VPNFilter Malware

[ls3c6]

So RT-N66 is or is not vulnerable on merlin 380.70 or newest john fork? I see asus released a 382 update mid may 2018.

 

[kfp]

So RT-N66 is or is not vulnerable on merlin 380.70 or newest john fork? I see asus released a 382 update mid may 2018.

VPNFilter is a malware campaign, not any specific bug, therefore there is no specific firmware versions that will ‘fix’ it.

The initial infection methods are still unknown, but I’m guessing a mix of old bugs + 0days.

 

[gatorback]

VPNFilter is a malware campaign, not any specific bug, therefore there is no specific firmware versions that will ‘fix’ it.

The operating mechanisms of the malware are known: is it not possible to build new firmware and configure user & network settings that will defend against the attack? If not, why?

 

[kfp]

The operating mechanisms of the malware are known: is it not possible to build new firmware and configure user & network settings that will defend against the attack? If not, why?

You can put in measures that would decrease the chance of getting infected, add in measures to make sure you can detect fast once infected, and measures to prevent malware from reaching out to their known C&C server IPs. You can definitely ‘defend’, just that no one can guarantee 100% that you will be immune. There is no ‘vaccine’.

 

[ColinTaylor]

The operating mechanisms of the malware are known:

Unfortunately detailed "operating mechanisms" are not publically known for Asus routers AFAIK. The article you linked to and the others I have seen are all using examples from an x86 infection. Our routers don't run x86 code. The article then goes on to say that it changes /etc/config/crontab. This is the standard x86 QNAP crontab, but this file doesn't exist on our routers. Even if it did alter the cron file that the router does use it still wouldn't be persistent across reboots because it's only held in RAM.

So my point is that at the moment we can't reliably draw any direct comparisons with the publically disclosed x86 information and our routers.

 

[gatorback]

You can put in measures that would decrease the chance of getting infected, add in measures to make sure you can detect fast once infected, and measures to prevent malware from reaching out to their known C&C server IPs. You can definitely ‘defend’, just that no one can guarantee 100% that you will be immune. There is no ‘vaccine’.

I think we are in agreement here. Vaccines \ antibiotics address a limited spectrum (scope) of pathogen-variants, which regularly mutate to seemingly counter vaccines in a 'cat and mouse' game (Influenza comes to mind). I think that VPNFilter is a specific pathogen strain (maybe this is not true?): it could 'mutate' and it certainly is not the only instance in its class (APT-botnet). The semantics around the discussion is critical and challenging because internet forums are not quite the same as a face to face conversation.

It is important that the term VPNFilter be confined to a specific 'strain' so as to be narrow enough to be useful from a CVE standpoint and communicated to achieve a common understanding.

 

[kfp]

I think we are in agreement here. Vaccines \ antibiotics address a limited spectrum (scope) of pathogen-variants, which regularly mutate to seemingly counter vaccines in a 'cat and mouse' game (Influenza comes to mind). I think that VPNFilter is a specific pathogen strain (maybe this is not true?): it could 'mutate' and it certainly is not the only instance in its class (APT-botnet). The semantics around the discussion is critical and challenging because internet forums are not quite the same as a face to face conversation.

It is important that the term VPNFilter be confined to a specific 'strain' so as to be narrow enough to be useful from a CVE standpoint and communicated to achieve a common understanding.

Since you mentioned CVE then I’m going to stop with the virology comparisons since I’m not well versed enough in that to make an analogy on the top of my head with what I’m going to describe.

In the past we had a lot of named bugs like Heartbleed, Shellshock, KRACK etc. All of those describe a specific flaws in the software hence they got CVEs for it.

VPNFilter is NOT one of those; VPNFilter is the payload that gets delivered AFTER one of those CVEs is exploited. That’s why we say the initial vector is unknown; we don’t know what is being exploited first to deliver VPNFilter. Without knowing that, there is really nothing to patch because you don’t know where the software flaw is. All we can do is some preventative measures to decrease the risk of flaws being used to deliver VPNFilter.

 

[umarmung]

VPNFilter is like AIDS before anyone knew what HIV was. They can see what damage it does, that it is different from everything else, but not what caused it.

Also like HIV, this is not what kills you but how it leaves you vulnerable and therefore what comes after.

 

[FreshJR]

The operating mechanisms of the malware are known: is it not possible to build new firmware and configure user & network settings that will defend against the attack? If not, why?

The method of infection is not known.

Currently the only thing you can do is disable all services that open the router up for communication with the internet.

SSH form WAN*
GUI Access from WAN*
AiCloud+similar features
VPN
AutoFirmware check

these features will revert the router into true router mode. The router itself will not communicate over the internet at ALL which severely limits attack vectors.

The ones with astrikes should NEVER be enabled in the first place.

We know that VPNfilter also affects routers without these internet features, so how it gets past iptables is a mystery.

