The VPNFilter router malware, a giant-sized IoT botnet revealed two weeks ago, just went from bad to somewhat worse.
Originally thought to affect 15-20 mostly home/Soho routers and NAS devices made by Linksys, MikroTik, Netgear, TP-Link, and QNAP, this has now been expanded to include at least another 56 from Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.
Talos gets this information by trying to determine the models on which VPNFilter has been detected but given the size of that job (affected devices number at least 500,000, probably more) the list is unlikely to be complete.
The updated alert confirms that VPNFilter has the ability to carry out man-in-the-middle interception of HTTP/S web traffic (something that SophosLabs own investigation of the malware concluded was highly likely), which means that it is not only able to monitor traffic and capture credentials but potentially deliver exploits to network devices too.
Home routers have become a big target but malware able to infect so many of them is relatively rare. The last home router scare of this multi-vendor magnitude was probably DNSChanger which took years for anyone to notice, having first emerged in 2007.
As VPNFilter is more potent – there doesn’t seem to be a simple way to detect it for a start – the safest assumption is that owners of any home router from one of the affected vendors should take immediate precautions.
But what precautions?
The chances of VPNFilter infecting a router are low given the number of infections detected by Talos relative to the huge number of home routers. However, it’s a good idea to brush up on the below anyway.
Simply turning your router on and off is not enough. Elements of VPNFilter can reportedly survive this, and reinstate infection. That leaves owners with only one option – a hard reset which takes the router back to its factory state.
After making sure you have a wired Ethernet connection to the router, there are two ways to do this – while connected to the internet or, for extra security, while disconnected from it. If choosing the latter option, you’ll need to download the latest firmware image manually before starting.
If opting for the easier option (a reset while connected to the internet), the router will guide you through the process of setting up a new internet connection, before doing the following:
- Updating to the latest firmware version. This is the most important part of the puzzle because these days routers are prey to security vulnerabilities that require patching on an ongoing basis.
- Offer the option to reinstate router settings from a backup configuration file. If these were saved before hitting reset, this will save a lot of time manually configuring them from scratch.
This is also a good time to change the router’s password and username. Plus, you should check the router to see whether any of the following interfaces are turned on when they don’t need to be:
- Remote web admin
- Port forwarding
- Unused services such as Telnet, Ping, FTP, SMB, UPnP, WPS, and remote access to NAS.
- Turn on logging – this might provide clues of future infection.
If your router is getting long in the tooth or no longer receiving regular firmware updates, consider buying a new one after assessing which vendors have a good record of patching vulnerabilities within a reasonable timeframe.
In a way, VPNFilter isn’t a bad enemy to have. It doesn’t appear to use any new zero-day vulnerabilities and relies on old ones or weak passwords and usernames. That’s a reminder of the importance of looking after routers in the same way you would a Windows or Mac computer.
For more information about VPNFilter and how to remove it watch our VPNFilter Facebook Live video or listen to the short, sharp podcast below:
LISTEN NOW
(Audio player above not working? Download MP3, listen on Soundcloud or access via iTunes.)
If you want to know more about how the malware works, SophosLabs has conducted an extensive, technical analysis of VPNFilter available in two parts: VPNFilter botnet: a SophosLabs analysis and VPNFilter botnet: a SophosLabs analysis, part 2.
Dinatekno
What if you use DD-WRT on a Linksys router? Can it still be affected?
Paul Ducklin
Depends on whether there are any security holes by which the crooks can get in, including software vulnerabilities or poor passwords. It’s possible that this malware might not work (for technical reasons – different file system layout, for example) on dd-wrt but I haven’t tried it.
(I haven’t used dd-wrt in ages. Their website isn’t in a great state at the monent – the database of supported routers has been offline for some time and the generic downloads page seems to have firmware that is 10 years old already.)
Dinatekno
Thank you! I noticed their database has been offline forever. Guess I’ll just reflash.
MikeP
I use a BT supplied VDSL router (we use a FTTC service) so use a version 5 router from them. Are these affected? If so, how to update it?
Paul Ducklin
You’ll have to ask BT…
Ed Gallagher
I would recommend flashing your router with DD-WRT firmware. DD-WRT is an Open Source firmware with an incredibly active development team. DD-WRT is impervious to VPNFilter and related bugs. Flash your router yourself or purchase a pre-flashed router from FlashRouters.
[URL removed]
John
As far as I know, DD-WRT hasn’t been updated or had a new release for 10 years. Assuming that’s true, not a good recommendation!
Paul Ducklin
The dd-wrt website isn’t in a great state at the moment – the list of supported routers has been offline for some time and the firmware download pages it sends you to seem to be 10 years old. As @John said above, not a good recommendation.
You might want to try OpenWRT instead – that project had a bit of a schism recently, splitting into two camps (OpenWRT and LEDE) but the two tribes seems to have settled their differences and are working as one again. You need to check if your exact router model is supported, though, and you probably need a separate modem to connect your router to the phone line, so it’s a bit of a science project.
Eric
I’ve kept an eye on it but haven’t actually used DD-WRT for a while – it’s still under decently active development but you have to check the wiki and/or forums for your router version and access the download folder areas directly rather than through the (somewhat) friendlier database or anything like that.
[URLs removed]
Definitely not as user-friendly as it used to be with the database and I’m not sure how directly their work compares to OpenWRT. This is mostly an “It’s alive!” post, not a general recommendation.
Mark S Wieland
So, how do we know which vendors have a good record of fixing vulnerabilities?
Paul Ducklin
I suggest having a look round the vendor’s download page. If they have a list showing regular updates and provide release notes with each update to document what changed (and better yet why) then that is a good starting point… it implies they are actively tracking the security situation.
