VPNfilter router botnet

For discussions about security.
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

VPNfilter router botnet

#1 Post by prehistoric »

In the last two weeks I've made a couple of house calls to fix router problems for people I know. Meanwhile, I've been learning that the router malware VPNfilter is much more dangerous than thought.

Cyber Threat Alliance
Talos Intelligence

This is now known to infect 71 different common router models.

Bleeping Computer

You also need to check on changes in label. Cisco has sold its Linksys business to Belkin, so several listed models are not supported by Cisco, and Belkin has little incentive to support older devices they never sold. At any rate, Foxconn has now bought Belkin. Who you gonna call?

Analysis shows VPNfilter uses a sophisticated approach to finding the IP address to phone home to. The address is not hard-coded in the firmware. Data stored in the EXIF files of pictures on Photobucket is extracted, and if the first attempt fails it goes down a list. Besides checking for its own updates, the software has plugins that can alter behavior, and we don't know what they will do when they appear. We do know it has a "kill" function that can wipe evidence and "brick" a router on command, effectively destroying it.

I keep replacement routers handy, but most people don't.

When operating it is capable of carrying out a "man in the middle" attack which negates the use of HTTPS, among other things. It is also capable of sending all your search requests to a system you never imagined. I've seen a much less sophisticated version of that before.

I've heard of router malware that targets online banking, but have never encountered this. VPNfilter could easily do this if it were upgraded.

The name is based on the way this botnet resembles a VPN that filters your communication. It highlights a problem few people consider with VPNs: how do you know that the service is not being operated by the last people you would trust?

I'm in agreement with those experts that blame this one on a nation-state. It does have the characteristics of APT28.

The total manpower required to extract, analyze and reprogram firmware from 71 types of routers is well beyond amateur efforts. The botnet setup is also very sophisticated, and likely to persist.

The "threat surface" is very large, and many known vulnerabilities are being exploited. Against this threat we have many people who never change the default router administrator password and don't understand remote administration. Last week I had to explain to one old gentleman that this was not the password for his WiFi. He also thought the WPS button was the factory reset button. If you don't even know a problem exists, how can you deal with it?

Besides doing a factory reset on the router, and reloading the latest firmware, you need to disable remote administration. This is inconvenient because it forces you to connect directly to the device with a cable to change settings, but you can do this when the device is completely isolated from the Internet so nobody can exploit a vulnerability in the default firmware. Once you have it under your control, you can connect and update to the latest firmware, assuming this is available.

This still leaves the problem that manufacturers have little motivation to update firmware for devices they sold last year. There are several open source versions of router software for popular models, but you also need to know if these contain hidden "backdoor" code, and checking is not a simple process.

(This malware contains code that does an XOR operation to extract some data from other parts of the firmware. I've used this legitimately to protect proprietary firmware from being copied. You could read the entire source code for the device and still not find the magic numbers needed to make it work. Blindly modifying the code will change those results and very likely stop the firmware from functioning. People pirating software don't want to put in as much effort as original developers, and they do want to remove evidence it was illegally copied, like copyright notices embedded in code. By combining such data with data from essential code needed to function you can make it much harder to analyze the protection. You also may have code that checks that no one has modified the XOR operation. That's life in the wild west of software.)

At one time Cisco routers did contain backdoor code, put there to satisfy U.S. government agencies. We still don't know how many vulnerabilities in router firmware exist because of similar demands from governments of whatever nationality. This isn't really necessary when users are as ignorant as above and router manufacturers are delinquent in closing known vulnerabilities.

Is this any way to run networking?
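The XOR-based protection described in the parenthetical above, as an added illustration that is not part of the original post: the "essential code" bytes, the magic values and the tamper check are all constructed for this example, not taken from any real firmware.

```python
import hashlib

# Constructed stand-in for an "essential code" region of a firmware
# image: bytes the device must run unmodified to function at all.
ESSENTIAL_CODE = bytes.fromhex("e92d4010e59f0010e5810000e8bd8010")

# Constructed "magic numbers" the device needs at run time. They are
# never stored in the clear; the image only carries the XORed blob.
MAGIC = bytes.fromhex("deadbeef00c0ffee")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against key, repeating the key if data is longer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def protect(magic: bytes, code: bytes) -> bytes:
    """Build-time step: hide magic by XORing it against the code bytes."""
    return xor_bytes(magic, code)


def recover(blob: bytes, code: bytes) -> bytes:
    """Run-time step: rebuild magic from the blob and the code as it
    actually exists in memory. Any change to the code changes the result."""
    return xor_bytes(blob, code)


def code_tag(code: bytes) -> str:
    """Tamper check on the code region that feeds the XOR step."""
    return hashlib.sha256(code).hexdigest()


def blind_patch(code: bytes, offset: int) -> bytes:
    """Simulate someone blindly zeroing one byte of the code region."""
    patched = bytearray(code)
    patched[offset] = 0x00
    return bytes(patched)


def demo() -> dict:
    blob = protect(MAGIC, ESSENTIAL_CODE)   # what actually ships in the image
    tag = code_tag(ESSENTIAL_CODE)          # recorded at build time
    intact_ok = recover(blob, ESSENTIAL_CODE) == MAGIC
    patched = blind_patch(ESSENTIAL_CODE, 4)
    return {"blob": blob.hex(),
            "intact_ok": intact_ok,
            "tamper_detected": code_tag(patched) != tag,
            "patched_breaks_magic": recover(blob, patched) != MAGIC}


if __name__ == "__main__":
    print(demo())
```

Reading the whole image reveals only the blob; the magic exists only when the unmodified code is XORed back in, which is why a one-byte patch both trips the tag and yields the wrong constants.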

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#2 Post by rufwoof »

Thanks for highlighting that, prehistoric.

We do have a version of a Netgear that is at risk, but that sits behind another router/firewall, has a non-default password and no remote admin. Despite that I've factory reset/refreshed it and upgraded the firmware anyway. Considering replacing it with a dedicated OpenBSD-based router alternative, as at least that way it would be more obscure (and more capable at intrusion detection flagging).

Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#3 Post by Mike Walsh »

I've said it before.....and I'll say it again. There's one guaranteed strategy to stay safe online.

Don't connect your computer to the internet; don't ever go online; and, for the really 'they're-out-to-get-me' paranoid types.....don't ever plug your computer into the power socket OR turn it on.

Should keep you fairly safe, I think.
Mike. :wink:
