The discovery was made by security firm Incapsula (recently acquired by Imperva), which first noticed attacks against a few dozen of its customers in December 2014 since when the firm estimates its size to exceed 40,000 IPs across 1,600 ISPs with at least 60 command and control (C2) nodes.
Almost all of the compromised routers appear to be unidentified ARM-based models from a single US vendor, Ubiquiti, which is sold across the world, including in the UK. Incapsula detected traffic from compromised devices in 109 countries, overwhelmingly in Thailand and router compromise hotspot, Brazil.
The compromise that allowed the Ubiquiti routers to be botted in the first place appears to be connected to one of two vulnerabilities. The first is simply that the devices have been left with their vendor username and password in its default state - perhaps a sign that some of these devices are older - allowing the attackers easy access.
The second and more unexpected flaw is that the routers also allow remote access to HTTP and SSH via default ports, a configuration issue which would be open sesame to attackers.
Once compromised, the attacks appear to have been used to inject a number of pieces of malware, mainly the Linux Spike Trojan, aka, 'MrBlack', used to configure DDoS attacks. The firm inspected 13,000 malware samples and found evidence of other DDoS tools, including Dorfloo and Mayday.
The C2s for these tools were found to be in several countries, with 73 percent in China and 21 percent in the US. This doesn't mean the attackers were based there, simply using infrastructure on hosts in those locations.
"Given how easy it is to hijack these devices, we expect to see them being exploited by additional perpetrators. Even as we conducted our research, the Incapsula security team documented numerous new malware types being addedeach compounding the threat posed by the existence of these botnet devices," said the firm's researchers.
The clustering of many of the compromised routers around specific ISPs points to an obvious issue of whose problem this is to fix. According to an Incapsula source Techworld spoke to, the router firm Ubiquiti believed the issue was that of the ISPs that almost certainly distributed these devices in their insecure state and they appear to have a point - for once this attack doesn't depend on a software flaw in the router itself.
The more intriguing issue is who might be using this botnet. According to Incapsula, it's not The Lizard Squad, even if the MO is very similar to that group's DDoS-for-hire service, Lizard Stresser. Oddly, however, the botnet's activity did appear to have flared up at the same time as the Lizard Squad which hints at some connection.
"If anything, they present us with several open questions about the possible evolution of Lizard Squad's botnet resources and the existence of copycats that are following in the groups' footsteps," said Incapsula.
Attacks on home routers have become common in the last three years, with motivations including DNS redirection as well as DDoS and eavesdropping. Usually, attackers exploit a flaw in the router firmware itself but attacks on default logins are an even simpler method.
Techworld and Tripwire recently published a Q&A guide to securing broadband routers.