Agreed. I used to log into people’s routers at university dorms all the time. Dumbasses never changed it past the default. I would ping the IP address, do a lookup on the MAC address to see who the manufacturer was, and then search for the default password.
You can remove it by performing a factory reset.
I reread the Talos post, they don’t mention a factory reset removes it. They say:
Users of SOHO routers and/or NAS devices reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.
So according to this, the persistent Stage 1 cannot be removed (it’s persistent) by this method. Which means people will have to wait for it to be patched.
No, rebooting is only so the FBI can trace where the malware is reaching out to. The Ars article explains all of this. My question is whether this affects the listed models if they have custom firmware installed?
Apparently, it does affect DD-WRT, so it most likely affects Tomato as well.
Looking at the initial data I don’t think DD-WRT would offer any protection from this exploit. It appears to target the router at the Common Firmware Environment (CFE) level and leverage BusyBox to write the “stage-one” code to NVRAM. The CFE loads as part of the boot process before DD-WRT, so all of this happens before DD-WRT is even running. This is also what gives the exploit reboot persistence, something not mentioned in most articles. The reboot recommendation does not clear the malware from an infected router. The FBI request to reboot all consumer routers appears to be an effort to track the extent of the “phone home” capability present in the stage-one code. I would think removing the malware would require a serial TTL telnet session to locate the CRONTAB call to the exploit stored in NVRAM and manually remove said exploit. I have not been able to locate specifically the hardware vulnerability used to gain access to the router at this level, but I have some prime suspects that I will link below along with the sources I have found. Also, the article does not mention other smart devices like Netgear smart switches or range extenders, which are built on similar hardware/firmware. This could be a much bigger issue for all. - https://www.myopenrouter.com/forum/dd-wrt-susceptible-vpnfilter-malware
I wouldn’t rush into that until there are updates that patch the vulnerability the malware exploits (if they even bother to release updates and not force everyone to buy new equipment), and not everyone has the disposable income to spend on a new piece of networking equipment.
A lot of these articles are reporting that a factory reset completely removes it; they’re misinforming. Sorry about the confusion.
There’s an update for mine too, but every time I’ve done a firmware update, I’ve saved my settings, tried to bring them back, and it fucked up everything; I had to take the router back to default settings. So, I don’t know if I’m resetting until I know if I can get DD-WRT for my Netgear.
I couldn’t buy my house outright, but my last two cars have been bought outright (used). Until it’s time for me to go plug-in hybrid or full electric, I do not see myself buying an out-of-reach new car ever. I understand that some can’t evaluate a used car’s reliability effectively so they need to buy new, or they are an avid enthusiast and highly desire the latest model, but outside of that I cringe at the thought of someone buying new with payments casually. Heck, my sister bought her Camry brand new, flat out, by saving for years beforehand; it lost value the second it drove off the lot, but at least she isn’t paying interest to a bank. I guess we were raised frugally; interest makes me cringe.
How do you like the AP mode features? I have an RT-AC68U in AP mode and I want to find a more effective way to lower signal strength, the RT-AC68U GUI has a feature like this, but it doesn’t seem to do much. I don’t need a strong signal, so might as well not subject the living things in my house to it.
This is a multi-part infection. All but one part has been neutralized by the FBI taking over the infecting domain. Rebooting the router will wipe those other pieces from memory (if infected), leaving the first part still there but effectively isolated.
To completely remove VPNFilter and protect your router from being infected again, you should follow these steps:
Reset Router to Factory Defaults.
Upgrade to the latest firmware (see the manufacturer’s site for updates).
Change the default admin password.
Disable Remote Administration if enabled. Typically, remote administration is disabled by default.
I read on another forum you can remote into your router and check for the existence of a folder at var/vpnfilter. Apparently, they named the malware after this folder it creates where all the files for it are installed. Can anyone confirm this? If you’re infected, can you post a screenshot of it?
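A defender-side check for the two indicators this thread mentions, the var/vpnfilter directory from the post above and the crontab reference from the DD-WRT comment, added here as an example and not code from the thread. It assumes the directory is the absolute path /var/vpnfilter, that BusyBox crond keeps its spool at /etc/crontabs/root (override with the second argument), and that you run it on the device yourself or point it at an extracted firmware image; the sample rootfs it builds is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a router filesystem for the two
# indicators discussed above: the /var/vpnfilter directory (claimed in the
# post; assumed to be an absolute path) and a crontab entry referencing it
# (the "CRONTAB call" an earlier comment mentions). ROOT may point at an
# extracted/mounted firmware image; empty means the live system.

# Returns 0 = nothing found, 1 = directory present, 2 = cron reference, 3 = both.
vpnfilter_check() {
    root="${1:-}"
    # BusyBox crond default spool; an assumption, override with the 2nd argument.
    crontab_file="${2:-$root/etc/crontabs/root}"
    status=0
    if [ -d "$root/var/vpnfilter" ]; then
        echo "INDICATOR: ${root}/var/vpnfilter exists"
        ls -la "$root/var/vpnfilter"
        status=$((status | 1))
    fi
    if [ -f "$crontab_file" ] && grep -q 'vpnfilter' "$crontab_file"; then
        echo "INDICATOR: cron entry references vpnfilter in $crontab_file"
        grep -n 'vpnfilter' "$crontab_file"
        status=$((status | 2))
    fi
    [ "$status" -eq 0 ] && echo "no indicator found under ${root:-/}"
    return "$status"
}

# Constructed sample rootfs carrying both indicators, for offline testing only.
make_sample_root() {
    mkdir -p "$1/var/vpnfilter" "$1/etc/crontabs"
    : > "$1/var/vpnfilter/constructed_sample_file"
    printf '*/5 * * * * /var/vpnfilter/run >/dev/null 2>&1\n' > "$1/etc/crontabs/root"
}

# Demo: one constructed rootfs with both indicators and one clean one.
demo() {
    tmp=$(mktemp -d)
    make_sample_root "$tmp/infected"
    mkdir -p "$tmp/clean"
    rc=0; vpnfilter_check "$tmp/infected" || rc=$?
    echo "infected sample -> exit code $rc"
    rc=0; vpnfilter_check "$tmp/clean" || rc=$?
    echo "clean sample -> exit code $rc"
    rm -rf "$tmp"
}
demo
```

On a live device the check is `vpnfilter_check` with no arguments; a non-zero exit code means an indicator was found, which is a reason to pull the device for closer inspection rather than proof of infection by itself.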