VPNFilter Malware

[Lee MacMillan]

I was focusing on the consumer/ home users, people tend to not replace their routers very often, and there are many manufacturers out there who love to drop software support after around 6 to 12 months.

Which is why I just bought an Asus router. My 2 1/2 year old TP-Link router (a currently available model) had not had a firmware update in 2 years. Was pleasantly surprised when I discovered the RT-AC66U B1 firmware was updated this month! Very happy with it so far.

 

[TuxedoCruise]

Hello. I'm pretty illiterate when it comes to computer security, but I try to keep my router firmware updated. I have the Asus RT-AC66R, which I believe is the same thing as the RT-AC66U.

I changed the default admin password the minute I took it out of the box, and it's a strong password. Remote admin through WAN has always been disabled. Is my router mostly safe from VPNfilter?

Asus has been awesome with updating their firmware for a lot of older routers, but I'm not sure if they've patched any exploits that are susceptible to VPNfilter.

Thanks for answering my question.

 

[o-l-a-v]

Hello. I'm pretty illiterate when it comes to computer security, but I try to keep my router firmware updated. I have the Asus RT-AC66R, which I believe is the same thing as the RT-AC66U.

I changed the default admin password the minute I took it out of the box, and it's a strong password. Remote admin through WAN has always been disabled. Is my router mostly safe from VPNfilter?

Asus has been awesome with updating their firmware for a lot of older routers, but I'm not sure if they've patched any exploits that are susceptible to VPNfilter.

Thanks for answering my question.

As stated several times in this thread, the attack vector is still unknown. VPNFilter is the outcome of an attack. The attack might be launched from LAN side. If thats the case, disabling access from WAN would not help you.

 

[Mojolacerator]

Hello. I'm pretty illiterate when it comes to computer security, but I try to keep my router firmware updated. I have the Asus RT-AC66R, which I believe is the same thing as the RT-AC66U.

I changed the default admin password the minute I took it out of the box, and it's a strong password. Remote admin through WAN has always been disabled. Is my router mostly safe from VPNfilter?

Asus has been awesome with updating their firmware for a lot of older routers, but I'm not sure if they've patched any exploits that are susceptible to VPNfilter.

Thanks for answering my question.

You've done everything you can at the moment.

 

[Hawkster]

Hello. I'm pretty illiterate when it comes to computer security, but I try to keep my router firmware updated. I have the Asus RT-AC66R, which I believe is the same thing as the RT-AC66U.

I changed the default admin password the minute I took it out of the box, and it's a strong password. Remote admin through WAN has always been disabled. Is my router mostly safe from VPNfilter?

Asus has been awesome with updating their firmware for a lot of older routers, but I'm not sure if they've patched any exploits that are susceptible to VPNfilter.

Thanks for answering my question.

TuxedoCruise, I have the exact same router and from what I read the only thing I did that you haven't mentioned was that I reset the router to factory defaults and created a stronger password for the wireless 2.4 G and 5 G. I also downloaded the ASUS app for my smartphone which has some settings to check for the latest firmware (from ASUS which I'm using) and has settings for remote access to make sure that the router is secure like has been mentioned so far. What firmware version are you using?

 

[kfp]

I also downloaded the ASUS app for my smartphone which has some settings to check for the latest firmware (from ASUS which I'm using) and has settings for remote access to make sure that the router is secure

How is remote access making it more secure? Some older versions of the app opened up HTTP(S) to WAN without notifying users, I wouldn’t touch that app.

 

[Hawkster]

How is remote access making it more secure? Some older versions of the app opened up HTTP(S) to WAN without notifying users, I wouldn’t touch that app.

I'm sorry, I should've mentioned to make sure you have the latest version of the app installed on your smartphone because I believe the latest versions have been updated and has a TrendMicro Security Scan in the more section that shows what's enabled or not. I double checked through the web interface and these settings were correct.

 

[JaimeZX]

Let me also recommend reading through routersecurity.org. Lots of good generic tips there for locking your stuff down.
o-l-a-v is correct that the specific vulnerability(ies) VPNFilter uses to compromise the router is/are unknown. CISCO Talos suspects it uses well-known vulnerabilities that are nonetheless ignored by most users (changing default username/password/SSID, etc.) but we don't *know* that to be the case.

 

[coxhaus]

https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

Looks like the following ASUS routers have been found to have VPNfilter virus.

Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

 

[ColinTaylor]

Looks like the following ASUS routers have been found to have VPNfilter virus.

Already reported in post #35.

 

[JaimeZX]

So one thing I'm not clear on... the malware redirects HTTPS:443 requests to HTTP:80... does it convert back the returns? Wouldn't I, an astute user, notice that Amazon, or my bank website, is coming over HTTP?

 

[kfp]

So one thing I'm not clear on... the malware redirects HTTPS:443 requests to HTTP:80... does it convert back the returns? Wouldn't I, an astute user, notice that Amazon, or my bank website, is coming over HTTP?

That’s just one of the actions the malware can perform, it doesn’t mean all devices affected automatically turn that feature on.

 

[Butterfly Bones]

So one thing I'm not clear on... the malware redirects HTTPS:443 requests to HTTP:80... does it convert back the returns? Wouldn't I, an astute user, notice that Amazon, or my bank website, is coming over HTTP?

Probably yes. Here is a way to help keep an eye on that even if you get busy.

HTTPS Everywhere from Tor Project and Electronic Freedom Foundation.

 

[kfp]

HTTPS Everywhere from Tor Project and Electronic Freedom Foundation.

I’m thinking this will create an infinite loop of redirects between the extension and the malware [emoji23]

 

[Butterfly Bones]

I’m thinking this will create an infinite loop of redirects between the extension and the malware [emoji23]

Anytime I hit an HTTP only site, it just stops dead, which is rare these days. So I hope that if the router gets infected, that the HTTPS to HTTP redirects just stop me from going on and I then think more deeply. I mean this in regard to sites I use frequently like my banking or news sites, etc.

 

[JaimeZX]

But if VPNFilter redirects responses back to HTTPS on LAN side, how will the browser plugin know any different?

 

[kfp]

But if VPNFilter redirects responses back to HTTPS on LAN side, how will the browser plugin know any different?

HTTPS certs. Your browser should display a cert error.

 

[martinr]

“Symantec has developed VPNFilter Check, a free online tool to help individuals and organisations quickly determine if their router might have been compromised by the VPNFilter malware.”

https://www.theregister.co.uk/2018/07/02/vpnfilter/

 

[coxhaus]

Has anybody been able to find a virus on their router?

 

[Alessio]

Any news? I can not find any firmware for my RT-AC66U which fixes this bug

I'm considering to buy a new router, but I'd really like to continue to use my glorious RT-AC66U.