From what I've seen, most new routers don't use UPnP or at least have it disabled by default. That's been the case with the last three routers I've installed at my home, and yet I have plenty of devices that are able to communicate with the outside world in a secure way.

I've only seen one [probably incomplete] list of devices that were hacked to launch that DDoS attack, and they all seemed pretty obscure.