100k routers around the world are on a botnet that sends email spam

The latest security report from Qihoo Security Labs shows that at least hundreds of thousands of home routers around the world have been infected with malware and formed into a massive botnet.

All routers infected by the botnet use a Broadcom chipset, and that router chipset was found to have security vulnerabilities five years ago.

Given the substantial security risk, the researchers who found this vulnerability in 2013 did not disclose it until 2017, when details of the vulnerability gradually surfaced.

More than 3.37 million active independent IPs:

Recently, Qihoo Lab noticed anomalous scanning of TCP port 5431 during daily monitoring. Tracing the activity back, the researchers found that it dates to January of this year.

These anomalous scans came from as many as 3.37 million distinct IPs, but that does not mean that many devices are infected, because the IP addresses of infected devices change over time.

Still, hundreds of thousands of IPs active at any one time mean that at least hundreds of thousands of home routers have been infected and organized into the botnet.

At the same time, there are more than 420,000 potential infections that have not yet been confirmed, meaning these devices may have been infected before or may be infected next.

Figure: geographical distribution of the scanner IPs in the last seven days

Unlike most botnets, which launch DDoS traffic attacks, these infected routers do not launch traffic attacks against any website.

Only after analysis did the researchers at Qihoo Lab find that the botnet connected very frequently to the email services run by major Internet companies.

Examples include Microsoft Outlook and Microsoft Hotmail, and Yahoo! Mail, which was acquired by the US telecom operator Verizon.

Even more suspicious is that the botnet connects only to TCP port 25, the unencrypted SMTP port used to deliver mail to an email server.

The researchers concluded that the botnet's primary purpose is most likely mass spam, since sending from many different IPs helps it avoid detection by the mail servers.
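As an added example, not part of the Netlab report or this article: a small Python analyser that applies the two indicators described above (scanning of TCP 5431, and repeated outbound connections to TCP 25 from home-router addresses) to constructed flow records, flagging each source IP that crosses a threshold. The flow format, the thresholds and the sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed sample flow records (not from the report): src_ip src_port dst_ip dst_port
SAMPLE_FLOWS = """\
192.0.2.10 41000 198.51.100.1 5431
192.0.2.10 41001 198.51.100.2 5431
192.0.2.10 41002 198.51.100.3 5431
192.0.2.10 41003 198.51.100.4 5431
192.0.2.10 41004 198.51.100.5 5431
192.0.2.10 41010 203.0.113.25 25
192.0.2.10 41011 203.0.113.26 25
192.0.2.10 41012 203.0.113.27 25
192.0.2.44 50000 203.0.113.80 443
192.0.2.44 50001 198.51.100.9 5431
192.0.2.77 50100 203.0.113.25 25
"""
FLOW_RE = re.compile(r"^(\S+) (\d+) (\S+) (\d+)$")

SCAN_PORT = 5431      # port the report observed being scanned
SMTP_PORT = 25        # plaintext SMTP, the only port the botnet talked to
SCAN_THRESHOLD = 5    # distinct 5431 targets before a source counts as a scanner (assumed)
SMTP_THRESHOLD = 3    # outbound port-25 connections before a source is flagged (assumed)

def parse_flows(text):
    """Yield (src_ip, dst_ip, dst_port) from the constructed flow format; skip malformed lines."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(3), int(m.group(4))

def analyze_flows(text, scan_threshold=SCAN_THRESHOLD, smtp_threshold=SMTP_THRESHOLD):
    """Per source IP, count distinct hosts probed on 5431 and outbound port-25 connections;
    return {src: {"scan_targets", "smtp_conns", "verdict"}} for sources over a threshold."""
    scan_targets, smtp_conns = defaultdict(set), defaultdict(int)
    for src, dst, dport in parse_flows(text):
        if dport == SCAN_PORT:
            scan_targets[src].add(dst)
        elif dport == SMTP_PORT:
            smtp_conns[src] += 1
    findings = {}
    for src in set(scan_targets) | set(smtp_conns):
        scans, smtp = len(scan_targets[src]), smtp_conns[src]
        tags = (["scanner"] if scans >= scan_threshold else []) + (["spam-relay"] if smtp >= smtp_threshold else [])
        if tags:
            findings[src] = {"scan_targets": scans, "smtp_conns": smtp, "verdict": "+".join(tags)}
    return findings

if __name__ == "__main__":
    print(analyze_flows(SAMPLE_FLOWS))
```

On the sample above only 192.0.2.10 is flagged, as both a scanner and a spam relay; a lone probe or a single port-25 connection stays below the thresholds.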

Via: netlab