FBI Recommends Router Reboot For Russian Malware "VPNFilter"
14 replies, posted
https://arstechnica.com/information-technology/2018/05/fbi-tells-router-users-to-reboot-now-to-kill-malware-infecting-500k-devices/
Researchers from Cisco’s Talos security team first disclosed the existence of the malware on Wednesday. The detailed report said the malware infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link.
Later in the day, The Daily Beast reported that VPNFilter was indeed developed by a Russian hacking group, one known by a variety of names, including Sofacy, Fancy Bear, APT 28, and Pawn Storm.
The redundant mechanisms for delivering the later stages address a fundamental shortcoming in VPNFilter—stages 2 and 3 can’t survive a reboot, meaning they are wiped clean as soon as a device is restarted. Instead, only stage 1 remains. Presumably, once an infected device reboots, stage 1 will cause it to reach out to the recently seized ToKnowAll.com address. The FBI’s advice to reboot small office and home office routers and NAS devices capitalizes on this limitation.
Authorities and researchers still don’t know for certain how compromised devices are initially infected. They suspect the attackers exploited known vulnerabilities and default passwords that end users had yet to patch or change. That uncertainty is likely driving the advice in the FBI statement that all router and NAS users reboot, rather than only users of the 14 models known to be affected by VPNFilter.
Just a reboot and boom fixed
that's some weak malware
Sometimes the weaker virus can be more effective, as if *just restarting it* fixes it, maybe it'd evade detection longer. Maybe even make it into Madagascar.
Either way most routers don't have a permanent storage device like a standard HDD or SSD. So the virus would have to run in volatile memory anyways.
Like a disease that can only infect you on a full moon after eating fried baloney whilst juggling bananas on a pogostick, you'll never see it coming!
Now you tell me.
I find it rather amusing that a country with a sophisticated network of crackers would create malware that can be defeated by simply rebooting the router, as it's not as if people don't often do this when their routers screw up anyway.
The article states that the first stage of the malware persists after a reboot, but needs to phone home to fetch later stages.
Routers will still have some form of nonvolatile storage -- usually managed flash, like an EMMC or something -- to boot from.
They have very limited flash memory onboard; it's more than enough to boot a small Linux distro, a few binaries and /var/, so it's not too far-fetched that with a few vulns you could end up with a more persistent infection.
Funny stuff like this makes me remember that big faces and backbones for the internet are slowly realizing their security and QA sucks
FORGOTDOOR anyone?
Ah, well, you learn something new every day.
Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
Users should also change all default passwords, be sure their devices are running the latest firmware, and, whenever possible, disable remote administration.
There's no easy way to determine if a router has been infected. It's not yet clear if running the latest firmware and changing default passwords prevents infections in all cases.
Since you and others might never have come into contact with this, I'll leave this recommendation: https://openwrt.org/
The default router software is absolute garbage, I really wouldn't rock it if you're still on ipv4
Just because "just restarting it" slows down some of the spread doesn't mean it's not a pretty serious threat, not to mention a vector for something else more nasty.
Malware researchers say this thing has several stages, some of which are removed by reboot, some of which are not. Rebooting afaik just temporarily disables your router from phoning home.
According to the snippet in the OP, the domain the malware phones home to has been seized, and as such no longer functions as a C&C server for the malware. As a result, if you're affected, rebooting your router will clear out the second and third stage malware, and the first-stage malware will get blackholed trying to phone home, so aside from anomalous requests adding a bit of traffic to your network it's effectively "fixed", except that the vulnerabilities still exist in the unpatched routers and in practice it's pretty hard to get clueless people to update router firmware.
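As an added example (not from the article or any post in this thread): a defender-side check that scans dnsmasq-style DNS query logs for LAN clients still trying to resolve the seized stage-1 callback domain named in the OP, which is what a surviving stage 1 would do after a reboot. The log format and sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Stage-1 callback domain named in the article excerpt (seized, so queries are
# now a sign of leftover stage 1 on a device, not of working C&C).
SINKHOLED_C2 = {"toknowall.com"}

# Matches dnsmasq "query[TYPE] name from client" lines (log-queries output).
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)$"
)

# Constructed sample log: one LAN host browsing normally, the router itself
# (192.168.1.1) repeatedly resolving the seized domain and a subdomain of it.
SAMPLE_LOG = """\
May 25 10:01:02 dnsmasq[123]: query[A] www.example.org from 192.168.1.20
May 25 10:01:05 dnsmasq[123]: query[A] ToKnowAll.com from 192.168.1.1
May 25 10:03:17 dnsmasq[123]: query[AAAA] updates.example.net from 192.168.1.20
May 25 10:06:05 dnsmasq[123]: query[A] toknowall.com from 192.168.1.1
May 25 10:06:09 dnsmasq[123]: query[A] cdn.toknowall.com from 192.168.1.1
"""


def parse_query(line):
    """Return {ts, qname, client} for a query line, or None if it is not one."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    # Normalise: DNS names are case-insensitive and may carry a trailing dot.
    return {"ts": m["ts"], "qname": m["qname"].rstrip(".").lower(),
            "client": m["client"]}


def matches_c2(qname):
    """True for the seized domain itself or any subdomain of it."""
    return any(qname == d or qname.endswith("." + d) for d in SINKHOLED_C2)


def find_callbacks(log_text):
    """Map each client that queried the seized domain to its (time, name) hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_query(line)
        if rec and matches_c2(rec["qname"]):
            hits[rec["client"]].append((rec["ts"], rec["qname"]))
    return dict(hits)


if __name__ == "__main__":
    for client, events in find_callbacks(SAMPLE_LOG).items():
        print(f"{client}: {len(events)} callback attempt(s), e.g. {events[0]}")
```

A client that keeps showing up here after it has been rebooted still has stage 1 on it, so the reboot alone was not enough and a firmware update (or reflash) is the next step.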