VPNFilter – is a malware timebomb lurking on your router?

Thanks to Cisco Talos and the Cyber Threat Alliance for providing SophosLabs researchers with early access to samples of and information about this malware.
Researchers at Cisco Talos just published a report documenting a giant-sized IoT botnet known as VPNFilter.
More than 500,000 devices around the world are said to be infected with this malware – most of them are consumer internet routers from a range of different vendors, with some consumer NAS (network attached storage) devices known to have been hit as well.
To explain.
IoT is short for internet of things, and refers to all those internet-connected devices in our lives that are small enough, and cheap enough, and everyday enough, that we forget they’re really just tiny computers in much the same way that our laptops and mobile phones are computers.
As a result, IoT devices often end up attracting little or no attention to cybersecurity while they’re being designed, when they’re shipped, or after they’re installed.
And a botnet refers to a robot network, also known as a zombie network.
That’s where crooks implant malware on thousands, or even hundreds of thousands, of computers at the same time, in such a way that they can secretly send programmatic commands to each of them – one by one, or all at the same time.

How bots work

Typically, each bot in the botnet regularly calls home, using some sort of network request, to one or more servers operated by the crooks.
On calling home, each zombie computer fetches instructions on what to do next, instructions that often include commands such as “here is a new software module to install and add to your menagerie of dirty tricks.”
In other words, zombie networks are not only able to mount large-scale simultaneous attacks all across the globe, they can also adapt and update themselves to include malware capabilities that the crooks feel like adding later on.
In some cases – and this newly-announced VPNFilter malware is one – zombies include a special command to implement what you might call a “run, the cops are coming!” policy, where the malware deliberately kills itself and sometimes the device on which it’s running.
Not only does VPNFilter include a kill command, but, according to Cisco, the kill command purposely overwrites the flash memory of the device.
Home routers sometimes can’t be used at all after the flash memory is wiped out (at least, not without soldering special connectors onto the motherboard or making some sort of fiddly internal hardware modification), because the bootup software needed to recover the device is itself stored in the flash memory.
Devices in this state are said to be bricked, a metaphor that means the device is now about as useful as a brick – you can use it to prop a door open, but that’s about all.

When SophosLabs examined this malware, it found that the kill command instantly shut down the bot, but didn’t try to wipe the device. The flash-wiping code was present in the compiled malware code, but never used. You can read the full SophosLabs VPNFilter botnet analysis on the Sophos News website.
The VPNFilter malware also includes an auto-update component, allowing its functionality to be updated at will; one of the add-on malware modules found so far is a so-called packet sniffer.
Sniffers tap into the network software inside the operating system so that they can monitor network packets, looking out for data of interest in any network traffic that isn’t encrypted.
VPNFilter looks out for various data patterns, including web requests associated with known vulnerabilities, login requests that indicate password-protected web pages where the password is blank, and unencrypted web traffic that might contain usernames and passwords.

What to do?

The problem with IoT devices such as routers is that they’re plugged directly onto the internet by design.
For many home users, they act as a combined internet modem (plugged into the phone line on one side), router (they’re plugged into the LAN on the other side), firewall and wireless access point.
Yet many routers are effectively a “closed shop”, rather like an iPhone: you’re not supposed to be able to access the files, modify the software, make your own tweaks, or apply your own updates or improvements.
Some ISPs insist that you use their routers to access their service, so you can’t even switch out the router model they provided for one of your own choice.
Nevertheless, whichever router you use at home or in your business, it’s time for a router healthcheck.
Don’t delay – do it today!

• Check with your vendor or ISP to find out how to get your router to do a firmware update. Many routers do receive security updates, at least from time to time, but they’re often not downloaded or installed automatically. You typically need to login to the administration console and click some sort of [Check now] button. If you live in a country with daylight savings, why not do an update check on all your IoT devices every time the clocks change? Crooks routinely scan the internet probing for routers that have unpatched security holes that they already know how to exploit. Don’t make it easy for crooks to implant malware: patch early, patch often!
• Turn off remote administration unless you really need it. Many routers let you access the administration interface from the internet side as well as from the LAN side of the device. Some even come like that out of the factory. Crooks routinely scan the internet probing for login screens that aren’t supposed to be visible and are thus less likely to be secured properly. Don’t make it easy for crooks to find your devices and start guessing away at your password.
• Pick proper passwords. Many routers ship with a pre-set administrator password, and some routers don’t force you to pick a new password when you first set them up. Crooks have extensive lists of default usernames and passwords for all sorts of internet devices. Don’t give crooks the keys to your castle by sticking with a password that they can figure out easily.
• Stick to HTTPS for as much web browsing as you can. Generally speaking, web connections that show up with a padlock in your browser are encrypted end-to-end, so they can’t be sniffed out along the way by an untrusted internet device, whether that’s due to a malware infection on your own router, a rogue ISP in your network path, or a surveillance-hungry country that your traffic happens to traverse.

By the way, as far as we can see, performing a firmware refresh on many home routers will wipe the VPNFilter malware, along with many other strains of router malware.
In other words, even if you are already up-to-date and don’t think your device is infected, a firmware refresh will give you a double peace of mind: your router will be up to date and you’ll be in a known-good state.

Want to run a VPN at home for added security, where your VPN starts and terminates inside your IoT router and therefore can’t be sniffed by malware on the way? If you have a spare computer handy, why not try the Sophos XG Firewall Home Edition? You get a free licence for everything the product can do, including anti-virus, web filtering, email security, intrusion prevention, plus a fully-fledged VPN.