It could be possible that it attack’s LAN devices which then attack your router. Until the infection method is caught this is all speculation.

No you enable the features outlined above and have them be bulletproof. Some are bigger risks than others.

 

[makksi]

That's because this is a 382 firmware, which isn't updated as frequently. Many of these CVEs were fixed weeks ago in the 384 firmware releases.

Comfortable reply from ASUS customer service for RT-AC56U so far:

Gentile cliente,

la ringraziamo per avere contattato il supporto Asus.
Circa la Sua richiesta, il router RT-AC56U non è infettato dal malware "VPN filter". Al momento non è disponibile un tool da Asus per testare i routers relativamente al malware "VPN filter".

Qualora la risposta fornita non fosse stata chiara ed esaustiva La preghiamo, prima di esprimere le sue valutazioni sul nostro servizio, al fine di migliorare lo stesso, a replicare a questa e-mail.

Cogliamo l'occasione per porgere cordiali Saluti.

Customer Service Asus
Giorgio P.
Web: https://www.asus.com/it/support
Contatti : https://www.asus.com/it/support/CallUs

 

[Keenan]

Comfortable reply from ASUS customer service for RT-AC56U so far:

Gentile cliente,

la ringraziamo per avere contattato il supporto Asus.
Circa la Sua richiesta, il router RT-AC56U non è infettato dal malware "VPN filter". Al momento non è disponibile un tool da Asus per testare i routers relativamente al malware "VPN filter".

Qualora la risposta fornita non fosse stata chiara ed esaustiva La preghiamo, prima di esprimere le sue valutazioni sul nostro servizio, al fine di migliorare lo stesso, a replicare a questa e-mail.

Cogliamo l'occasione per porgere cordiali Saluti.

Customer Service Asus
Giorgio P.
Web: https://www.asus.com/it/support
Contatti : https://www.asus.com/it/support/CallUs

"Dear customer, thank you for contacting Asus support. Regarding your request, the RT-AC56U router is not infected with the "VPN filter" malware. At the moment there is no tool available from Asus to test routers for "VPN filter" malware. If the answer provided was not clear and exhaustive, please, before expressing its evaluations on our service, in order to improve the same, to reply to this e-mail. We take the opportunity to give you cordial greetings."

 

[Paliv]

So, as I understand it, this malware is now known to be able to redirect https traffic and knock it down to http for implementations without safeguards (forgive me if I misunderstand the mechanics). With that revealed would it be prudent to run a vpn service’s client on any device that you are logging into accounts on? Or is that not a viable safe guard?

 

[willyburz]

Is the AC3200 popping up on any lists?

 

[martinr]

"Dear customer, thank you for contacting Asus support. Regarding your request, the RT-AC56U router is not infected with the "VPN filter" malware. At the moment there is no tool available from Asus to test routers for "VPN filter" malware. If the answer provided was not clear and exhaustive, please, before expressing its evaluations on our service, in order to improve the same, to reply to this e-mail. We take the opportunity to give you cordial greetings."

Seems odd to say there’s no tool for testing a if a router is infected whilst stating the RT-AC56U is not infected, without any qualification, such as, so far there have been no reports ... etc. I’d say a slightly confusing reply rather than a comfortable one, perhaps even an uncomfortable reply.

 

[Razor512]

What I wonder about is what will be done with the companies that have a bunch of routers that are widely used but is EOL and no longer receiving updates, all while the companies take steps to prevent users from running 3rd party firmware?

With more and more devices being added to the list, we are getting into the realm of devices that likely will never receive an update, and the manufacturers will not give up on doing everything possible to prevent 3rd party firmware from being used.

 

[RMerlin]

What I wonder about is what will be done with the companies that have a bunch of routers that are widely used but is EOL and no longer receiving updates, all while the companies take steps to prevent users from running 3rd party firmware?

If you are a company and you are running a router that's already EOL, then you're doing it wrong from the get go IMHO.

 

[kfp]

If you are a company and you are running a router that's already EOL, then you're doing it wrong from the get go IMHO.

I think @Razor512 meant the manufacturers, not a company that uses Asus routers in a business setting

 

[ColinTaylor]

I think @Razor512 meant the manufacturers, not a company that uses Asus routers in a business setting

Yes I think that was his point. There's a parallel with mobile phone software (or any software for that matter). There was a failed attempt recently to force Samsung to support its phones for at least four years after they go on sale.

 

[Razor512]

I was focusing on the consumer/ home users, people tend to not replace their routers very often, and there are many manufacturers out there who love to drop software support after around 6 to 12 months.

 

[sfx2000]

If you are a company and you are running a router that's already EOL, then you're doing it wrong from the get go IMHO.

If one is a sysadmin/netadmin running a consumer router for access for a small/medium enterprise - you deserve what you get

There are devices that target small/medium enterprises, and many do get longer support cycles where patches and support is available.