So I found that Rapid7 (the Metasploit people) has some free tools to scan for this vulnerability. There's a "UPnP Router Scan" that customers can run from their browser (I think it gets a server to scan their IP address from the outside).
Also a "ScanNow for UPnP" tool (Windows .exe) that I am using to scan my IP blocks. It does require you to register, so probably it means some emails trying to sell their paid tools, but the scanner is working nicely and jeez Louise there are a bunch of them. Mostly DLinks and older Linksys routers. The scan my router tool does not require registration. http://www.rapid7.com/resources/free-tools.jsp
