Originally Posted By: Quattro Pete
FYI, the list of potentially vulnerable devices was expanded last week:
https://blog.talosintelligence.com/2018/06/vpnfilter-update.html
There is also some additional analysis on what the malware does in different stages:
https://news.sophos.com/en-us/2018/05/24/vpnfilter-botnet-a-sophoslabs-analysis/
Based on the above, I've seen some people mention that the presence of certain files or folders in your router's /var/run directory might be one way to determine if your device is compromised.
However, unless I misunderstood, vpnfilter can also delete these files once it's done doing the damage, in order to hide its presence, so I'm not sure the above is a surefire indicator. I guess it depends on which stage you are at.
Thanks for the update. This confirms that it was as serious as I suspected it might be. This quote is telling here:
Originally Posted By: Talos
We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device. At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports. We provide technical details on this module, named "ssler" below.
Additionally, we've discovered an additional stage 3 module that provides any stage 2 module that lacks the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable. Analysis of this module, called "dstr," is also provided below.
The ssler module is particularly worrisome as it is used to obtain usernames and passwords for Google, Twitter, Facebook, etc.
Their conclusion:
Originally Posted By: Talos
These new discoveries have shown us that the threat from VPNFilter continues to grow. In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware's capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support. If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware.
is quite similar to what I outlined as to the potential ramifications of this at the onset and why I indicated that we should be justifiably concerned about this and the precedent it sets.