Skip to content
Naked Security Naked Security

VPNFilter – is a malware timebomb lurking on your router?

A Cisco paper reports on zombie malware that has apparently infected more than 500,000 home routers.

Thanks to Cisco Talos and the Cyber Threat Alliance for providing SophosLabs researchers with early access to samples of and information about this malware.
Researchers at Cisco Talos just published a report documenting a giant-sized IoT botnet known as VPNFilter.
More than 500,000 devices around the world are said to be infected with this malware – most of them are consumer internet routers from a range of different vendors, with some consumer NAS (network attached storage) devices known to have been hit as well.
To explain.
IoT is short for internet of things, and refers to all those internet-connected devices in our lives that are small enough, and cheap enough, and everyday enough, that we forget they’re really just tiny computers in much the same way that our laptops and mobile phones are computers.
As a result, IoT devices often end up attracting little or no attention to cybersecurity while they’re being designed, when they’re shipped, or after they’re installed.
And a botnet refers to a robot network, also known as a zombie network.
That’s where crooks implant malware on thousands, or even hundreds of thousands, of computers at the same time, in such a way that they can secretly send programmatic commands to each of them – one by one, or all at the same time.

How bots work

Typically, each bot in the botnet regularly calls home, using some sort of network request, to one or more servers operated by the crooks.
On calling home, each zombie computer fetches instructions on what to do next, instructions that often include commands such as “here is a new software module to install and add to your menagerie of dirty tricks.”
In other words, zombie networks are not only able to mount large-scale simultaneous attacks all across the globe, they can also adapt and update themselves to include malware capabilities that the crooks feel like adding later on.
In some cases – and this newly-announced VPNFilter malware is one – zombies include a special command to implement what you might call a “run, the cops are coming!” policy, where the malware deliberately kills itself and sometimes the device on which it’s running.
Not only does VPNFilter include a kill command, but, according to Cisco, the kill command purposely overwrites the flash memory of the device.
Home routers sometimes can’t be used at all after the flash memory is wiped out (at least, not without soldering special connectors onto the motherboard or making some sort of fiddly internal hardware modification), because the bootup software needed to recover the device is itself stored in the flash memory.
Devices in this state are said to be bricked, a metaphor that means the device is now about as useful as a brick – you can use it to prop a door open, but that’s about all.

When SophosLabs examined this malware, it found that the kill command instantly shut down the bot, but didn’t try to wipe the device. The flash-wiping code was present in the compiled malware code, but never used. You can read the full SophosLabs VPNFilter botnet analysis on the Sophos News website.
The VPNFilter malware also includes an auto-update component, allowing its functionality to be updated at will; one of the add-on malware modules found so far is a so-called packet sniffer.
Sniffers tap into the network software inside the operating system so that they can monitor network packets, looking out for data of interest in any network traffic that isn’t encrypted.
VPNFilter looks out for various data patterns, including web requests associated with known vulnerabilities, login requests that indicate password-protected web pages where the password is blank, and unencrypted web traffic that might contain usernames and passwords.

What to do?

The problem with IoT devices such as routers is that they’re plugged directly onto the internet by design.
For many home users, they act as a combined internet modem (plugged into the phone line on one side), router (they’re plugged into the LAN on the other side), firewall and wireless access point.
Yet many routers are effectively a “closed shop”, rather like an iPhone: you’re not supposed to be able to access the files, modify the software, make your own tweaks, or apply your own updates or improvements.
Some ISPs insist that you use their routers to access their service, so you can’t even switch out the router model they provided for one of your own choice.
Nevertheless, whichever router you use at home or in your business, it’s time for a router healthcheck.
Don’t delay – do it today!

  • Check with your vendor or ISP to find out how to get your router to do a firmware update. Many routers do receive security updates, at least from time to time, but they’re often not downloaded or installed automatically. You typically need to login to the administration console and click some sort of [Check now] button. If you live in a country with daylight savings, why not do an update check on all your IoT devices every time the clocks change? Crooks routinely scan the internet probing for routers that have unpatched security holes that they already know how to exploit. Don’t make it easy for crooks to implant malware: patch early, patch often!
  • Turn off remote administration unless you really need it. Many routers let you access the administration interface from the internet side as well as from the LAN side of the device. Some even come like that out of the factory. Crooks routinely scan the internet probing for login screens that aren’t supposed to be visible and are thus less likely to be secured properly. Don’t make it easy for crooks to find your devices and start guessing away at your password.
  • Pick proper passwords. Many routers ship with a pre-set administrator password, and some routers don’t force you to pick a new password when you first set them up. Crooks have extensive lists of default usernames and passwords for all sorts of internet devices. Don’t give crooks the keys to your castle by sticking with a password that they can figure out easily.
  • Stick to HTTPS for as much web browsing as you can. Generally speaking, web connections that show up with a padlock in your browser are encrypted end-to-end, so they can’t be sniffed out along the way by an untrusted internet device, whether that’s due to a malware infection on your own router, a rogue ISP in your network path, or a surveillance-hungry country that your traffic happens to traverse.

By the way, as far as we can see, performing a firmware refresh on many home routers will wipe the VPNFilter malware, along with many other strains of router malware.
In other words, even if you are already up-to-date and don’t think your device is infected, a firmware refresh will give you a double peace of mind: your router will be up to date and you’ll be in a known-good state.

Want to run a VPN at home for added security, where your VPN starts and terminates inside your IoT router and therefore can’t be sniffed by malware on the way? If you have a spare computer handy, why not try the Sophos XG Firewall Home Edition? You get a free licence for everything the product can do, including anti-virus, web filtering, email security, intrusion prevention, plus a fully-fledged VPN.

