Your home router may not be safe: VPNFilter malware
FYI, the list of potentially vulnerable devices was expanded last week:
https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

There is also some additional analysis on what the malware does in different stages:
https://news.sophos.com/en-us/2018/05/24/vpnfilter-botnet-a-sophoslabs-analysis/

Based on the above, I've seen some people mention that presence of certain files or folders in your router's /var/run directory might be one way to determine if your device is compromised.

However, unless I misunderstood, VPNFilter can also delete these files once it's done doing the damage, in order to hide its presence, so I'm not sure the above is a sure-fire indicator. I guess it depends on which stage you are at.
 
Originally Posted By: Quattro Pete
FYI, the list of potentially vulnerable devices was expanded last week:
https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

There is also some additional analysis on what the malware does in different stages:
https://news.sophos.com/en-us/2018/05/24/vpnfilter-botnet-a-sophoslabs-analysis/

Based on the above, I've seen some people mention that presence of certain files or folders in your router's /var/run directory might be one way to determine if your device is compromised.

However, unless I misunderstood, VPNFilter can also delete these files once it's done doing the damage, in order to hide its presence, so I'm not sure the above is a sure-fire indicator. I guess it depends on which stage you are at.


Thanks for the update. This confirms that it was as serious as I suspected it might be. This quote is telling here:

Originally Posted By: Talos
We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device. At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports. We provide technical details on this module, named "ssler" below.

Additionally, we've discovered an additional stage 3 module that provides any stage 2 module that lacks the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable. Analysis of this module, called "dstr," is also provided below.


The ssler module is particularly worrisome, as it is used to obtain usernames and passwords for Google, Twitter, Facebook, etc.

Their conclusion:

Originally Posted By: Talos
These new discoveries have shown us that the threat from VPNFilter continues to grow. In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware's capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support. If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware.


is quite similar to what I outlined as to the potential ramifications of this at the onset and why I indicated that we should be justifiably concerned about this and the precedent it sets.
 
The updated list of affected devices, which is still growing, is now:

Originally Posted By: Talos

ASUS DEVICES:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-LINK DEVICES:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

HUAWEI DEVICES:
HG8245 (new)

LINKSYS DEVICES:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

MIKROTIK DEVICES:
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

NETGEAR DEVICES:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP DEVICES:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-LINK DEVICES:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)

UBIQUITI DEVICES:
NSM2 (new)
PBE M5 (new)

UPVEL DEVICES:
Unknown Models* (new)

ZTE DEVICES:
ZXHN H108N (new)
 
Forgive my ignorance, but are these kinds of exploits within the router capable of stealing sensitive information, or injecting malicious code when all communication between the client and the server is encrypted with an unbroken TLS?
 
Originally Posted By: BearZDefect
Forgive my ignorance, but are these kinds of exploits within the router capable of stealing sensitive information, or injecting malicious code when all communication between the client and the server is encrypted with an unbroken TLS?


There's some mention of it in the linked article as to how potentially encrypted information could be hijacked. If you haven't given it a read-through yet, I'd suggest starting with that.
 