Naked Security

VPNFilter router malware – what to do? [VIDEO]

Learn how to deal with the VPNFilter malware currently plaguing 500,000 home routers worldwide.

Malware of the week is a router nasty known as VPNFilter.
In jargon terms, VPNFilter is an IoT botnet that has apparently shown up on at least 500,000 consumer and small business routers.
But that single sentence raises a lot of issues! What’s an “IoT botnet”? Is that worse than regular malware? How does this differ from a Windows or Mac attack? Am I at risk? How do I tell if I’m infected? What if my ISP supplied my router and I can’t change it? What else are the crooks up to in the big bad world of router malware?
We went on Facebook Live to answer the big VPNFilter question, “What to do?”

Can’t see the video directly above this line, or getting an error such as “no longer available”? Watch on Facebook instead.

Note. With most browsers, you can watch without having a Facebook account or logging in.
Internet Explorer users may need to use https://www.facebook.com/SophosSecurity/videos/ instead.

FURTHER READING

https://nakedsecurity.sophos.com/2018/05/23/vpnfilter-is-a-malware-timebomb-lurking-on-your-router/
https://news.sophos.com/en-us/2018/05/24/vpnfilter-botnet-a-sophoslabs-analysis/
Image of router inside the TV from Wikimedia Commons.

14 Comments

I could not view your presentation as Facebook is not allowed, corporate policy! Shame, your products are great, Facebook isn't!


We have to host our live videos *somewhere*. We chose Facebook because [a] we have more than 250,000 followers there [b] their video streaming system is excellent [c] they allow viewers to watch without logging in or even creating an account [d] you can’t please everyone all the time.
We know that a small minority either can’t or won’t watch on Facebook… but whichever video service we choose, someone won’t like it or will complain it’s blocked at work. (For example, I’d be astonished if a company that blocked Facebook would at the same time allow access to YouTube).
From your comment it sounds as though you wouldn’t watch us on Facebook, even if the company would let you, because you don’t like Facebook anyway. I respect that, but I’m not convinced that Facebook is sufficiently bad that we ought not to use them for anyone else’s benefit.


What about Youtube? I don’t have a Facebook account.


You don’t need a Facebook account. That’s stated in the article. Click on the video. It plays. That’s it. It’s basically just like YouTube only better – there isn’t a Google ad at the beginning for a hair care product you’re not interested in.


We too have a policy of blocking FB at work.
Fingers crossed some day they will use YouTube and classify/tag them as Educational.
Maybe after the EU blocks FB for not cooking 3.14 the way they want.


If by “they” you mean “us”, my own opinion is that Facebook makes a better place for these live videos than YouTube. We could look at doing the live stream and then publishing the video elsewhere as well. But the realtime comments are part of the fun, and we do want a bit of fun in these videos…


With 250,000 followers, and having real time discussions during a live broadcast, I completely understand the effectiveness and practicality of using FB. (I have to say “they”, as I don’t work at Sophos).
“and then publishing the video elsewhere as well” well, it would shut me up lol and maybe other people that might miss it on FB would also get to see it. If you do, please categorize it as Educational. Corporate web filters I’ve worked with make strong use of that feature – to allow training material that they and business partners publish, to be seen by employees.


Can we get a TooLongDidntWatch summary of the video (i.e. skip all the intro and just write up the steps we need to follow to find out if we are impacted)?
Can’t watch the video while I’m at work.


The thing is…
…it’s not quite as simple as [1][2][3][4], because of the huge variety in routers, OSes, firmwares, vendor attitudes, and so on. If you can’t watch the video, you can take a look here instead (or until you can watch it :-)
https://nakedsecurity.sophos.com/2018/05/23/vpnfilter-is-a-malware-timebomb-lurking-on-your-router/
(The video is meant to be for people who like to consume content in other ways than just the written word. Lots of our readers like the occasional video or podcast as well as regular-style articles.)


Does an infected router put the devices behind it at risk? That wasn’t really addressed.


In a word, yes. For more insight on the sort of things this malware tries to do with traffic passing through it, try the “further reading” links above:
https://nakedsecurity.sophos.com/2018/05/23/vpnfilter-is-a-malware-timebomb-lurking-on-your-router/
https://news.sophos.com/en-us/2018/05/24/vpnfilter-botnet-a-sophoslabs-analysis/
There’s one tip in the first article above (the tip about “sticking to HTTPS”) that I was supposed to mention in the tips at the end of this video…but I kind of ran out of time by getting a bit excited about the whole botnet/zombie scene in the middle of the video. Sorry about that.
The deal with that tip is that if you use HTTPS between your browser and the website you’re visiting, even an infected or otherwise malicious router can’t easily sniff inside the encrypted traffic. Likewise if you use a VPN that terminates *inside* the router, thus the mention above of the free Sophos XG Firewall Home Edition. So web encryption is your friend.
To answer your question briefly: if crooks “own” your router (and remember that this malware can be updated tomorrow to do bad stuff it can’t yet do today) then they can mess with your network very generally, and that implies risk to every device that relies upon the booby-trapped router.
Crooks who control your router can redirect traffic to fake websites by giving dishonest DNS replies; they can stop you getting security information or updates by silently dropping packets from known security sites; they can tamper with non-HTTPS web traffic so you see fake news or download dodgy files; they can send spam straight from your router and get you blocklisted by your ISP even though all your laptops and desktop computers are pure as the driven snow; they can join you into a DDoS (distributed denial of service) attack against someone else’s website and get you in trouble; heck, they can mess up your router settings so that all your devices behind it get cut off, just like that.
Hope that didn’t spoil your day, but, yes, the answer is “Yes” :-(

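The reply above lists "dishonest DNS replies" as the first thing a router-level attacker can do. Here is an added example (not code from the article, from Sophos, or from the VPNFilter analysis) of the check a practitioner might run against that scenario: resolve a handful of names through the router's resolver and through an independent resolver, then flag disagreements, answers that point at non-public addresses, and one address that answers for many unrelated names. The resolver callable signature, the thresholds and all the addresses below are assumptions constructed for the example; the sample tables use RFC 5737 documentation ranges as stand-ins for real sites.

```python
"""Added example: heuristics for spotting a router that hands out dishonest DNS replies.

Not the article's or Sophos's code. Resolvers are modelled as plain callables so the
example runs offline on constructed data; swap in a live lookup to use it for real.
"""
import ipaddress
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set

# Assumed interface: a resolver maps a hostname to the set of address strings it
# answered with (empty set means no answer).
Resolver = Callable[[str], Set[str]]

# Address ranges that no public website should ever resolve to. Listed explicitly
# rather than via ipaddress.is_private, because is_private also flags the RFC 5737
# documentation ranges used as sample "public" addresses below.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]


def is_non_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # 'in' returns False on an IPv4/IPv6 version mismatch, so mixing is safe.
    return any(addr in net for net in NON_PUBLIC)


def audit_dns(names: Iterable[str], router: Resolver, reference: Resolver,
              shared_threshold: int = 3) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked suspicious."""
    findings: List[str] = []
    names_per_ip: Dict[str, Set[str]] = defaultdict(set)

    for name in names:
        from_router = router(name)
        from_reference = reference(name)

        # Heuristic 1: the two resolvers share no address at all. CDNs legitimately
        # answer differently by location, so treat this as a lead, not proof.
        if from_router and from_reference and from_router.isdisjoint(from_reference):
            findings.append(f"{name}: router answered {sorted(from_router)}, "
                            f"reference answered {sorted(from_reference)}")

        for ip in from_router:
            names_per_ip[ip].add(name)
            # Heuristic 2: a public site resolving to a LAN/loopback address means
            # the traffic is being steered to a box on (or inside) the router.
            if is_non_public(ip):
                findings.append(f"{name}: router answered non-public address {ip}")

    # Heuristic 3: one address answering for many unrelated names is the classic
    # footprint of a catch-all interception or phishing host.
    for ip, hosts in names_per_ip.items():
        if len(hosts) >= shared_threshold:
            findings.append(f"{ip}: answers for {len(hosts)} different names {sorted(hosts)}")
    return findings


# --- constructed sample data (documentation-range addresses, not real sites) ---
HONEST: Dict[str, Set[str]] = {
    "bank.example": {"198.51.100.10"},
    "mail.example": {"198.51.100.20"},
    "shop.example": {"198.51.100.30"},
    "update.example": {"198.51.100.40"},
}
# A hijacking router: three names funnelled to one host, one name to the router itself.
HIJACKED: Dict[str, Set[str]] = {
    "bank.example": {"203.0.113.7"},
    "mail.example": {"203.0.113.7"},
    "shop.example": {"203.0.113.7"},
    "update.example": {"192.168.1.1"},
}
PROBE_NAMES = list(HONEST)


def constructed_resolver(table: Dict[str, Set[str]]) -> Resolver:
    """Build a Resolver from a static table; stands in for a live DNS lookup."""
    return lambda name: set(table.get(name, set()))


def findings_for_clean_router() -> List[str]:
    return audit_dns(PROBE_NAMES, constructed_resolver(HONEST), constructed_resolver(HONEST))


def findings_for_hijacked_router() -> List[str]:
    return audit_dns(PROBE_NAMES, constructed_resolver(HIJACKED), constructed_resolver(HONEST))


if __name__ == "__main__":
    for line in findings_for_hijacked_router():
        print(line)
```

To run this against a real router, supply one resolver that queries the DNS server your router advertises via DHCP and another that queries an independent resolver over a path the router cannot rewrite (the standard library cannot pick a DNS server, so a DNS client library is needed for that). A single disagreement is not proof of tampering; the non-public and shared-address heuristics are the stronger signals.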

According to this article [Tom’s Hardware URL removed] the FBI now has control of the server for the botnet as of a day ago.
“The Justice Department also advised anyone who owns SOHO or NAS products that may have been infected by VPNFilter to restart their devices. That should temporarily remove the second stage of the malware from the device, and even though the first stage will linger and attempt to reinstall the second stage, the FBI’s seizure of the domain used by VPNFilter’s command-and-control infrastructure should block those efforts.”
I restarted my home router last night. That should remove the 2nd and 3rd stage plugins if any were installed. I’m planning to reset the router to factory and upgrade any firmware that needs it on this upcoming holiday weekend.

