Researchers find hacked routers used in “botnet” mostly in Thailand


Apparently tens of thousands of home routers are infected with malware being used by hackers to launch distributed denial-of-service (DDoS) attacks.

Security firm Incapsula discovered the router-based botnet while investigating a series of DDoS attacks against its customers that have been ongoing since December.

The firm’s researchers tracked the malicious traffic to routers made by Ubiquiti Networks and distributed by Internet companies to their customers around the world. Those devices were found to have DDoS malware installed on them, the researchers said in a report last week.

Hacked routers exposed, majority in Thailand

The researchers say that the routers were not hacked through a firmware vulnerability, but mainly because they were deployed in an insecure way – with their management interfaces exposed to the Internet over SSH and HTTP, and with default logins and passwords left unchanged.

They found scripts running on the devices designed to scan the Internet for other routers that could also be accessed over the SSH protocol with default logins.

“Facilitating the infiltration, all of these under-secured routers are clustered in the IP [Internet Protocol] neighborhoods of specific ISPs that provide them in bulk to end-users,” the researchers said. “For perpetrators, this is like shooting fish in a barrel, which makes each of the scans that much more effective”.

In the first version of the report, Incapsula said the Anonymous collective was among the groups making use of the compromised routers. However, it later said that, due to conflicting data, it was not confident that Anonymous was involved in the hacking.

The problem of Internet companies giving insecure routers to their customers is widespread, and hackers have exploited it many times over the years.

Besides the DDoS attacks, the hacked routers can also be used to redirect users to malicious websites, intercept banking sessions, steal credentials for online accounts and many other illegal activities.

In January it was reported that Lizard Squad had set up DDoS-for-hire services using hacked home routers. Lizard Squad took responsibility for DDoS attacks against Sony’s PlayStation Network, Microsoft’s Xbox Live service, and several other websites.

Incapsula said it detected 40,269 different IP addresses from more than 1,600 Internet companies in 109 countries associated with the botnet and hacked routers. Most of those devices are in Thailand (64%), Brazil (21%), the USA (4%) and India (3%).

The company also found 60 servers used by hackers to control the routers, most of them in China and the US.

Users should make sure their routers do not expose their management interfaces to the Internet over HTTP or SSH. There are online tools which can scan a router’s public IP address for open ports.

Make sure that you also change the default login details for your router. For example, many routers (including those from TOT in Thailand) come with the default user name of admin and password of admin. That’s a serious security hole, and you should make sure that the password is changed as soon as possible, if it was not already done during installation.
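The self-check the article recommends, as an added example that is not part of the original post and not Incapsula’s tool: a small Python script that tries to open a TCP connection to each management port on a router’s IP address and reports which ones answer. Ports 22 (SSH) and 80 (HTTP) are the ones named in the report; 443 (HTTPS) is added here as an assumption, since many routers also serve their admin page over it. The check is only meaningful when run from outside your own network (a phone on mobile data, or a server you control) against the router’s public IP; from inside the LAN the management page is normally reachable by design. The `demo()` function stands up a throwaway local listener so the logic can be exercised offline against a constructed “exposed” port and a closed one.

```python
import socket
import sys
from contextlib import closing

# Management ports named in the report: SSH (22) and HTTP (80).
# 443 (HTTPS) is an assumption added here; adjust to your router's setup.
MANAGEMENT_PORTS = {22: "ssh", 80: "http", 443: "https"}


def check_exposed_ports(host, ports=MANAGEMENT_PORTS, timeout=2.0):
    """Return the subset of `ports` on `host` that accept a TCP connection.

    Run this from OUTSIDE the home network against the router's public IP.
    A completed TCP handshake means the management service is reachable
    from the Internet, which is exactly the exposure the report describes.
    """
    open_ports = []
    for port in sorted(ports):
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
            sock.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising an exception
            if sock.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def assess(open_ports, ports=MANAGEMENT_PORTS):
    """Turn the list of reachable ports into a one-line verdict."""
    if not open_ports:
        return "OK: no management interface reachable from this vantage point"
    names = ", ".join(f"{p}/{ports.get(p, 'tcp')}" for p in open_ports)
    return ("EXPOSED: management interface reachable on " + names +
            " - disable WAN-side management and change the default password")


def demo():
    """Offline demonstration with a constructed fixture: one listening port
    standing in for an exposed admin interface, plus one port that is closed.
    Returns (check_passed, ports_found)."""
    # A listening socket completes handshakes in the kernel backlog even
    # without accept(), so no thread is needed to make the port look open.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]
    try:
        # Reserve and release an ephemeral port so we know one that is closed
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as tmp:
            tmp.bind(("127.0.0.1", 0))
            closed_port = tmp.getsockname()[1]
        found = check_exposed_ports(
            "127.0.0.1", {open_port: "http", closed_port: "ssh"}, timeout=1.0)
    finally:
        srv.close()
    return found == [open_port], found


if __name__ == "__main__":
    # Usage: python router_check.py <router public IP>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(assess(check_exposed_ports(target)))
```

A "connection refused" result is the good outcome here; a timeout usually means a firewall is dropping the packets, which is also fine. Only a completed connection on 22, 80 or 443 means the router's management interface is reachable from the Internet and should be turned off on the WAN side.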




  1. I cancelled my 3bb connection, and this was one of the reasons.
    Another, also related to the routers, was that they would try to run them at their fastest setting, and the router would regularly drop out. After 4 visits from their “engineers”, I called 3bb and told them to let their engineers know that setting the right “speed” on the modem was enough to make the connection stable (and not one iota slower either). They just were not interested: “so you don’t have a problem any more, thanks for calling, bye…”