The Notebook Review forums were hosted by TechTarget, who shut down them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    UPnP router a security threat?

    Discussion in 'Networking and Wireless' started by BigV, Dec 28, 2006.

  1. BigV

    BigV Notebook Deity

    So this was interesting... my mother's computer had been occasionally locking up for no apparent reason. Usually it would happen overnight. I thought maybe the CPU was overheating or something, or maybe it was the hard drive spindown I had in the power saving properties. So I changed the heatsink/fan from the aluminum Celeron one to a copper-cored OE Pentium 4 one and turned off HDD spindown. No dice.

    Anyway, I was poking through the configurations for the D-Link DI-604 that the computer is sitting behind, and there was a firewall rule that allowed any WAN traffic through to the IP that always gets assigned to the computer with the strange behaviour. Thing was, I sure as hell didn't set the rule, and I know my parents and sibling don't have the knowledge (or even the passwords) to set that rule. Anyway, I disabled the UPnP settings option, which eliminated that rule, and shortly after, the logs showed a series of SYN and ACK attack detections. I can only assume that there is also a trojan of some kind installed on the computer which used UPnP to set up that rule, which, of course, avast! does not detect. :rolleyes: No crashes since, so we'll see.

    Anyway, moral of the story, kids, is TURN OFF UPnP! I noticed on my other router that there were rules I didn't set, but were associated with LimeWire. It's frustrating that such a security risk is within Windows, and that the router can even accept new firewall rules via this. Anyway, at least I now know to check the whole configuration thoroughly.
     
  2. Jalf

    Jalf Comrade Santa

    Doesn't sound like a Windows problem as much as a UPnP problem (which, as far as I'm aware, isn't Windows-specific).

    But isn't the point of UPnP to "hide" the fact that you're running behind a NAT? That's only possible if the PCs are allowed to change some routing rules on the router. (If you weren't on a NAT, everything would be routed to you anyway, so you're just simulating that "intended" behaviour.)

    I've never really used UPnP, so I'm not too sure how it works, and I might be wrong in some of this.
     
  3. BigV

    BigV Notebook Deity

    Well, as far as I could figure, basically it will open ports in the firewall/NAT so that a program that needs a specific port works without intervention.

    The point of the post was that it would seem that it can be used by malware to open all ports to a specific IP, as I know I didn't set up a rule to allow such traffic. Perhaps it is a flaw in the D-Link router's implementation of UPnP, but anyway, I would suggest you turn it off in the router.
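The mappings BigV found are the port-forwarding table that any LAN host can read and edit through the router's UPnP IGD WANIPConnection service, which takes no password. This added example (not code from the thread) builds the SOAP query for one table entry, parses the router's reply, and flags entries you did not create; it assumes the standard WANIPConnection:1 service name, and the reply below is a constructed sample, not a capture from the DI-604.

```python
from xml.etree import ElementTree as ET
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")

def build_request(index):
    """SOAP headers and body asking the IGD for port mapping number `index`.
    Walk 0, 1, 2, ... until the router answers UPnP error 713
    (SpecifiedArrayIndexInvalid); the POST to the control URL from the
    router's device description is left to the caller."""
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": '"%s#GetGenericPortMappingEntry"' % SERVICE}
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Body><u:GetGenericPortMappingEntry xmlns:u="%s">'
            '<NewPortMappingIndex>%d</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
            % (SERVICE, index))
    return headers, body

def parse_mapping(xml_text):
    """Extract one mapping from a GetGenericPortMappingEntryResponse."""
    root = ET.fromstring(xml_text)
    return {f: (root.findtext(".//" + f) or "").strip() for f in FIELDS}

def audit_mapping(m, approved=()):
    """Reasons this mapping deserves a look; `approved` holds descriptions
    of mappings you set yourself. An empty result means 'expected'."""
    findings = []
    if m["NewPortMappingDescription"] not in approved:
        findings.append("description %r not on approved list"
                        % m["NewPortMappingDescription"])
    if m["NewLeaseDuration"] == "0":
        findings.append("lease never expires")
    if m["NewRemoteHost"] == "":
        findings.append("reachable from any remote host")
    return findings

# Constructed sample response (not a capture from the DI-604 in the thread):
# a LimeWire mapping like the ones the original poster found on his router.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>6346</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>6346</NewInternalPort>
<NewInternalClient>192.168.0.100</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>LimeWire</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
```

Running `audit_mapping(parse_mapping(SAMPLE_RESPONSE))` with an empty approved list flags all three points; a mapping with a non-zero lease that is on your approved list comes back clean.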
     
  4. f4ding

    f4ding Laptop Owner

  5. blue68f100

    blue68f100 Notebook Virtuoso

    UPnP is a major security risk, just as you found out. It's very important that you have a strong password on your router and WPA. I have known of several who failed to change the default password and their routers got hijacked, along with a NAS server that was not up to date on patches. I know one friend had her PC hijacked and turned into a spam bot one night when she failed to turn it off. I have a rule: if I'm not in front of the PC it does not need to be on, and they all go off at night. The only things I let run are my NASes. But I have a firewall rule blocking all outside contact for my NASes.

    Some routers allow you to set a schedule to restrict access during your night-time hours when nobody is supposed to be using it.

    So what you experienced is not new. The hard part is now cleaning it up.
     
  6. BigV

    BigV Notebook Deity

    Yeah, I'm not sure what was actually being done, but at least there are now no incoming access ports on my edge router. Might be best just to wipe the affected computer, I suppose, as it could still be a zombie sending out traffic automatically. Is there any reliable way to check on this? I don't really want to sit there all night reading output from Wireshark...
     
  7. blue68f100

    blue68f100 Notebook Virtuoso

    If a rootkit was installed it will NOT be an easy task. There is no one utility that can detect them all. :( My experience is that it's faster to reload than to clean it up. I generally make a Ghost set for backup, just in case I don't get all of the data backed off. I'm lucky enough to own a Snap4500 to back up to. Then scan everything that goes back on. If you do any scanning, you will have to use web-based utilities, because most add an exception so it will not be detected. I would be more concerned about keyloggers than the spam; neither one is desirable.

    Just make sure you do the long format and not the quick one when you reinstall. I had to reload one of my PCs a month ago. The Windows part wasn't bad; it was installing all of the applications that took time.
     
  8. sanpabloguy

    sanpabloguy Notebook Deity

    Wouldn't it be easier to just install a software firewall and run a report the next morning to see the activity?

    I have a shared internet connection (wired). The owner got a nasty infection that infected the router (according to him), but it never got to me. I'm assuming because of my software firewall. He didn't have one installed on his NB at the time. Does now.
     
  9. BigV

    BigV Notebook Deity

    Just so I'm all clear, the router has default behavior of dropping incoming connection requests (although it still gives a "Closed" to the IDENT port), UPnP settings changes are disabled, and just to be extra sure, I have changed the admin password again on the router - in case there was a keylogger and I accessed the router from the affected box. Oh, and any remote router management is and always was disabled.

    Given all that, is it possible that an outside attacker could regain control of the computer? The strange behaviour hasn't resurfaced since (a week or so), which is good.
     
  10. blue68f100

    blue68f100 Notebook Virtuoso

    It's possible that you have shut its access down. But it could just be sleeping, waiting for a chance to leap.

    Provided you have shut down its access, have you located the software? If you have located the root of the source and have removed it, it should be good. If not, some will become active as you use the net, piggy-backing on your connection.
     
  11. BigV

    BigV Notebook Deity

    Yeah... that's what I figured, that it could still be sending out if it's a keylogger or something... :mad:

    Well, I think I need to wipe both of my parents' computers... the one XP installation is at least two years old, getting pretty kludgy, and it's had virus/spyware infections in the past that I've cleaned out.

    Anyway, thanks for the info/advice.