22 Comments

I can’t seem to reach the Talos site from my network to see the original post. But I am curious to know if the actual model numbers of the affected devices have been made available. Those four vendors manufacture many different models and narrowing down who could be affected is probably a better approach to security than the blanket “you should refresh your firmware” advice given to the less-than-computer-literate.

I disagree. Cisco published a partial list of models they know of where this malware was confirmed, for completeness. (The link’s in the article. I’m not going to copy and paste the list here on the grounds that Cisco might choose to update it which would leave my copy out of date, and anyway it’s their research, so give them the click-love and get the list there if you want it.)
But patching *only if you are on that list* is a false sense of security. As far as we know, these infections don’t depend on your router being unpatched – that merely makes infection by this or any other malware more likely.
So patching isn’t enough on its own, and it isn’t something you should do specifically for this malware, or specifically because you are on the router list this time.
Patching is part of our “router lifestyle” advice, and this malware outbreak is handy proof of why that advice is sound. That’s the story here.
Simply put, it’s a good idea to know how to apply firmware updates from your router vendor, and it’s the people you describe as “less-than-computer-literate” who would benefit from asking their vendors how that process works.
What we don’t want is your “less-than-literate” people inferring that patches are irrelevant to them simply because they don’t have one of the routers on Cisco’s list in this specific case.

Note. Some commenters are desperate to “fill in” the list of affected routers by copying lists from other sites, which in turn have copied the list from Cisco.
I don’t see any value in that so I am not approving those comments – you might as well get the list from the horse’s mouth, where it is more likely to be correct and up-to-date. So I’ll copy and paste the link from the article above instead:
https://blog.talosintelligence.com/2018/05/VPNFilter.html
Also, patching *only because you have one of the routers on the list* is silly. The list is just Cisco’s telemetry of devices that are known to have been infected in this case.
As Talos the researchers wisely say (this part I will copy and paste!):
“Given our observations with this threat, we assess with high confidence that this list is incomplete and other devices could be affected.”
Patch your router anyway because you should patch your router anyway.

How do you know if you are infected? What tools can you use to check?

That’s tricky because many, perhaps even most, routers deliberately don’t let you get the sort of access you’d need to do a virus scan. We covered this issue in a Facebook Live that we published after this article. You can watch it here:
https://www.facebook.com/SophosSecurity/videos/10155623922305017/

Does having converted from factory firmware to OpenWRT make any difference on this?

Yes, I think it does. One of our researchers tried infecting an OpenWRT system. No go! AFAIK there’s a bit of an impedance mismatch between the OpenWRT file system layout and what the malware is looking for, so the two seem to be incompatible.
Also, I’m guessing that if you’ve already taken the trouble to switch to OpenWRT, then you’ve already convinced yourself that router cybersecurity is important.

Nice article!, I was wondering where did you find that piece of information about OpenWrt? I would like to learn more about that.

And if your isp asks you to turn on remote admin just for them to fix one detail and they want you to use an obviously weak password, propose an alternative one.
Mine did, and when I replied with my alternative password they used it.

For those who have not already read/seen the latest update, the FBI has now taken control of the command and control servers for VPNFilter and is asking everyone to restart their routers to help determine what hardware systems are all affected by VPNFilter.

It is a little more subtle that just patching, isn’t it? Even if you are current, it probably makes sense to “update” your firmware with the current version over the top of the current version because there is a good chance doing so clears out possible infections.

We agree. That’s why we suggested in the article:
“[E]ven if you are already up-to-date and don’t think your device is infected, a firmware refresh will give you a double peace of mind: your router will be up to date and you’ll be in a known-good state.”

Whay about Xfinity? Are they exposed

Check with the vendor, is all I can say.
This isn’t the first router malware. It won’t be the last. So you might as well do the whole patch-and-pick-proper-passwords process anyway…

We have the sophos UTM (sg230) , that is facing the internet – no routers in between , do we still need to be worried since our pattern and firmware versions are up to date?

This malware is affecting home and small biz routers. If your Sophos UTM is directly on the Internet then you can largely ignore the VPNFilter saga…
…though take a look at your router at home ;-)

Maybe I’m missing something in the articles I’ve read, but I don’t understand how routers are getting infected to start with.

Seems the most common ways are: old, unpatched firmware with exploitable bugs in it allowing crooks to sneak in; and poor (or default) passwords allowing crooks to guess their way in. Thus our recommendation to reflash with the latest firmware and fix those passwords.

Hi Paul Ducklin ,
i agree with you this was a wonderful information about the reset of wireless router but my router still ask previous password before configure the setting can you tell me the best solution for this kind of problem .
Thanks.

If you don’t have your router’s password then you can’t log in and change any settings, so you’re stuck. You will need to do what’s called a “factory reset” that reconfigures all the settings to how they were when you first got it. Then you will need to reconfigure it from scratch.
For how to do a factory reset you will need to find a manual for your model of router, or ask your service provider, or try your favourite search engine…

Nice of ‘sh1tGEAR’ to release a patch (.110) so broken that when the router reboots, it doesn’t resend a new DHCP negotiation to the client (which hadn’t shown any issues with this previously on the exact same physical infrastructure and client OS). Why do they always fail to test stuff properly? Charge an extra $5 per device, and it’ll be paid-for, testers aren’t that expensive and people aren’t that cheap (at least if you’re HONEST and hype-free in your marketing, and remind people that they get what they pay for, and they’re STILL only paying little at that theoretical $5 extra, hint hint).
Or maybe it’s not ‘sh1tGEAR’s fault, and it’s a result of the infection being permanent? Oh hold on, that’s their fault, too.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?