers, e.g. laptop getting a new disk or data recovery etc). Oh, the lunch room had a media machine (old laptop) that was a music server, controlled via some app on our phones. Oh, and a file/TFTP boot server as well (made life easy being able to netboot a huge number of tools, AV, and a few Linux versions as well, even Windows install media).

        Only port forwarding I did was for the web and email server when we got VDSL, which I brought in-house and hung off another port on the router. The only thing I did with UPnP was make sure it was OFF.

        Never once had an issue. None of the customer machines had trouble finding Skype (and some even got calls or txts), never had trouble with the billion individual program updaters on each PC ('cept when we had a bit much going on for the incoming internet feed), even did a couple of LAN parties there (yes, they've happened in the last few years!), one with us and our allies (local suppliers etc) against another group in Auckland (once we had VDSL incoming). 6 or 7 machines on my end, all happily playing Generals and ... I just cannot recall what the other game was, sniper-type but we did it total free-for-all, and it wasn't Renegade. That one I spent more time watching because I'm crap at FPS!

        So no, we did not need UPnP and had a far more complex setup than you. And the port forwarding was set once, but if I needed to modify it for something else it would've been done once per device.

        As to the one rule per application, can you do custom applications on it?

        TL;DR: I ran a computer shop with a vastly more complex set of constantly changing machines, never had issues with UPnP being firmly turned OFF.

  2. John Smith 19 Gold badge

    So why US only?

    Americans have statistically worse home security?

    Americans have (on average) faster broadband?

    Americans have more potential credit to harvest?

    But UPnP? I'd heard some gamers needed it back in the day, but now?

    As always, if you don't need it why is it on? If you do need it why is it accessible from the far side of your router?

    1. Phil Kingston

      Re: So why US only?

      "So why US only?"

      First thought - the bad guys behind the malware are targeting Americans either for political reasons or because the malware they're trying to get running specifically targets American banks and their account holders.

    2. Anonymous Coward

      Re: So why US only?

      As a UK user, I'm not complaining :)

    3. Pascal Monett Silver badge

      Re: Americans have (on average) faster broadband?

      Um, no they don't. Check out the OECD report and scroll down to the Speeds section (5.5 actual speeds).

      The downloadable spreadsheet indicates the US in 10th (out of 34) position (with 10.513), behind Korea (23.6), Japan (14.6), etc.

      1. Charles 9

        Re: Americans have (on average) faster broadband?

        Yeah, but how many ahead of the US have comparable land mass and thus comparable infrastructure burdens? All the countries ahead of the US are smaller and/or (particularly the Scandinavian countries) have concentrated populations. Both make rollouts a lot easier whereas the US has to maintain cross-country rollouts across vast rural tracts and mountains to prevent weak links.

      2. John Smith 19 Gold badge

        "The downloadable spreadsheet indicates the US in 10th (out of 34)"

        So not the broadband speed.

        Guess that leaves the other options.

    4. Manolo

      Re: So why US only?

      Because American banks have not yet implemented 2FA on a big scale, whereas European banks mostly have?

      I was in Canada last summer and our host was puzzled when our 2FA thingamajigs came out when banking. All that's needed to clean out his bank account is username and password.

  3. Planty Bronze badge

    Is it fail Monday?

    This is nothing to do with UPnP. The exploit occurred the moment they ran the malicious code, not when the malicious code opened ports to download other code....

    1. Dan 55 Silver badge

      Re: Is it fail Monday?

      It is pretty much to do with UPnP, a protocol that lets any program on any device punch holes in the firewall with no authentication or feedback.

      1. Wayland

        Re: Is it fail Monday?

        Any device inside a home LAN can punch through the firewall without UPnP. A home firewall is an incoming firewall only; the outgoing is totally open. UPnP is handy but not essential to do this.

    2. Pen-y-gors

      Re: Is it fail Monday?

      Downvotes a bit unfair. It's something to do with UPnP, but it can only work if some other flaw allows the malware onto the machine in the first place.

      Blaming UPnP is a bit like blaming the goalie whenever he lets a goal in - they had to get past 10 other players first!

      1. Anonymous Coward

        Re: Is it fail Monday?

        Yes, if the goalkeeper just steps aside and lets the ball in, just because the attacker politely asked.

        A "defense in depth" approach means you need several layers to work to limit an infection. The firewall is one of these layers. It is made useless because anybody can open a hole without any approval or warning.

        There will always be events when other defenses will be bypassed. You'll need the remaining ones to be able to cope with the attack.

  4. DropBear

    Funny, I could have sworn it was "ConFIcker"...

  5. FlamingDeath Silver badge

    UPnP != security

    Those that have said that this story has nothing to do with UPnP are correct, it is behaving as it was designed, it receives a request from a device on the LAN to port forward a port to it, which it trusts without question.

    Side note: The service port 1900 has been known to be left exposed to the WAN, even for some of the "better routers" - source: http://www.draytek.co.uk/support/downloads/vigor-2860/older-firmware/firmware-3844/send/456-3844/821-readme-v2860

    If the router has UPnP on as default, which thankfully Draytek do not appear to do, and its implementation has been borked, such as the case with the above firmware release notes, the ramifications of this should be self-explanatory: effectively there would be no distinction between internal LAN and external WAN. You might as well be on the DMZ (but any device!)

    Who to blame in this story?

    UPnP, for all its security-lacking faults...

    Or the user for not turning it off, and running malicious code...

  6. handleoclast

    Universal Plug 'n' Pwn

    Title says it all.

    Then again, looking at the people saying "yeah, but you have to exploit a local app first, so it's not UPnP's fault." You're wrong.

    If UPnP is disabled then an exploited app can't do an ET and phone home as easily. There are still ways it can communicate, but they're more work.

    And for the guy who said firewalls are inbound only, that applies to routers. Sensible firewalls on hosts also limit outbound traffic. Very sensible firewalls (it pains me to say this, but in this respect I have to classify Microsoft's firewall as very sensible) restrict outbound traffic based on the app initiating it. Makes it that much harder for ET to phone home if only Edge and IE are permitted to initiate traffic to port 80.

    1. Nick Ryan Silver badge

      Re: Universal Plug 'n' Pwn

      Makes it that much harder for ET to phone home if only Edge and IE are permitted to initiate traffic to port 80.

      Until you get to the most incredibly non-sensible security disaster by design that's svchost.exe. Good luck filtering by application when stupidity such as this is provided as a core part of an operating system.

  7. EnviableOne

    SUPnP

    time for a secure version?

    verified port mapping sends a permission request to the originating machine or dedicated management machine, handled in OS to generate a security request for "Program X" (identified by outgoing port) on Machine Y to talk to Internet (on ports)?

    1. Kiwi

      Re: SUPnP

      verified port mapping sends a permission request to the originating machine or dedicated management machine, handled in OS to generate a security request for "Program X" (identified by outgoing port) on Machine Y to talk to Internet (on ports)?

      Sadly that'd work as well as UAC - not a problem in itself but failed due to users "click whatever makes the box go away without reading the text" or "I don't know what this is so I'll click 'allow'".

      Hopefully the GWX fiasco may've helped teach users to read stuff first, otherwise they get nasty shit on their machines, but that's not likely. And the malware writers would work to give their programs nice sounding names ("MSWindows.exe" rather than "pwnyourstupidmachineurfuckedlolz.exe") and nice explanatory texts ("We need this permission to continue to provide you a decent quality internet experience" vs "give us this so we can steal your PIN").

      A good idea, but doomed to fail at the hands of user stupidity :(

  8. Anonymous South African Coward Bronze badge

    Always have been disabling UPnP, will always do so. Don't need security issues.

  9. Lee D Silver badge

    SWITCH IT OFF.

    UPnP = automatic, unauthenticated port-forwarding of any external port to any internal machine port.

    If you don't know this already, and you work in IT, you've not looked into it at all.

    If you do know it, and left it enabled, more fool you.

    Literally, any user - even in internal VLANs in some cases - can send a UPnP request to port-forward your external port number 7483 (or whatever) to internal client SERVER1 port 139. Game over. Even if you disable SMB or have internal firewalls, there'll be SOMETHING you don't want exposed that they can expose (and even a port 139 that refused traffic could be used for damage as WannaCry showed!).

    Authentication modules were never really used for UPnP and finding compliant software/router combinations for such is rare. Add to that that ANY PROGRAM running as ANY USER on ANY LOCAL MACHINE can request the router to forward any arbitrary external port to any arbitrary internal port.

    If that doesn't scream "stupid design", I don't know what does.

    Additionally, to counter the usual argument, there are ZERO modern services that do not operate when you disable UPnP. Same as anything - if you're running a server you should be the one opening the port, not having it happen automagically without your knowledge. If you're not, then everything works just fine without port-forwarding, UPnP or anything else.

    1000 Steam games, Skype, Torrents, Bitcoin, everything I have ever installed works fine. At absolute worst if you're HOSTING a server (not just connecting to matchmaking servers which have open ports for just this reason) you put in a port-forward entry.

    Anyone who has not had UPnP disabled from day one on their network gateways deserves a slap. Even a cheapy Draytek will let you provide "Internet Connection Status" over UPnP while denying the "magic port-forward" stuff, but there's no reason for UPnP at all in that case anyway.
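The mechanism Dan 55 and Lee D describe above (any LAN program asks the router, unauthenticated, to forward an external port to an internal host), as an added example that is not part of the original thread and not the article's, McAfee's or any router vendor's code. It builds the SSDP M-SEARCH and the IGD AddPortMapping SOAP request a LAN host sends, neither of which has anywhere to put a credential, and then does the check a practitioner actually wants: it walks the gateway's mapping table with GetGenericPortMappingEntry and flags forwards onto ports such as 139. The mapping table, the fault response, the host addresses and the SENSITIVE_PORTS list are constructed or assumed for the offline demo; against a real gateway, replace make_sample_sender() with a function that HTTP-POSTs the headers and body to the WANIPConnection control URL advertised in the SSDP reply's LOCATION description.

```python
"""UPnP IGD port-mapping audit helpers (added example; not from the article or any vendor).
Builds the unauthenticated requests any LAN host can send to an Internet Gateway Device
and walks its mapping table. Runs offline against constructed sample responses."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
Sender = Callable[[Dict[str, str], bytes], str]  # send(headers, body) -> response XML

def ssdp_msearch(st: str = IGD_SERVICE, mx: int = 2) -> bytes:
    """Multicast M-SEARCH that locates the gateway; nothing in it identifies or authenticates the sender."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()

def soap_envelope(action: str, args: Dict[str, object]) -> Tuple[Dict[str, str], bytes]:
    """HTTP headers and SOAP body for one WANIPConnection action (the schema has no credential field)."""
    body_args = "".join(f"<New{k}>{v}</New{k}>" for k, v in args.items())
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{IGD_SERVICE}">{body_args}</u:{action}></s:Body></s:Envelope>').encode()
    return {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{IGD_SERVICE}#{action}"'}, body

def add_port_mapping_request(ext_port: int, int_port: int, int_client: str,
                             proto: str = "TCP", desc: str = "example") -> Tuple[Dict[str, str], bytes]:
    """The request that punches the hole: a LAN host only has to ask."""
    return soap_envelope("AddPortMapping", {
        "RemoteHost": "", "ExternalPort": ext_port, "Protocol": proto, "InternalPort": int_port,
        "InternalClient": int_client, "Enabled": 1, "PortMappingDescription": desc, "LeaseDuration": 0})

def get_entry_request(index: int) -> Tuple[Dict[str, str], bytes]:
    return soap_envelope("GetGenericPortMappingEntry", {"PortMappingIndex": index})

@dataclass
class PortMapping:
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    description: str
    enabled: bool

_FIELD = re.compile(r"<New(\w+)>([^<]*)</New\1>")

def parse_port_mapping_entry(xml: str) -> Optional[PortMapping]:
    """Parse a GetGenericPortMappingEntryResponse; None on a SOAP fault (error 713 marks end of table)."""
    if "<s:Fault>" in xml or "UPnPError" in xml:
        return None
    f = dict(_FIELD.findall(xml))
    return PortMapping(int(f["ExternalPort"]), f["Protocol"], int(f["InternalPort"]),
                       f["InternalClient"], f.get("PortMappingDescription", ""), f.get("Enabled") == "1")

def enumerate_mappings(send: Sender, limit: int = 256) -> List[PortMapping]:
    """Walk the gateway's mapping table index by index until it faults."""
    found: List[PortMapping] = []
    for i in range(limit):
        entry = parse_port_mapping_entry(send(*get_entry_request(i)))
        if entry is None:
            break
        found.append(entry)
    return found

# Internal ports an audit should never find reachable from the WAN (assumed list; extend to taste).
SENSITIVE_PORTS = {22, 23, 53, 80, 135, 139, 443, 445, 3389, 5900}

def flag_suspicious(mappings: List[PortMapping]) -> List[PortMapping]:
    """Active mappings onto management or file-sharing ports, e.g. WAN 7483 -> host:139."""
    return [m for m in mappings if m.enabled and m.internal_port in SENSITIVE_PORTS]

def _entry_xml(ext: int, proto: str, int_port: int, client: str, desc: str, enabled: int = 1) -> str:
    """Constructed response in the shape the IGD spec defines; not captured from a real device."""
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_SERVICE}"><NewRemoteHost></NewRemoteHost>'
            f"<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>"
            f"<NewInternalPort>{int_port}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>"
            f"<NewEnabled>{enabled}</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>"
            "<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")

_FAULT_XML = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
              "<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>"
              "<detail><UPnPError><errorCode>713</errorCode></UPnPError></detail></s:Fault></s:Body></s:Envelope>")

SAMPLE_TABLE = [  # constructed mapping table: two expected entries and one nobody asked for
    _entry_xml(3074, "UDP", 3074, "192.168.1.30", "Xbox"),
    _entry_xml(51413, "TCP", 51413, "192.168.1.15", "torrent client"),
    _entry_xml(7483, "TCP", 139, "192.168.1.20", ""),
]

def make_sample_sender(table: List[str]) -> Sender:
    """Stand-in for the HTTP POST to the control URL; answers from the constructed table."""
    def send(headers: Dict[str, str], body: bytes) -> str:
        idx = int(re.search(rb"<NewPortMappingIndex>(\d+)<", body).group(1))
        return table[idx] if idx < len(table) else _FAULT_XML
    return send
```

`flag_suspicious(enumerate_mappings(make_sample_sender(SAMPLE_TABLE)))` returns the one forward onto 139. The same enumeration, pointed at your own gateway, is how you verify that unticking UPnP in the router's web UI actually leaves the table empty rather than trusting the checkbox, and it is the inventory to check against what Lee D lists as the only legitimate use (hosting a server you opened yourself).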

    1. Anonymous Coward

      "Additionally, to counter the usual argument, there are ZERO modern services that do not operate when you disable UPnP."

      Oh? One was cited above: having more than one active XBox One on the same LAN results in crosstalk problems UNLESS UPnP is enabled (probably because otherwise the ports are fixed and not configurable from the consoles).

      Also consider, without open ports, connecting to networks requires polling a known server. This raises two issues: one of availability (what if those servers go down) and one of Big Brother.

      1. Lee D Silver badge

        1) Rubbish.

        2) One XBox will get Open NAT, the other will get Strict NAT, and that only if you have them both working simultaneously.

        3) Because it *wants* to forward the following to your console:

        Port 88 (UDP)
        Port 3074 (UDP & TCP)
        Port 53 (UDP & TCP)
        Port 80 (TCP)
        Port 500 (UDP)
        Port 3544 (UDP)
        Port 4500 (UDP)

        You are opening up your DNS, HTTP ports and numerous others (including targets ripe for brute-forcing and automated HTTP scraping / metasploiting) to a fecking console.

        4) Damn niche problem.

        1. Charles 9

          Trusting matchmaking servers is a niche problem? Like I said, what if they're removed and what if they're Big Brothered? I'd call both legitimate and significant concerns.

        2. EnviableOne

          As an ex XBOX support monkey,

          that list is a bit on the long side, you will get away with TCP/UDP 3074 and TCP 88.

          500 and 4500 are IPSEC over UDP NAT-T (VPN)

          3544 is IPv6 over v4 Teredo tunneling

          80 is web traffic

          53 is DNS

          88 is kerberos (authentication)

          3074 is the only XBOX specific port the rest you would be using anyway, just by browsing the web

  10. Anonymous Coward

    UPnP and banking malware

    "Pinkslipbot" ... "allowing incoming connections from anyone on the Internet to communicate with the infected machine".

    How exactly does the infected machine get infected in the first place? When are people going to learn to not use that open source socialist Linux and move to the industry standard Microsoft Windows.

  11. Missing Semicolon Silver badge

    When we have IPv6

    .. UPnP won't even be necessary! :-)

    It will Just Work anyway.
