VPNFilter Router Malware is a Lot Worse Than Everyone Thought

DooKey

A couple of weeks ago we reported about a Russian malware (VPNFilter) that was infecting a large number of routers from different vendors. This week I have bad news to report because this malware is far more widespread than originally thought. More vendors have been added to the vulnerable list and additional models from already named vendors have been added as well. Take a look at the source and you'll be able to see if your router is vulnerable.

The researchers believe the criminals controlling VPNFilter are profiling endpoints to pick out the best targets, and will swipe confidential information in transit where possible. The code snoops on the destination IP address, to help it identify valuable traffic such as a connection to a bank, as well as visited domain names. It also attempts to downgrade secure HTTPS connections to unencrypted forms, so that login passwords and the like can be obtained.
 
I built a pfsense machine a couple of years back and keep that up-to-date. I believe when configured correctly, this is the best defense. It isn't super easy to set up everything, but there is excellent documentation and user support so given enough time, it's doable. A modern dual-core Pentium with hardware AES instructions is plenty of horsepower for this.

Then I just have a dumb wireless AP behind pfsense for wireless needs. Works really, really well. I can only recommend this to power users who are sick of expensive routers that might or might not get patched; pfsense updates come fast and furious for any vulnerabilities that come out.

They also sell hardware with pfsense on it. If time is not your friend, you can spend $350 on an SG-3100 and call it a day.
 
I built a pfsense machine a couple of years back and keep that up-to-date. I believe when configured correctly, this is the best defense. It isn't super easy to set up everything, but there is excellent documentation and user support so given enough time, it's doable. A modern dual-core Pentium with hardware AES instructions is plenty of horsepower for this.

Then I just have a dumb wireless AP behind pfsense for wireless needs. Works really, really well. I can only recommend this to power users who are sick of expensive routers that might or might not get patched; pfsense updates come fast and furious for any vulnerabilities that come out.

They also sell hardware with pfsense on it. If time is not your friend, you can spend $350 on an SG-3100 and call it a day.

pfSense and Ubiquiti APs. Unless it's an update, I never have to reboot to "get the internet working again". It pains me when people say this. If you have to unplug your "router" to get your internet/wifi working again, you should throw that shit away and never buy from that manufacturer again.
 
The only thing I ever have to reboot these days is the cable modem, not the router.

Using an R7000 on Asus WRT firmware.
 
I built a pfsense machine a couple of years back and keep that up-to-date. I believe when configured correctly, this is the best defense. It isn't super easy to set up everything, but there is excellent documentation and user support so given enough time, it's doable. A modern dual-core Pentium with hardware AES instructions is plenty of horsepower for this.

Then I just have a dumb wireless AP behind pfsense for wireless needs. Works really, really well. I can only recommend this to power users who are sick of expensive routers that might or might not get patched; pfsense updates come fast and furious for any vulnerabilities that come out.

They also sell hardware with pfsense on it. If time is not your friend, you can spend $350 on an SG-3100 and call it a day.

Same thing here, so I've been mostly ignoring this "reboot your router" stuff.
 
I built a pfsense machine a couple of years back and keep that up-to-date. I believe when configured correctly, this is the best defense. It isn't super easy to set up everything, but there is excellent documentation and user support so given enough time, it's doable. A modern dual-core Pentium with hardware AES instructions is plenty of horsepower for this.

Then I just have a dumb wireless AP behind pfsense for wireless needs. Works really, really well. I can only recommend this to power users who are sick of expensive routers that might or might not get patched; pfsense updates come fast and furious for any vulnerabilities that come out.

They also sell hardware with pfsense on it. If time is not your friend, you can spend $350 on an SG-3100 and call it a day.

Got mine running on an old C2D. Need to upgrade eventually once 2.5 comes out.

I also set up mine to adblock at the DNS level, works quite well (pfblockerNG).
 
I built a pfsense machine a couple of years back and keep that up-to-date. I believe when configured correctly, this is the best defense. It isn't super easy to set up everything, but there is excellent documentation and user support so given enough time, it's doable. A modern dual-core Pentium with hardware AES instructions is plenty of horsepower for this.

Then I just have a dumb wireless AP behind pfsense for wireless needs. Works really, really well. I can only recommend this to power users who are sick of expensive routers that might or might not get patched; pfsense updates come fast and furious for any vulnerabilities that come out.

They also sell hardware with pfsense on it. If time is not your friend, you can spend $350 on an SG-3100 and call it a day.

pfSense and Ubiquiti APs. Unless it's an update, I never have to reboot to "get the internet working again". It pains me when people say this. If you have to unplug your "router" to get your internet/wifi working again, you should throw that shit away and never buy from that manufacturer again.


100% this... Running pfsense as a VM at home with zero downtime. I have the asus rt-66u that popped up on the latest list, but like you it's a dumb AP. Plus I flashed it with dd-wrt the second I booted it up, so no worries here.
 
I love my Untangle vm. Had over 500 days of uptime not too long ago before I had to shutdown the server for some maintenance.
 
Glad I got in on the Turris Omnia kickstarter.

https://blog.talosintelligence.com/2018/06/vpnfilter-update.html
The first action taken by the ssler module is to configure the device’s iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. It starts by using the insmod command to insert three iptables modules into the kernel (ip_tables.ko, iptable_filter.ko, iptable_nat.ko) and then executes the following shell commands:

iptables -I INPUT -p tcp --dport 8888 -j ACCEPT
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8888
Example: ./ssler logs src:192.168.201.0/24 dst:10.0.0.0/16

-A PREROUTING -s 192.168.201.0/24 -d 10.0.0.0/16 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888

Note: To ensure that these rules do not get removed, ssler deletes them and then adds them back approximately every four minutes.
https://www.ic3.gov/media/2018/180525.aspx
The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.
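As an added example (not code from the Talos post, the FBI notice or anyone in this thread), a defender-side check in Python: it parses `iptables-save` output and flags the pattern the Talos write-up describes, a nat PREROUTING rule redirecting TCP/80 to a local port together with a filter INPUT ACCEPT for that same port. The embedded ruleset is a constructed sample, not a capture from an infected device.

```python
import re

# Constructed sample of `iptables-save` output (not a real capture): ordinary
# home-router NAT/filter rules with the two rules the Talos write-up attributes
# to the ssler module mixed in.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.201.0/24 -d 10.0.0.0/16 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p tcp --dport 8888 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

def parse_iptables_save(text):
    """Yield (table, rule) for every '-A ...' line, tracking '*table' headers."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A ") and table:
            yield table, line

def _opt(rule, name):
    """Value of a single-argument option such as --dport or --to-ports, or None."""
    m = re.search(r"(?:^|\s)%s\s+(\S+)" % re.escape(name), rule)
    return m.group(1) if m else None

def find_http_redirects(text):
    """List nat PREROUTING rules that REDIRECT TCP/80 to a local port and note
    whether a filter INPUT ACCEPT for that port is also present (ssler adds both)."""
    rules = list(parse_iptables_save(text))
    findings = []
    for table, rule in rules:
        if table != "nat" or "-j REDIRECT" not in rule:
            continue
        if not rule.startswith("-A PREROUTING") or _opt(rule, "--dport") != "80":
            continue
        # iptables accepts the abbreviated --to-port as well as --to-ports
        to_port = _opt(rule, "--to-ports") or _opt(rule, "--to-port")
        listener_open = any(
            t == "filter" and r.startswith("-A INPUT") and "-j ACCEPT" in r
            and _opt(r, "--dport") == to_port
            for t, r in rules)
        findings.append({"rule": rule, "to_port": to_port, "listener_accept": listener_open})
    return findings
```

Feed it real output from `iptables-save` on the device's shell; because ssler tears its rules down and re-adds them roughly every four minutes, a single snapshot could in principle land in that gap, so repeat the check a few times.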

 
pfSense and Ubiquiti APs. Unless it's an update, I never have to reboot to "get the internet working again". It pains me when people say this. If you have to unplug your "router" to get your internet/wifi working again, you should throw that shit away and never buy from that manufacturer again.

Agreed. I can't believe how often I still hear this from people. I moved to Ubiquiti myself and while it isn't the most intuitive config, I also don't really do anything to it. The wireless AP, though, took maybe a minute to config and I haven't touched it since; I've had it maybe 6 months so far.

I haven't messed with pfsense yet but that might be my next round of hardware if this stuff dies.
 
You usually only hear "had to power cycle my router!" on really old low end junk. And yep, if that's happening replace the thing, and do it six months ago.

I've been using Ubiquiti almost exclusively for APs and routers lately. I love their little $50 Edgerouters.
 
So, yeah

That's a thing I need to deal with now

Great

Looked up the list and there was mine. Went right to the support page, last firmware over a year ago, already running it. Looking at their "what to do" list I seem to have already taken the necessary steps in my normal router setup scheme to prevent its infection in the first place, but it's just another reminder that it's well past time to replace my 4+yo router and look into fancier hardware.
 
pfSense and Ubiquiti APs. Unless it's an update, I never have to reboot to "get the internet working again". It pains me when people say this. If you have to unplug your "router" to get your internet/wifi working again, you should throw that shit away and never buy from that manufacturer again.

Ubiquiti routers are also a good choice instead of PFSense. Cheaper and faster. Their little Edgerouters will push a gig and do so for cheap. Generally lower latency too. Don't get me wrong, I love PFSense but until they get their vector packet processing engine sorted they require much more beefy hardware to achieve a given level of performance. If you don't need the level of flexibility they offer in crafting rules, and you usually don't for a home network, an ERL costs less and performs better.

For all that though I still have to reboot to make the Internet work occasionally because of the cable modem :p. Router never has issues, but it sometimes does. WTB FTTH PST.
 
Ubiquiti routers are also a good choice instead of PFSense. Cheaper and faster. Their little Edgerouters will push a gig and do so for cheap. Generally lower latency too. Don't get me wrong, I love PFSense but until they get their vector packet processing engine sorted they require much more beefy hardware to achieve a given level of performance. If you don't need the level of flexibility they offer in crafting rules, and you usually don't for a home network, an ERL costs less and performs better.

For all that though I still have to reboot to make the Internet work occasionally because of the cable modem :p. Router never has issues, but it sometimes does. WTB FTTH PST.


Disagree. I had a Ubiquiti edge router. It didn't even have enough power to do QoS on a 150Mbit line, and it sure as hell couldn't handle gigabit speeds over OpenVPN like I do on my pfSense box.
 
100% this... Running pfsense as a VM at home with zero downtime. I have the asus rt-66u that popped up on the latest list, but like you it's a dumb AP. Plus I flashed it with dd-wrt the second I booted it up, so no worries here.

Does the hypervisor make a difference? How much does it need to run properly? I really don't like WRT all that much. Looking for an alternative to play with
 
This is what happens when you install networking equipment using only the default settings...

The list of vulnerable products are what you would find running a school or small office network... like in a Dr.'s office or a local police department.

Also... Made in China.
 
It's fully supported on HyperV. I give it far more resources than it needs because I have them, but 1-2 cores and 2GB of ram is plenty.

I've used pfsense running on a VM for multiple production offices handling 100+ users, half of which were making VoIP calls all day. I don't like running much of anything on bare metal anymore. VMs make backups/DR MUCH easier and quicker.
 
Does the hypervisor make a difference? How much does it need to run properly? I really don't like WRT all that much. Looking for an alternative to play with

I used to run it as a VM, but there are security implications from doing this. I used to think I was safe because I passed the NIC through to the VM, but in a post Meltdown/Spectre world, I don't trust VMs for security isolation anymore.

Besides, it was annoying to not have internet whenever I took down my VM host for maintenance.

Instead I built a small dedicated pfSense box:
Best router I've ever had. It can push OpenVPN at very high speeds. I've never been able to max out gigabit though, because of limitations on the VPN hosts side. The CPU on my router never goes above ~20% load at absolute most.

NO VPN: [speed test screenshot]

PIA VPN: [speed test screenshot]
 
As an Amazon Associate, HardForum may earn from qualifying purchases.
My router is on the list, that's fun.

Steps to fully disinfect devices vary from model to model. In some cases, pressing a recessed button on the back to perform a factory reset will wipe stage 1 clean. In other cases, owners must reboot the device and then immediately install the latest available authorized firmware from the manufacturer. Router owners who are unsure how to respond should contact their manufacturer, or, if the device is more than a few years old, buy a new one.

Seriously ...

Here's the NetGear response (I have an R6400).

https://kb.netgear.com/000058814/Security-Advisory-for-VPNFilter-Malware-on-Some-NETGEAR-Devices

Essentially, reboot, apply latest firmware, and don't have Remote Management enabled and don't use default passwords.
 
I shouldn't be, but I'm laughing pretty heartily right now. I had bought an Asus RT-AC66U my ex ended up swiping; she wanted all the security and filters turned off for gaming on top of being tech illiterate, so I left everything opened up before I was able to get out. I can only imagine what trouble that'll cause at this point, lol.
 
I used to run it as a VM, but there are security implications from doing this. I used to think I was safe because I passed the NIC through to the VM, but in a post Meltdown/Spectre world, I don't trust VMs for security isolation anymore.

Besides, it was annoying to not have internet whenever I took down my VM host for maintenance.

Instead I built a small dedicated pfSense box:
Best router I've ever had. It can push OpenVPN at very high speeds. I've never been able to max out gigabit though, because of limitations on the VPN hosts side. The CPU on my router never goes above ~20% load at absolute most.

NO VPN: [speed test screenshot]

PIA VPN: [speed test screenshot]

Ah, dual onboard gigabit LAN. The whole thing could fit in one of those tiny mITX cases. It's a shame Intel makes some of the best NICs. I really don't want to give them any money, but I already have a dual core Haswell in a tiny case that could be re-purposed. Really don't want so many devices in my living room.
 
Essentially, reboot, apply latest firmware, and don't have Remote Management enabled and don't use default passwords.

Which, if they've properly patched the firmware, should be all that's needed- and should be what everyone's doing anyway.

[which they're not, but whatever]
 
The only thing I ever have to reboot these days is the cable modem, not the router.

Using an R7000 on Asus WRT firmware.

What site are you using for wrt firmware? MyOpenRouter is the only netgear specialized one I know of. It looks like DDWRT site is down right now.
 
So I guess I've been under a rock. My WNDR3700v3 is on the affected list. I've rebooted it. I changed the default password when I set it up 6 months ago, and I am already running the latest firmware (no update since). Remote management is and has been off. Is there anything else I am supposed to be doing?
 
Ah, dual onboard gigabit LAN. The whole thing could fit in one of those tiny mITX cases. It's a shame Intel makes some of the best NICs. I really don't want to give them any money, but I already have a dual core Haswell in a tiny case that could be re-purposed. Really don't want so many devices in my living room.

Yeah, the M350 box I linked above is a really nice little utility case, and the PicoPSU kit is awesome. Allows the system to idle at like 6W as measured at the wall with my Kill-A-Watt.
 
Anyone have any experience with something like this?

https://www.amazon.com/dp/B0741F634J/

Small mini PC that has 4-6 NIC ports with an Atom/Celeron/i3 in it.
 
The CPU for the linked device is a 1.8GHz Celeron. It's going to work fine for most general things, but once you run Snort on it and have a fast connection (100+ Mbps) and perhaps do a few other things (VPN, torrents, maybe squid proxy) you might run short of CPU power. For the price, not a lot of performance. It's cute, I'll give it that, and it might sip less power than a PC build, but it wouldn't be for me.

I'd add $30 and buy a pfsense box I quoted above.
 
So how is this actually spreading/being delivered? Read several articles but according to all of them it just 'happens'.
 
I have an Asus rt-ac66u that is on that list. I've followed all the steps given and have had the default password changed and remote management turned off since I got it. Also been running the latest merlin firmware. If I were to build a pfsense box, would it be safe to use this router only as an access point behind the pfsense firewall?
 
I have an Asus rt-ac66u that is on that list. I've followed all the steps given and have had the default password changed and remote management turned off since I got it. Also been running the latest merlin firmware. If I were to build a pfsense box, would it be safe to use this router only as an access point behind the pfsense firewall?

I don't see why not. I doubt it would open any ports to the outside, as long as it hasn't already been infected.

Maybe, to be sure, reflash it with the latest stock firmware (or DD-WRT if compatible) just to make sure you overwrite everything and get rid of any infection.

That said, you can get a pretty awesome ubiquiti unifi access point for not very much money.
 