
Unexpected guests


Don't forget about your router!


Tuesday, September 25, 2018

New entries for Linux.VPNFilter Trojans appear daily in the Dr.Web virus database.


Just what kind of beast are we talking about?

VPNFilter malware infects networking devices, such as routers and network-attached storages (NAS), rather than desktops and laptops.

VPNFilter was discovered in May 2018. This complex malware managed to infect at least half a million Linksys, MikroTik, NETGEAR and TP-Link routers, as well as QNAP storage devices, in 54 countries.

Why are hackers specifically interested in networking devices? The answer is simple: while personal computers may receive updates every now and then, few people make an effort to download updates for their household networking devices regularly. As a result, attackers don't have to look for new, unknown vulnerabilities. Instead, they can pick a hole the manufacturer already knows about and has even patched (e.g., in a new firmware release), which remains exploitable on every device that never received the update.

VPNFilter operators do not leverage zero-day vulnerabilities of any kind. Instead, they opt to exploit known, previously discovered software flaws.

Furthermore, devices that never receive updates give perpetrators another advantage. Release notes for a patch often describe the very vulnerability being addressed. But even if they don't, an update release gives attackers an opportunity to analyse the patch and find another weak point.

Following the discovery of the VPNFilter botnet, the FBI seized control over the criminal-managed domain. The bureau set up a sinkhole to gain control over the network's command and control server—we talked about that in the issue Fishing for bots. Later, instructions were published to help router owners get rid of the VPNFilter infection. The malware's authorship was attributed to the Russian Fancy Bear hackers, who were also allegedly responsible for the attack on the Democratic National Committee's infrastructure during the 2016 US presidential election.

As a matter of fact, at the time we decided not to write an issue about it precisely because the agency had managed to hijack the server. However, time has shown that we should have gone through with the publication. How badly does a server hijacking really cripple a criminal-run business? And how many people would have read our post and taken the appropriate steps to remove the infection? Predictably, the botnet survived, and the cyber crooks behind it keep enrolling new nodes in it.

What do criminals gain from VPNFilter? It lets them monitor data transmitted through the infected routers and NAS devices. They can fish passwords out of the traffic, inject scripts and ads into webpages being loaded by users, and trigger malware downloads. Or they can threaten users with a forced network disconnection and demand a ransom.

And rebooting devices—a popular troubleshooting technique among users—doesn't help. VPNFilter survives a system restart.

And it's not only going after home devices…

VPNFilter incorporates a module that intercepts Modbus traffic (Modbus is the protocol used for communication between industrial-grade electronic equipment).

Who can be affected?

VPNFilter can infect a large variety of routers and NAS solutions.

  • Asus (RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, RT-N66U)
  • D-Link (DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, DSR-1000N)
  • Huawei (HG8245)
  • Linksys (E1200, E2500, E3000, E3200, E4200, RV082, WRVS4400N)
  • MikroTik (CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, STX5)
  • Netgear (DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, UTM50)
  • TP-Link (R600VPN, TL-WR741ND, TL-WR841N)
  • Ubiquiti (NSM2, PBE M5)
  • Upvel (unknown models)
  • ZTE (ZXHN H108N)

Affected network-attached storage (NAS) devices:

  • QNAP (TS251, TS439 Pro and other QTS-based solutions)

But new items can appear on the list at any moment.

If you think about it, this is a horrendous threat. You've installed an anti-virus and keep it updated. Then you decide to read the news, for example. But chances are that you will only see whatever the perpetrators want you to read. And you won't be able to do anything about it, since the sites containing instructions on how to deal with the problem suddenly become inaccessible.

#Linux #vulnerability #botnet #router #Parental_Control #malware

The Anti-virus Times recommends

Don't forget about your router!

  1. Disable the option for device remote administration over the Internet as described in the user guide. Make sure that the router is only accessible over the local network.
  2. Set new passwords for the administrator and other available accounts. Make sure that the passwords are unique and strong.
  3. If encryption can be enabled in the device settings, toggle it on.
  4. Update the firmware.

Rebooting a device can help neutralise VPNFilter, at least in part. We mentioned above that the malware persists after a restart, but only one of its three modules survives; the other two do not. Of course, they can be downloaded again, but before that happens you may be able to go to the manufacturer's site and look for the appropriate instructions.

And while this issue was being prepared, this news post appeared:

Researchers with 360 Netlab discovered that attackers managed to gain control over MikroTik routers containing outdated firmware. The attackers leveraged vulnerability CVE-2018-14847, which had been patched in the April update MikroTikOS 6.42.1.

According to 360 Netlab, as many as 370,000 MikroTik devices that haven't had the vulnerability patched are now connected to the Internet. Over 7,500 devices have had the options for intercepting packets and relaying them to specific locations enabled. Meanwhile, 239,000 routers have the traffic-forwarding option toggled on.

Security experts also registered a failed attempt to engage users in cryptocurrency mining.
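Step 4 of the recommendations above and the 360 Netlab report both come down to the same check: is a router's firmware at or past the release in which a known hole was closed? The Python below is an added example, not code from Dr.Web, 360 Netlab or MikroTik. It audits a constructed inventory written in the style of RouterOS "/system resource print" output (the hostnames and version numbers are made up) against the 6.42.1 release named on the page, and treats rc builds as pre-release so that "6.42.1rc1" is still flagged as unpatched.

```python
import re

# Fix version stated on the page: CVE-2018-14847 was closed in the 6.42.1 release.
PATCHED_VERSION = "6.42.1"

# Constructed sample in the style of RouterOS "/system resource print" lines,
# one device per line. Hostnames and versions are made up for this example.
SAMPLE_INVENTORY = """\
edge-1 version: 6.40.5 (bugfix)
edge-2 version: 6.42.1 (stable)
edge-3 version: 6.43rc40 (testing)
edge-4 version: 6.42
edge-5 version: 6.42.1rc1
"""

def parse_version(text):
    """Turn a RouterOS-style version string into a comparable tuple.

    Numeric parts compare first; a missing patch number counts as zero
    ("6.42" == "6.42.0"), and an rc/beta tag sorts below the final release
    carrying the same numbers.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:(rc|beta)(\d*))?", text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))          # pad "6.42" to (6, 42, 0)
    pre_tag = m.group(2)
    pre_num = int(m.group(3) or 0)
    # (1, 0) marks a final release; (0, n) marks pre-release build n
    return tuple(nums) + ((1, 0) if pre_tag is None else (0, pre_num))

def is_patched(version):
    """True if the running version is at or past PATCHED_VERSION."""
    return parse_version(version) >= parse_version(PATCHED_VERSION)

def audit(inventory):
    """Map hostname -> needs_update for '<host> version: <ver> ...' lines."""
    result = {}
    for line in inventory.splitlines():
        m = re.match(r"^(\S+)\s+version:\s+(\S+)", line)
        if m:
            result[m.group(1)] = not is_patched(m.group(2))
    return result

if __name__ == "__main__":
    for host, needs_update in audit(SAMPLE_INVENTORY).items():
        print(host, "UPDATE FIRMWARE" if needs_update else "ok")
```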

By the way, here is another incident involving malicious JavaScript code at So don't forget that you can use the Dr.Web Parental Control to block access to bogus sites.

