Okay, I uploaded and installed TP link newest firmware. Noticed my DSN/WAN numbers were changed within my laptop. I am a newbie, so bear with me. I went to my LAN and Wifi properties, TCP/ipv4 settings and I had the DNS at 8888 and 8844 Google Public? When this FBI message came out they were all Zeros. Like I said, newbie here. I cant change anything in my Modem from Comcast, but my wifi router I can, but do I?
VPNFilter Malware
- Thread starter AntonK
- Start date
Marko Polo
Senior Member
Well, this kinda unpleasant to live without clarity from where to expect the bummer. No single word (even in Talos blog) about the attach technique
Anyone see this? https://www.nytimes.com/2018/05/27/technology/router-fbi-reboot-malware.html Not sure how rebooting the router is going to stop Malware but I'd assume the TrendMicro software on this router is protecting it.
Rebooting would purge any running malware processes, unless they have established persistence beforehand (which VPNFilter is reported as capable of doing). Rebooting is not a bullet proof fix but it’s a good start.
OzarkEdge
Part of the Furniture
More info here: https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware
And I found this opinion:
"Looking at the initial data I don't think DD-WRT would offer any protection from this exploit. It appears to target the router at the Common Firmware Environment (CFE) level and leverage Busybox to write the “stage-one” code to NVRAM. The CFE loads as part of the boot process DD-WRT so all of this happen before DD-WRT is even running. This is also what gives the exploit reboot persistence. Something not mentioned in most articles. The reboot recommendation does not clear the malware from an infected router. The FBI request to reboot all consumer routers appears to be an effort to track the extent of the "phone home" capability present in the stage-one code. I would think removing the malware would require serial TTL telnet session to locate the CRONTAB call to the exploit stored in NVRAM and manually remove said exploit. I have not been able to locate specifically the hardware vulnerability used to gain access to the router at this level but I have some prime suspects that I will link below along with the sources I have found. Also, the article does not mention other smart devices like Netgear smart switches or range extenders which are built on similar hardware/firmware. This could be a much bigger issue for all."
I assume you can interchange the reference to DD-WRT with the stock firmware for any afflicted hardware.
IF a particular router hardware is afflicted and runs AiProtection, I would not assume that it is protected. I have not seen any ASUS routers mentioned.
OE
That does not make sense at all, agree with poster’s overall sentiment though.
That depends on how AiProtection works (which I’m not familiar with). If it is half decent and behaves like normal PC AV, it should detect if your router is comprised or not with the published IOCs (file hashes, C&C IPs), after receiving a signature update.
Where did you find that opinion? They seem to have a little more information than what’s circulating out there.
Last edited:
OzarkEdge
Part of the Furniture
Same thought here, but I'm no expert on this.
https://www.myopenrouter.com/forum/dd-wrt-susceptible-vpnfilter-malware
OE
The best technical source of information at this stage:
https://blog.talosintelligence.com/2018/05/VPNFilter.html
Includes known C&C servers. Tho I suspect many of these are unreachable at the moment following the FBI domain takedown, a malware update could potentially switch to a different domain. If you have any frontline firewall, might be worth monitoring/blocking those IPs.
https://blog.talosintelligence.com/2018/05/VPNFilter.html
Includes known C&C servers. Tho I suspect many of these are unreachable at the moment following the FBI domain takedown, a malware update could potentially switch to a different domain. If you have any frontline firewall, might be worth monitoring/blocking those IPs.
Some more odd points in this opinion:
1. Not all affected devices are using CFE, I wonder how that person came to that conclusion. The QNAPs for example use U-Boot.
2. “leverage Busybox” is just an odd term to use, there is nothing special about Busybox and there are other utilities that are capable of writing to NVRAM.
3. Of course CFE “loads as part of the boot process” because that’s what a boot loader does.
4. Who said the initial vector(s) is a “hardware vulnerability”? If it were using hardware vulnerability there is no way it got this widespread, unless it’s leveraging architectural vulnerabilities like Spectre/Meltdown. All reports says it’s likely through insecure default configurations like WAN access to admin interface and default/weak passwords.
