VPNFilter Botnet

On May 25, the FBI asked us all to reboot our routers. While the advice was rather silly, and not particularly understandable, we can at least examine the circumstances. VPNFilter refers to a botnet that took control of over 500,000 devices, mostly in the Ukraine. It was very sophisticated and so well designed that our FBI believes it is state sponsored. Because it targeted Ukraine, they believe it is Russian. Despite targeting Ukraine, it has infected routers in 54 countries. This is not an attack against computers, but mostly against our routers. The infection has multiple parts but follows the basic Botnet pattern of infection with with a small program, then connecting to a control center and downloading more attacks and instructions for further action.

What made this especially sophisticated, is that the initial infection was tiny and could be inserted into the router's firmware. This required specific attacks for each model of router, rather than a general purpose attack. It also means that the attack would survive a reboot. We do not know what commands might be given to the routers, but they could actually destroy the routers with a command. They could intercept encrypted packets, login credentials or they could direct attacks against any network target. With over 500,000 routers under their command, this army is extremely powerful.

On May 30, the FBI took control of one of the command-and-control servers, but VPNFilter could quickly reroute to other control servers. It is an intelligent infection capable of learning and responding to attacks against it and adapting to bypass defenses.

What to do, your options:

Reboot your router (FBI recommendation). Your router will probably be reinfected quickly because the problem is in firmware, not in router memory. This is pretty useless.
Reset your router. This will remove the infection because it will reset your router to default conditions. This means you will need to know your default username and password for your router and will need to re-enter all your WiFi passwords which will be forgotten. Since your router is still vulnerable, it will probably be re-infected.
Update your router firmware. If your router was patched with new firmware in since May 2018, then the new firmware will probably prevent the infection. This is the correct fix and should remove the infection and prevent future ones.

What if you rent a provider router?

What if you rent your router from your ISP and you cannot not patch it? Here is what Comcast says: "The vast majority of Comcast-provided residential and business gateways and modems were not impacted by the 'VPNFilter' malware. For the very small number of Comcast-issued devices that may be affected, we are in the process of proactively communicating with those customers and exchanging hardware where needed"

So it appears that Comcast routers and modems are OK. As for other providers, I was unable to get any definitive answers. Generally, you cannot patch them yourself, you need to wait for them to do it. I suggest you call them and ask about your modem/router combination and how frequently they patch it.

Date: July 2018

This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

Keeping clients' computers safe and profitable for over 30 years

Home Forms About Current Newsletter subscribe Search All Articles Browse by Category Security Internet Mobile Business Hardware Fun		VPNFilter Botnet On May 25, the FBI asked us all to reboot our routers. While the advice was rather silly, and not particularly understandable, we can at least examine the circumstances. VPNFilter refers to a botnet that took control of over 500,000 devices, mostly in the Ukraine. It was very sophisticated and so well designed that our FBI believes it is state sponsored. Because it targeted Ukraine, they believe it is Russian. Despite targeting Ukraine, it has infected routers in 54 countries. This is not an attack against computers, but mostly against our routers. The infection has multiple parts but follows the basic Botnet pattern of infection with with a small program, then connecting to a control center and downloading more attacks and instructions for further action. What made this especially sophisticated, is that the initial infection was tiny and could be inserted into the router's firmware. This required specific attacks for each model of router, rather than a general purpose attack. It also means that the attack would survive a reboot. We do not know what commands might be given to the routers, but they could actually destroy the routers with a command. They could intercept encrypted packets, login credentials or they could direct attacks against any network target. With over 500,000 routers under their command, this army is extremely powerful. On May 30, the FBI took control of one of the command-and-control servers, but VPNFilter could quickly reroute to other control servers. It is an intelligent infection capable of learning and responding to attacks against it and adapting to bypass defenses. What to do, your options: Reboot your router (FBI recommendation). Your router will probably be reinfected quickly because the problem is in firmware, not in router memory. This is pretty useless. Reset your router. This will remove the infection because it will reset your router to default conditions. This means you will need to know your default username and password for your router and will need to re-enter all your WiFi passwords which will be forgotten. Since your router is still vulnerable, it will probably be re-infected. Update your router firmware. If your router was patched with new firmware in since May 2018, then the new firmware will probably prevent the infection. This is the correct fix and should remove the infection and prevent future ones. What if you rent a provider router? What if you rent your router from your ISP and you cannot not patch it? Here is what Comcast says: "The vast majority of Comcast-provided residential and business gateways and modems were not impacted by the 'VPNFilter' malware. For the very small number of Comcast-issued devices that may be affected, we are in the process of proactively communicating with those customers and exchanging hardware where needed" So it appears that Comcast routers and modems are OK. As for other providers, I was unable to get any definitive answers. Generally, you cannot patch them yourself, you need to wait for them to do it. I suggest you call them and ask about your modem/router combination and how frequently they patch it. Date: July 2018 This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
		I attempt to provide reliable information, but make no warranty as to the accuracy or safety of these articles. I disclaim all legal responsibility for what following these instructions may do. Follow my advice at your own risk