500,000 home routers have been infected with VPNFilter, malware that steals data and bricks devices

Originally published at: https://boingboing.net/2018/05/23/uh-oh-2.html


Then why haven’t 500,000 devices been bricked?


Because it’s more profitable to skim their online credentials and resell them?

Or have a 500,000 machine strong botnet at your disposal. Or 500,000 low quality but free cryptocoin miners. Or 500,000 possible VPN endpoints to sell to child molesters/drug dealers/etc…?

Bricking the routers after putting all of that work into infecting them is completely counterproductive.


They’re kind of vague about how the stage 1 infection is done.

VPNFilter’s stage 1 malware infects devices running firmware based on Busybox and Linux, and is compiled for several CPU architectures.

But nothing about how they get at busybox inside the router. The current advice is to turn off remote management. Anyone who turns that on probably should have their Internet license revoked.

Make sure that you are running the latest firmware

What rubbish! All routers are sold as abandonware and are never updated. You’re expected to buy the next model.


Our linksys is running dd-wrt (DD-WRT v24-sp2 (07/22/09) micro - build 12548M NEWD Eko). Adequate?

(For some reason, the Airport is still getting updates, in spite of its age.)

Time to get off my butt and get my mom’s router flashed over to DDWRT instead of the factory default firmware.


Bricking is something it can do if certain conditions are met or if it is told to do so by the mothership, not something it just goes ahead and does:

Cisco researchers described stage 2 as a “workhorse intelligence-collection platform” that performs file collection, command execution, data exfiltration, and device management. Some versions of stage 2 also possess a self-destruct capability that works by overwriting a critical portion of the device firmware and then rebooting, a process that renders the device unusable. Cisco researchers believe that, even without the built-in kill command, the attackers can use stage 2 to manually destroy devices.


Ugh, my router died unexpectedly a couple of weeks ago. I just replaced it, of course. I wonder how I would figure out if it got hit?

Update: my brand wasn’t on the target list. Yay for going obscure…


Maybe the ones you find at Best Buy, but there are certainly better routers out there (Ubiquiti, for instance) that get firmware updates. Otherwise, best to have something that can run OpenWRT or DD-WRT.

And yes, I can’t see why I’d ever enable remote management on my router. Of course, all bets are off if you’re renting yours from your ISP.


I pity the Americans who find they cannot cease to rent a shitty router from their ISP even if they want to. Fortunately the regulatory environment here in Canada is slightly less dysfunctional.


The article specifically mentions that routers running Linux-based firmware are vulnerable, and looking at the list of affected routers, they may be specifically targeting them, so that’s not good. Also, I’d try to update the 9 year old firmware if there are available builds. Manufacturers are instructing people to make sure remote access is disabled. I don’t know if that’s a fix, and VPNFilter is targeting people who turned it on by mistake, but there’s no good reason to ever enable that on a home router. Hopefully we’ll know more soon.


On the other hand, even Comcast doesn’t force us to use their routers and cable modems, though they do their damnedest to try to convince you that they’re the best thing since sliced bread.

One of their underhanded tricks was to inject their own JavaScript into HTTP connections if you owned a modem model that they no longer provided, and then to spout typical corporate bullshit when called out on it.


Same for me but more from just oooooooold. It still works so upgrading isn’t a priority.


Just a heads up: just because it is open source does not make it secure. When was the last DD-WRT update? 2015? Any new hardware supported? That means it’s all on old hardware that’s probably already been plumbed for vulnerabilities.

If someone wanted to compromise it, it’s already happened.


If you have a well-liked model, it’s possible to keep using older hardware. My router is from 2009 but got a new Tomato release a few months ago. It’s hard to keep track of because third party firmware forks like crazy, but if you’re as cheap as me, it can be done.


My five year old AirPort Extreme still gets periodic firmware updates. Yes, I know I harsh on Apple’s pricing scheme. Their wireless routers are one of the few things they sell that I find worth the price, mainly because the other router marques are pretty much all crap.

I can’t say for certain none require it, but all the US ISPs whose reigns of terror I’ve lived under merely try to hard sell you on renting their shit routers. Wouldn’t know about cable TV since I haven’t had a cable box or service since 2001.


OpenWRT and DD-WRT often get ported to a new model once, then maybe updated once and then abandoned as well.

Better than most stock firmwares but by no means perfect.

Your FUD is off base. Do not judge by the last “stable” release, which seems to be from a decade ago, nor from their website, which seems to no longer be receiving updates.

If you look at the available downloads, there are dozens of “beta” releases from this year alone. Partly to support new routers, partly to address security vulnerabilities.


From what I understand, routers aren’t all that diverse under the hood, so this malware could probably run on many / most devices if it could infect them in the first place; the limiting factor is that it needs a known exploit to get on there initially, which is more model-specific. So, you might have slightly better odds if your router is unusual (because its vulnerabilities aren’t so well-explored), or if it is a popular model from one of the vendors that keeps firmware up to date.

The Cisco article does explicitly say that they don’t believe the list of affected models is comprehensive.


Honestly, that’s the real tragedy here. It certainly isn’t the lawful-good approach (or the avoid-felony-conviction approach); but the best possible outcome here would be for someone to toggle the Killswitch on as many of the infected devices as possible as soon and fast as possible.

If your router is a malice zombie it isn’t really “working” anymore; it’s just broken in a covert way. Having it fall over and die (at least without lowish-level reflash fiddling) would inform the user that it’s time to pay attention to, or replace, their router and prevent the thing from harming anything else.

And this isn’t just a “we should nuke 'em because I’m an internet tough guy on the internet” proposal: having systems in place that can detect compromised computers and credentials and disable them until IT can come sort it out is challenging but something you want really, really, badly. Restoring from backups sucks; but pondering the “not compromised or just really good at hiding?” problem is keep-you-up-at-night material; sometimes literally.