John E Dunn
One way is to choose a well-known example from a vendor’s product range and take a close look at the firmware updates offered for it.
For example, if you go to the Asus website for the very popular AC68U, you’ll see three updates since April, excellent for a product launched in 2013. There is also a clear changelog so you can see which CVEs and flaws have been fixed (understand we’re not recommending this company or product simply using it to illustrate the point).
MossyRock
Before it was said that flashing the router with the latest firmware update would be sufficient to get rid of this malware. Am I reading now that this isn’t enough – that I must do a hard reset back to factory state first?
Paul Ducklin
For most routers, my understanding that a factory reset is probably not enough – AFAIK on most routers this resets the configuration but not the installed software components. A firmware update ought to rewrite the installed operating system, program files, scripts and other components, thereby implicitly overwriting the malware files that were added.
MossyRock
Thanks, but I’m still not clear on this. Must I do a factory reset AND then do a firmware update, or it is sufficient to JUST do a firmware update without a factory reset?
Paul Ducklin
As far as I can see, a firmware update alone should be enough in this case, as it will almost certainly overwrite the actual malware binaries (the code that makes up the malware).
I haven’t analysed this malware myself, so I have no idea why some people are advising a factory reset…
…and anyway, a “factory reset” seems to mean different things to different devices.
My own interpretation of the term has always been that a “factory reset” should mean that everything gets wiped and the device is returned to how it was when you first acquired it, possibly including a raft of security *downgrades*, but my Android phone has a popular device manager installed where “factory reset” leaves the OS and all my apps untouched, but simply wipes out my data and any temporary stuff generated by running the OS so that at the next reboot it asks me to set up the device again with my country, keyboard, Google account, etc.
In other words, a “factory reset” means different things to different vendors, and I’ve never myself experienced a “factory reset” that achieved the same outcome as a firmware upgrade to the latest official release.
YMMV, but with my personal hat on (see picture at left :-) I wouldn’t treat a factory reset as a necessary or sufficient remediation for this particular malware.
MossyRock
Thank you, Paul!
Björn
A lot of blabla bit where is the list with routers affected by VPNFilter? If the title says list I also expect a list.
Paul Ducklin
Remember that the list is not exhaustive. It’s just representative. You could have a listed router that is uninfected because you set it up conservatively; you could have an unlisted router that is infected. So don’t apply our precautions (reboot, then reflash, then reconfigure passwords) only if your router is on the list.
Having said that, you can find the list on the Cisco page that we linked to at the start of the article. There’s not much point in us repeating it here when you can just click through to it because [a] it’s Cisco’s list (they’re a router company and are actively measuring this) [b] the list is likely to be updated so you might as well look at the latest version than a frozen-in-time copy.
jim
So, given all the information about current modem-routers by name brand, how about those of us still on an ADSL line from a legacy provider (ATT) that provided us with no-name equipment that hasn’t had a software upgrade in the last 5 or 6 years?
And skip the attitude in replying; our choice is this crap or Speculum and it’s even greater crap.
Paul Ducklin
Seems like you answered your own question in your choice of words in the final sentence.
If you are forced to run a specific router that the ISP manages and that is vulnerable, I’d put a product I did trust (Sophos XG Firewall Home Edition, anyone?) between my router and my network.
jim
Hmm. Let’s see, where did I leave that spare PC…oh, that’s right I don’t have one! I appreciate the thought Paul, but even if I did have a spare PC lying around (a still functional one that is) I doubt that I could figure out what to do with it and your company’s SXGFHE since I haven’t found any sites that explain just how to do all that.
Guess I’ll just have to do the daily reboot and cross my fingers. Except when typing that is.
Pat.
Thanks for the post, I am aghast at the lack of real information and support on this one, if not for sites like yours many wouldn’t even know about it. Just curious, considering the affected component is the router, would a VPN connecting to an external site mitigate the damage the router could do since the traffic would be encrypted at both points outside the routers sphere of influence?
Paul Ducklin
The purpose of a well-configured VPN (one that goes from end to end under your control) is to let you to pass traffic through untrusted hops on the public internet – after all, if your own router isn’t a rogue, the next one might be…
…so a VPN can indeed protect you from your own router as much as from the next guy’s router (provided that the VPN encryption doesn’t start on your infected router, of course).
The reason why it’s community spirited to patch your router if you think you might be infected *even if you don’t care about your own traffic* is simply that when the crooks get a foothold on your router then you have essentially given them a free pass to use your internet connection directly for criminal purposes. (One reason crooks love routers is that they’re always on line!)
If you contribute to the CPU power and bandwidth of a zombie network – whether it’s used for sending spam, DoSsing other people’s websites, spying on friends and guests that use your LAN in good faith, or any other dodgy purpose – you’re still making things a bit worse so please patch if you can, even if you’ve got a watertight VPN for your own network traffic…
Raffles
I installed the latest firmware from the linksys website [Ver.4.30.18 (build 6)] but now I can’t log into the router, it tells me that the username and/or password is incorrect. I tried everything from the admin default to the last username and password which worked and is stored in the Firefox password manager. I guess I’m going to have to reset it.
jake
I highly highly consider using ASUS Merlin Firmware
Yaru
So, regarding your recommendation of reflashing the firmware: if I have the latest firmware available from before this started, a strong password, no alerts on Shields up!, my router isn’t on the list of affected devices, and it has no known vulnerabilities (or al least there aren’t results on every vulnerability database I check), should I still reflash it? I feel about uneasy about it because things have a long story of breaking forever when I try to mess with them.
Paul Ducklin
Good question – I reckon you are good. At least, with my “home user hat” on, if I were you, I wouldn’t reflash. I’d back myself to be OK.