Update: 24th October 2018:
Researchers from Cisco’s Talos team have discovered further capabilities of this malware. As detailed below the 3rd stage of the malware features:
Provides plugins for the RAT (defined below in the original post) to extend its functionality.
However, the team was able to determine the following extra capabilities:
- Packet sniffing (obtain information from passing data packets (defined) on a network connection)
- Encrypted tunnelling (defined) to hide data the malware steals as well as the existing command and control data traffic.
- Creating network maps (defined)
- Remote connection/administration via SSH (Secure Shell)(defined)
- Port forwarding (defined)
- Create SOCK5 (defined) proxies (defined)
- DDoS (defined)
The good news about this malware is that from the Talos team’s research it does not appear that any malware samples remain active. However; they caution it is not possible to assume that this malware has finished its malicious actions and the possibility of its return remains.
Update: 20th June 2018:
If you would prefer a video or a podcast of how to remove this malware from your router, this Sophos blog post provides links to both. The video is hosted on Facebook but a Facebook account isn’t required to view it. Sophos also provide an archive of previous videos on the same Facebook page.
Update: 6th June 2018:
The Cisco Talos team have provided an updated list of known affected routers. I have added these to the list below with “(new)” indicating a new device on the existing list. I have also updated the malware removal advice to provide easier to follow steps.
In late May; a strain of malware known as VPNFilter affecting routers from the vendors listed below was publicly disclosed by the Cisco Talos team:
Asus RT-AC66U (new)
Asus RT-N10 (new)
Asus RT-N10E (new)
Asus RT-N10U (new)
Asus RT-N56U (new)
Asus RT-N66U (new)
D-Link DES-1210-08P (new)
D-Link DIR-300 (new)
D-Link DIR-300A (new)
D-Link DSR-250N (new)
D-Link DSR-500N (new)
D-Link DSR-1000 (new)
D-Link DSR-1000N (new)
Huawei HG8245 (new)
Linksys E3000 (new)
Linksys E3200 (new)
Linksys E4200 (new)
Linksys RV082 (new)
Mikrotik CCR1009 (new)
Mikrotik Cloud Core Router (CCR) CCR1016
Mikrotik CRS109 (new)
Mikrotik CRS112 (new)
Mikrotik CRS125 (new)
Mikrotik RB411 (new)
Mikrotik RB450 (new)
Mikrotik RB750 (new)
Mikrotik RB911 (new)
Mikrotik RB921 (new)
Mikrotik RB941 (new)
Mikrotik RB951 (new)
Mikrotik RB952 (new)
Mikrotik RB960 (new)
Mikrotik RB962 (new)
Mikrotik RB1100 (new)
Mikrotik RB1200 (new)
Mikrotik RB2011 (new)
Mikrotik RB3011 (new)
Mikrotik RB Groove (new)
Mikrotik RB Omnitik (new)
Mikrotik STX5 (new)
Netgear DG834 (new)
Netgear DGN1000 (new)
Netgear DGN3500 (new)
Netgear FVS318N (new)
Netgear MBRN3000 (new)
Netgear WNR2200 (new)
Netgear WNR4000 (new)
Netgear WNDR3700 (new)
Netgear WNDR4000 (new)
Netgear WNDR4300 (new)
Netgear WNDR4300-TN (new)
Netgear UTM50 (new)
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link TL-WR741ND (new)
TP-Link TL-WR841N (new)
Ubiquiti NSM2 (new)
Ubiquiti PBE M5 (new)
UPVEL Unknown Models* (new)
ZTE ZXHN H108N (new)
Why should this malware be considered important?
The authors (thought to be a group funded by a nation state) of this malware are using it to hijack vulnerable routers (500,000 are known to have been compromised across 54 countries) for possible use in cyberattacks against the Ukraine. Indeed, the malware more recently began seeking out Ukrainian routers specifically. The Ukrainian Secret Service issued a security alert on this on the 23rd of May.
The malware has the ability to do so by utilising previously publicly disclosed (defined) vulnerabilities to gain access and persistence (namely remaining present after the router is powered off and back on) within these routers. Last week the FBI took control of this botnet and are now working to clean up the affected devices.
The malware is very sophisticated and can persist within a router even if the router is powered off and back on (becoming the second malware to have this ability, the first being the Hide and Seek botnet). The malware is made up of 3 stages:
Stage 1: Is responsible for the persistence (mentioned above).
Stage 2: Providing the capabilities of a remote access Trojan (RAT)(defined)
Stage 3: Provides plugins for the RAT to extend it’s functionality.
The malware also has the capability to do the following:
- Wipe the firmware (see Aside below for a definition) of routers rendering them useless
- Inspect the data traffic passing through the router (with the possible intention of obtaining credentials passing over the wire to gain access to sensitive networks)
- Attempt to locate ICS/SCADA devices (defined) on the same network as the router by seeking out port 502 traffic, namely the Modbus protocol (defined) with the option of deploying further malware
- Communicate via the Tor network (definition in the Aside below).
How can I protect my devices from this malware?
The FBI are asking anyone who suspects their internet router to be infected to first reboot it (turn on and off the router). This will cause an infected device to check-in with the now under FBI control C&C (command and control, C2 (defined) server to provide them with a better overview of the numbers of infected devices.
To completely remove the malware; reset the device to factory defaults (this won’t harm a non-infected either but please ensure you have the necessary settings to hand to re-input them into the router, your internet service provider (ISP) will be able to help with this). This will remove stage 1 of the malware (stage 2 and 3 are removed by turning the router on an off).
To prevent re-infection: Cisco Talos’ team recommendations are available from this link. Moreover the US CERT provide recommendations here and here. Symantec’s recommendations are provided here (especially for Mikrotik and QNAP devices).
Further advisories from router manufacturers are as follows (their advice should supersede any other advice for your router model since they know their own devices the best):
Further recommendations from Sophos are:
- Check with your vendor or ISP to find out how to get your router to do a firmware update.
- Turn off remote administration unless you really need it
- Choose strong password(s) for your router
- Use HTTPS website where you can
A very useful and easy to follow step by step walk through of removing this malware by BleepingComputer is available from this link with useful guidance for multiple router models.
New VPNFilter malware targets at least 500K networking devices worldwide : Cisco Talos team
What is firmware?
Firmware is semi-permanent embedded software code that allows a device to carry out its function by having the low-level hardware carry out useful sequences of events.
What is The Onion Router (Tor)?
The Onion Router (Tor) is an open source (defined) project with the goal of protecting your privacy by passing your web browsing activity through a series of anonymous relies spread across the internet. These relays act like proxy servers which encrypt and randomly pass the traffic they receive from relay to relay.
This web of proxies is sometimes referred to as the Dark web (a portion of the internet only accessible using the Tor network). This makes tracing the source of the source almost impossible.