Spammer scum hack 100,000 home routers via UPnP vulns to craft email-flinging botnet

Once again, a hundred thousand or more home routers have been press-ganged into a spam-spewing botnet, this time via Universal Plug and Play (UPnP). According to brainiacs from 360 Netlab, the malware exploits vulnerabilities in a Broadcom UPnP implementation to infect vulnerable gateways, and that means a load of router …

  1. Chronos
    Holmes

    Took longer than I expected

    I've been saying for years that shipping routers with universal probe'n'pwn enabled by default is going to end in tears. That it's only a spambot, easily mitigated by using RBL dynamic allocation pool lookups, is really surprising given the scope for mischief.

    1. Anonymous Coward

      Re: Took longer than I expected

      I've been watching the logs on our mail server and the login attempts went up to about 100/hour recently; it's dropped back now, but probes on the firewall WAN sides have been steadily rising all year. Oddly enough (or maybe not) there's an inverse relationship between login attempts (they all fail) and the number of "new sale ordeer.txt.vbs" (sic) files that arrive every day.

      It's a wild world out there.

  2. Kenny Millar

    Don't disable UPnP, at least not on the private side of the router - you need it for streaming audio etc, wireless speakers and so on.

    1. Lee D Silver badge

      Nonsense.

      UPnP allows ANY network device to request ANY network port on ANY external connection be forwarded to ANY internal IP/port combination, with NO AUTHENTICATION. Not one vendor has properly implemented authentication.

      Turn that crap off, on all your networks, because even just "internally" it's not safe, and not necessary.

      P.S. I have 1000 Steam games, a Chromecast, and all kinds of kit and none of it complains one iota about not having UPnP enabled.

      1. Lee D Silver badge

        P.P.S. and turning off UPnP on your router will NOT stop local devices discovering each other via it.

        Just turn it off, because having it enabled on any router will basically give all devices a free port-forward of their choice.

        1. Baldrickk

          The only problem being

          various tools that do some measure of hosting content that expect UPnP to be enabled - games that do peer to peer/self hosting multiplayer that don't readily provide which ports need to be exposed.

          Not that you can't find out, but the hassle is likely enough to get a semi-tech-literate gamer to turn it back on, or someone using a peer to peer voip app etc.

    2. Joe Drunk

      "Don't disable UPnP, at least not on the private side of the router - you need it for streaming audio etc, wireless speakers and so on."

      UPnP is really nothing more than auto port-forwarding. All your gadgets that require outside access will still work by MANUALLY enabling port forwarding rules in your router. More work, more secure however since UPnP has long been a risk.

      Easy enough for any long-time Reg reader. What am I supposed to do for friends/family? Every time they buy a new IoT/download a new console game I have to do a service call and spend a few hours there. Have you ever tried to glean IP/PORT info for some IoT or console games?

      1. Baldrickk

        @Joe - we basically said the same thing in our posts - how come I was exclusively downvoted by about the same magnitude as you were exclusively upvoted?

    3. Anonymous Coward

      Just connect your wireless speakers with a wire, that will negate the need for UPNP.

      I just felt like adding to your comment as we are both clearly talking rubbish.

      1. Lee D Silver badge

        Friend bought round XBox 360. It worked. No UPnP.

        I have 1000 games on my Steam account. They all work. Online.

        Skype, Whatsapp, hundreds of apps, phones, other people's consoles on games nights, you name it. They all work.

        You only EVER *NEED* a port-forward if you are HOSTING content. You do not need it to game, join servers, browse servers or anything else. All major consoles have matchmaking services that can handle that side for you, no port-forwards required. And that's because only when you are actually being a server should you be punching holes in your firewall to let others in (rather than talking to a matchmaking server, or talking over an ESTABLISHED connection to another person which is what matchmaking servers set up for you).

        Seriously. Turn UPnP off now. Play any game you like. See what happens. At absolute worst, XBox even has a term for it that shows up in the settings that nobody ever looks at... it basically means "you're behind a NAT, so I'll use a matchmaking service that knows that".

        UPnP has several functions - one discovers things over the local network using local broadcast/multicast addresses. That's fine, and is on the client. One tells the local network that there is indeed a way to get to the Internet. That's fine, but often runs on the router and is entirely unnecessary on any modern operating system. Some advanced routers (e.g. Draytek) will have an option to leave that on, if you like. It's called "Connectivity Status". The other thing UPnP does is the port-forward thing. Every client asks for port-forwards. If your router grants them, this is by far not the first security problem with that. If you turn them off, the clients carry on regardless. Even weird stuff like videoconferencing, Steam matchmaking etc.

        Before you start spreading nonsense saying that you "have to have UPnP", turn it off and see what happens. It's literally one click on your router.

        Then tell me why you would ever want that functionality enabled on, say, a corporate network either, and why they turn it off from day one, and who's likely to be the biggest user of things like port-forwards and SIP / H232 / etc. protocols that all "need" that... yet it all works without UPnP.

        Honestly, just try it. Nobody is even suggesting you have to ditch your local wireless devices, because they can use mDNS and UPnP etc. discovery over your local network, and connect to the Internet to do everything they need, without EVER HAVING to use it to punch as many holes in your firewall as they like.

        TURN OFF UPNP ON YOUR ROUTER. Seriously. Not your clients, they can do what they like, because they can't punch holes in your security without the router's assistance and will just discover each other and work around it. And if you *didn't* know this, you really need to think why you're on an IT forum.

        1. sabroni Silver badge
          Thumb Up

          re: And if you *didn't* know this, you really need to think why you're on an IT forum.

          Not knowing this is exactly why I'm on an IT forum!

        2. This post has been deleted by its author

    4. Chronos
      Facepalm

      "Don't disable UPnP, at least not on the private side of the router - you need it for streaming audio etc, wireless speakers and so on."

      Oh dear. I suspect you're confusing it with DLNA, which is often called uPNP by people who really should know better. The universal probe'n'pwn we (the grown ups) are talking about is the protocol that allows any old munchkin's half-arsed application to poke holes in your firewall/NAPT.

      Icon says it all.

    5. bombastic bob Silver badge
      Thumb Down

      "Don't disable UPnP, at least not on the private side of the router - you need it for streaming audio etc, wireless speakers and so on."

      FUD. You do NOT know what you are talking about!

      You do _NOT_ need UPnP on a router. The only thing it does is OFFER! UP! A! SECURITY! CRATER! to _ANY_ process on the LAN side by ENABLING! A! LISTENING! PORT! on the public IP address... you know, like a COMMAND AND CONTROL PORT for MALWARE!!

      UPnP is bad. Disable the @#$%'ing thing. Just like the article says at the end.

    6. Androgynous Cow Herd

      No.

      *YOU * apparently need it for streaming, etc.

      I actually understand how TCP/IP works and don't need it at all.

      At the very worst, there is this thing called nmap that will tell me everything I need to know about any device on my network.

    7. Fungus Bob

      Re: wireless speakers

      Proper speakers have wires.

  3. Ramis101
    Stop

    Disabling UPnP completely isn't such a bad idea

    Did that when it 1st came out. Haven't looked back... or needed it either.

    1. Chronos

      Re: Disabling UPnP completely isn't such a bad idea

      Quite. I've removed miniupnpd from my OpenWRT builds and exactly nobody has complained.

    2. bombastic bob Silver badge
      Thumb Up

      Re: Disabling UPnP completely isn't such a bad idea

      I did that, too, when I realized it was on the router [and had done so already on the winders boxen]. "HOLY $#!+ BALLS I better turn that off!". I did look for it, though... after having read all of the security warnings about it on El Reg and elsewhere.

  4. Anonymous Coward

    ISP-branded router - patch? What patch?

    I had a modem-router-wireless router that was supplied and (theoretically) supported by CenturyLink for over 5 years. In that time, there were exactly 0 firmware updates. Actual manufacturer wouldn't touch or discuss it (all responsibility for support is on ISP), and the ISP has no reason to bother creating updates.

    I'm now using one I purchased myself, which (last I checked) also didn't have any firmware updates, but at least it has way more features, and wasn't particularly expensive. Definitely hunting down UPnP and verifying it's off, though.

    1. bombastic bob Silver badge
      Happy

      Re: ISP-branded router - patch? What patch?

      If the router has 'bridge mode' for the internet connection [assuming it's DSL or similar] you can (most likely) manage it with a Linux or FreeBSD box instead. Works for me! Haven't tried it with cable, though.

      1. Anonymous Coward

        Re: ISP-branded router - patch? What patch?

        Oh, I can get into the router and configure it all I want. (Old and new router.) But there haven't been any firmware updates to patch security holes... ever. Kind of hard to patch without a patch.

    2. Slarti Bartfast

      Re: ISP-branded router - patch? What patch?

      Same here. Four year old Technicolor router. They released one firmware update six months after the router was shipped, since then nothing. When I log in to the admin interface on the router there is a helpful "Update Firmware" button. I click it and it asks me to browse to the firmware update file on my PC. Is it beyond the wit of domestic router manufacturers to provide a firmware update facility over https? I suppose if they aren't planning on producing any updates what would be the point.
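
Several comments above advise turning UPnP off on the router and then verifying that it really is off. The following is an added example, not part of the original thread or article: a Python check, meant for your own LAN, that sends the standard SSDP discovery request for gateway devices and reports which answering devices still offer a port-mapping service. The function names and the 3-second timeout are assumptions made for this sketch.

```python
import re
import socket
from urllib.parse import urlsplit
from urllib.request import urlopen

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
# Service types that carry the port-mapping (port-forward) actions.
FORWARDING = ("WANIPConnection", "WANPPPConnection")
MSEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           f'MAN: "ssdp:discover"\r\nMX: 2\r\nST: {IGD_ST}\r\n\r\n').encode("ascii")

def parse_ssdp_response(data):
    """Headers of a 200 reply as a dict with upper-cased names, else {}."""
    head = data.decode("utf-8", "replace").split("\r\n\r\n", 1)[0].split("\r\n")
    if not head[0].startswith("HTTP/1.1 200"):
        return {}
    pairs = (line.split(":", 1) for line in head[1:] if ":" in line)
    return {k.strip().upper(): v.strip() for k, v in pairs}

def forwarding_services(description_xml):
    """serviceType URNs in a device description that allow port mappings."""
    types = re.findall(r"<serviceType>\s*([^<]+?)\s*</serviceType>", description_xml)
    return [t for t in types if any(name in t for name in FORWARDING)]

def audit_lan(timeout=3.0):
    """Run on your own LAN: {gateway_ip: [port-mapping services it offers]}."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(MSEARCH, SSDP_ADDR)
        while True:
            try:
                data, (ip, _port) = sock.recvfrom(4096)
            except OSError:  # timeout: nobody (else) answered
                return results
            loc = parse_ssdp_response(data).get("LOCATION", "")
            # Only fetch a description hosted by the device that replied.
            if loc.startswith("http://") and urlsplit(loc).hostname == ip:
                try:
                    with urlopen(loc, timeout=timeout) as resp:
                        xml = resp.read(1 << 20).decode("utf-8", "replace")
                    results[ip] = forwarding_services(xml)
                except OSError:
                    results[ip] = None  # advertised, description not readable

if __name__ == "__main__":
    print(audit_lan() or "no UPnP gateway answered on this LAN")
```

An empty result after switching UPnP off on the router is the outcome you want; an entry listing a `WANIPConnection` or `WANPPPConnection` service means the gateway is still offering port mappings to the LAN.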