At this point, unless the original post of that opinion can back up his claims I’d just ignore it.
Considering Netgear recently advised people to refrain from exposing the webui to the WAN, I suspect vulnerabilities in the remote web interface/weak logins are one of the attack vectors used for the initial infection.
In QNAP's case, I suspect that means they leverage security issues in authLogin.cgi (which was tied to Shellshock), which were patched last year by QNAP. After that, they can store themselves in plenty of different locations. Actually, I spent the morning cleaning up a customer's QNAP. Probablyu wasn't VPNFilter, one of the payloads was a cryptominer. QNAP's MalwareRemover only located part of the payloads, and it failed to track down the installer that ran every reboot. I finally tracked down the malware installers hidden inside two of the /etc/init.d/ scripts, that would download and install the payload from remote servers on every reboots. One of them was a cryptominer and it also attacked autoLogin.cgi, the other one was failing to connect to its remote server, so I have no idea what its payload was...
Mini rant: reporters/bloggers who don't understand what they are talking about should stop injecting opinions and half-assed assumptions inside their articles. Only today I saw two articles claiming that "The FBI recommends that you reboot your routers to remove a malware installed by Russians". None of the initial write ups from Cisco/Talos ever mentioned Russia..... They said it was likely to be state-sponsored, and no country was ever named.
New Dan Goodin article over at Ars referring to new Cisco blog post with details.
More devices are now susceptible.
Talos said VPNFilter also targets a much larger number of devices than previously thought, including those made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The malware also works on new models from manufacturers previously known to be targeted, including Linksys, MikroTik, Netgear, and TP-Link. Williams estimated that the additional models put 200,000 additional routers worldwide at risk of being infected. The full list of targeted devices is:
Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)
D-Link Devices:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)
Huawei Devices:
HG8245 (new)
Linksys Devices:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N
Mikrotik Devices:
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)
Netgear Devices:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)
QNAP Devices:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link Devices:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)
Ubiquiti Devices:
NSM2 (new)
PBE M5 (new)
Upvel Devices:
Unknown Models* (new)
ZTE Devices:
ZXHN H108N (new)
More devices are now susceptible.
Talos said VPNFilter also targets a much larger number of devices than previously thought, including those made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The malware also works on new models from manufacturers previously known to be targeted, including Linksys, MikroTik, Netgear, and TP-Link. Williams estimated that the additional models put 200,000 additional routers worldwide at risk of being infected. The full list of targeted devices is:
Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)
D-Link Devices:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)
Huawei Devices:
HG8245 (new)
Linksys Devices:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N
Mikrotik Devices:
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)
Netgear Devices:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)
QNAP Devices:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link Devices:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)
Ubiquiti Devices:
NSM2 (new)
PBE M5 (new)
Upvel Devices:
Unknown Models* (new)
ZTE Devices:
ZXHN H108N (new)
Interesting element here - all of these are older MIPS-based design, none of them use the ARM architecture.
ColinTaylor
Part of the Furniture
Did they say why they sent that message to the staff, given that the information is two weeks old? Perhaps they like sending out random pieces of IT information?
juniorsweet
Occasional Visitor
Here's a comment on the susceptibility of DD-WRT to this malware
https://www.myopenrouter.com/comment/42801#comment-42801
https://www.myopenrouter.com/comment/42801#comment-42801
Similar threads
Similar threads
Similar threads
Latest threads
-
GT-AX11000 Dropping all connections wired and wireless
- Started by camarolt1guy
- Replies: 0
-
How to block LAN access for a wired device on ASUS Merlin (Firmware 3004.388.8_2)?
- Started by kuposcar
- Replies: 5
-
RT-AX88U maxing out a core and regularly showing 60+ MB/s upload
- Started by SmallKiwi
- Replies: 2
-
-
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!