UPDATE: FBI recommends you reboot your router now to stop VPNFilter malware - more devices affected

Lol ¯\_(ツ)_/¯

Saturdays are my fluoride and tin foil coffee days.

Just seemed like an odd notion. Didn’t they arrest the guy that stopped WannaCry because he had old malware on his computer?

They don’t seem to be the brightest tools. Maybe I’m remembering everything. They arrested that dude or the consultant for the dentists?

I dunno, the FBI has a long history of doing its own thing, either for good or ill, regardless of what the rest of the federal government wants.

If restarting the router and increasing password complexity is all they recommend I am OK with that.

2 Likes

I guess at the end of the day, this is what’s important and all that matters.

:+1:

Agreed. I used to log into people’s routers at university dorms all the time. Dumb asses never changed it past the default. I would ping the IP address, do a lookup on the MAC address to see who the manufacturer was, and then search for the default password.

2 Likes

You can remove it by performing a factory reset.
I reread the Talos post, they don’t mention a factory reset removes it. They say:

Users of SOHO routers and/or NAS devices reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.

So according to this, the persistent Stage 1 cannot be removed (it’s persistent) by this method. Which means people will have to wait for it to be patched.

No, rebooting is only so the FBI can trace where the malware is reaching out to. The Ars article explains all of this. My question is if this affects the listed models if they have custom firmware installed?

Apparently, it does affect DD-WRT, so it most likely affects Tomato as well.

Looking at the initial data I don’t think DD-WRT would offer any protection from this exploit. It appears to target the router at the Common Firmware Environment (CFE) level and leverage Busybox to write the “stage-one” code to NVRAM. The CFE loads as part of the boot process of DD-WRT, so all of this happens before DD-WRT is even running. This is also what gives the exploit reboot persistence, something not mentioned in most articles. The reboot recommendation does not clear the malware from an infected router. The FBI request to reboot all consumer routers appears to be an effort to track the extent of the “phone home” capability present in the stage-one code. I would think removing the malware would require a serial TTL telnet session to locate the CRONTAB call to the exploit stored in NVRAM and manually remove said exploit. I have not been able to locate specifically the hardware vulnerability used to gain access to the router at this level, but I have some prime suspects that I will link below along with the sources I have found. Also, the article does not mention other smart devices like Netgear smart switches or range extenders which are built on similar hardware/firmware. This could be a much bigger issue for all.
- https://www.myopenrouter.com/forum/dd-wrt-susceptible-vpnfilter-malware

1 Like

Still don’t see a problem.

Replacing the router is probably the best course of action.

I wouldn’t rush into that until there are updates that patch the vulnerability the malware exploits (if they even bother to release updates rather than force everyone to buy new equipment), and not everyone has the disposable income to spend on a new piece of networking equipment.

I reread the Talos post, they don’t mention a factory reset removes it. They say:

Users of SOHO routers and/or NAS devices reset them to factory defaults and reboot them in order to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.

So according to this, the persistent Stage 1 cannot be removed (it’s persistent) by this method. Which means people will have to wait for it to be patched. A lot of these articles are reporting a factory reset completely removes it, they’re misinforming. Sorry about the confusion.

There is a firmware update for the Netgear R7000 (Nighthawk). There were no release notes, but I assume it is to deal with this bug.

Never buy what you can’t afford to replace. Basic financial advice.

But removing stage 2 & 3 is still a decent enough reason to reset.

There’s an update for mine too, but every time I’ve done a firmware update, I’ve saved my settings, tried to bring them back, and it’s fucked up everything; I had to take the router back to default settings. So, I don’t know if I’m resetting until I know if I can get DD-WRT for my Netgear.

So I suppose almost no one should buy a house or a car then?

Update: VPNFilter Malware much worse than previously thought and impacts even more routers and NAS devices.

Updated list of known affected devices:

Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-Link Devices:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

Huawei Devices:
HG8245 (new)

Linksys Devices:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

Mikrotik Devices:
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

Netgear Devices:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP Devices:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-Link Devices:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)

Ubiquiti Devices:
NSM2 (new)
PBE M5 (new)

UPVEL Devices:
Unknown Models (new)

ZTE Devices:
ZXHN H108N (new)

3 Likes

I am using PFsense with an R7000 in AP mode

2 Likes

Holy fuck me too. Hello kindred spirit

2 Likes

I couldn’t buy my house outright, but my last two cars have been bought outright (used). Until it’s time for me to go plug-in hybrid or full electric, I do not see myself buying an out-of-reach new car ever. I understand that some can’t evaluate a used car’s reliability effectively so they need to buy new, or they are an avid enthusiast and highly desire the latest model, but outside of that I cringe at the thought of someone buying new with payments casually. Heck, my sister bought her Camry brand new flat out by saving for years beforehand; it lost value the second it drove off the lot, but at least she isn’t paying interest to a bank. I guess we were raised frugally; interest makes me cringe.

How do you like the AP mode features? I have an RT-AC68U in AP mode and I want to find a more effective way to lower signal strength, the RT-AC68U GUI has a feature like this, but it doesn’t seem to do much. I don’t need a strong signal, so might as well not subject the living things in my house to it.

Ummm. . .
How hard is it to reboot a router?

Instead of lists of affected devices, maybe just tell everyone with any type of router to reboot it ?

Well I am affected (N66U), I rebooted my router. But how often should I reboot it?

This is a multi-part infection. All but one part has been neutralized by the FBI taking over the infecting domain. Rebooting the router will wipe those other pieces from memory (if infected), leaving the first part still there but effectively isolated.

To completely remove VPNFilter and protect your router from being infected again, you should follow these steps:

  1. Reset Router to Factory Defaults.
  2. Upgrade to the latest firmware (see the manufacturer’s site for updates).
  3. Change the default admin password.
  4. Disable Remote Administration if enabled. Typically, remote administration is disabled by default.

Thanks for this.

I read on another forum you can remote into your router and check for the existence of a folder at var/vpnfilter. Apparently, they named the malware after this folder it creates where all the files for it are installed. Can anyone confirm this? If you’re infected, can you post a screenshot of it?

1 Like
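For anyone who does shell into their router to look, here is a small triage script (added as an example, not from the thread or from Talos) that checks only the two artifacts this thread mentions: the /var/vpnfilter directory named above and a crontab entry pointing at it, which is the persistence mechanism described earlier. The BusyBox crontab paths and the optional root-path argument are assumptions so it can also be run against a copied filesystem; finding nothing does not prove the device is clean.

```shell
#!/bin/sh
# Triage check for the two VPNFilter artifacts discussed in this thread:
#  - a /var/vpnfilter directory (reported in the forum post above)
#  - a crontab entry that references it (persistence described above)
# ROOT defaults to / so it can run over ssh/telnet on a BusyBox router;
# pass another path to test it against a copied filesystem.
# Constructed example, not an official detection tool. A clean result
# here does not prove the device is uninfected.

check_vpnfilter() {
    root="${1:-/}"
    hits=0
    if [ -d "$root/var/vpnfilter" ]; then
        echo "FOUND: $root/var/vpnfilter exists"
        ls -la "$root/var/vpnfilter" 2>/dev/null
        hits=$((hits + 1))
    fi
    # BusyBox crond keeps per-user crontabs under /etc/crontabs on most
    # router firmware (assumed path); the second location is a fallback.
    for tab in "$root"/etc/crontabs/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$tab" ] || continue
        if grep -q 'vpnfilter' "$tab" 2>/dev/null; then
            echo "FOUND: crontab $tab references vpnfilter:"
            grep 'vpnfilter' "$tab"
            hits=$((hits + 1))
        fi
    done
    if [ "$hits" -eq 0 ]; then
        echo "No /var/vpnfilter directory or crontab reference under $root"
    fi
    return "$hits"   # exit status 0 = nothing found, otherwise number of hits
}
```

Run it as `check_vpnfilter` on the device itself, or `check_vpnfilter /path/to/copied/rootfs` against a dump; a non-zero exit status means at least one of the two indicators was present.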