All the routers affected by VPNFilter malware

ToxicBunny

Honorary Master
Joined
Apr 8, 2006
Messages
81,697
For all guys using Mikrotiks... apparently the solution is just to upgrade to the latest version of RouterOS.... it closes the holes and removes all traces of VPNFilter as well.
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
66,002
My RB2011 destructed itself anyway, didn't like a power spike.
I see my USG is safe :D
 

The_Librarian

Another MyBB
Super Moderator
Joined
Nov 20, 2015
Messages
21,961
Delink and Stinksys on that list as well.

Never heard of Upvel before.

Got a Mikrotik, updated it, but it is not used atm.
 

sajunky

Honorary Master
Joined
Nov 1, 2010
Messages
13,125
Hardware reset may not remove modifications to a bootloader, but re-flashing the same version should. Sadly, firmware update files are no longer available for download, only by online update and you cannot online update with the same firmware version. See Huawei...
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
66,002
You can't (yet) unless you see dodgy things in your router's logs. Best is to be cautious and handle the router as if infected successfully.
Put another device between the router and the internet and monitor for connections to known endpoints.

Also, watch for connectivity in your browser being downgraded from HTTPS to HTTP for some sites.
 

Totempole

Expert Member
Joined
Sep 21, 2011
Messages
3,416
You can't (yet) unless you see dodgy things in your router's logs. Best is to be cautious and handle the router as if infected successfully.
Well, in my case, it's just a cheap old router I was going to be changing out soon anyway.
 

Messugga

Honorary Master
Joined
Sep 4, 2007
Messages
10,409
Put another device between the router and the internet and monitor for connections to known endpoints.

Also, watch for connectivity in your browser being downgraded from HTTPS to HTTP for some sites.
Valid, but not seeing those markers doesn't mean you're not infected.
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
66,002
Valid, but not seeing those markers doesn't mean you're not infected.
Agreed.

Time for the vendors to incorporate some kind of tripwires/antimalware in their firmware. This is a huge hole.

Imagine how awesome the world could be if consumer-grade routers filtered out DDoS/spoofed traffic at the source.
 

Messugga

Honorary Master
Joined
Sep 4, 2007
Messages
10,409
Agreed.

Time for the vendors to incorporate some kind of tripwires/antimalware in their firmware. This is a huge hole.

Imagine how awesome the world could be if consumer-grade routers filtered out DDoS/spoofed traffic at the source.
I've actually been wondering about the lack of this sort of precaution for years. At one point I did a fair amount of programming of PLCs. These devices were doing some important work, but they supported absolutely zero security measures. If someone managed to break into your network, they could go nuts, short of actually reprogramming the PLCs entirely.

It doesn't look like much has changed.
 

WireFree

Well-Known Member
Joined
Oct 23, 2005
Messages
442
+1

I'd like to know this as well.
https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware states:
Q: Do Symantec/Norton products (Win/Mac/NMS) protect against this threat?
A: Symantec and Norton products detect the threat as Linux.VPNFilter.
But there are no websites that reveal how they detect VPNFilter. I guess the only way to detect it is by purchasing their products.

The website also states:
A newly discovered (disclosed on June 6) Stage 3 module known as “ssler” is capable of intercepting all traffic going through the device via port 80, meaning the attackers can snoop on web traffic and also tamper with it to perform man-in-the-middle (MitM) attacks. Among its features is the capability to change HTTPS requests to ordinary HTTP requests, meaning data that is meant to be encrypted is sent insecurely. This can be used to harvest credentials and other sensitive information from the victim’s network. The discovery of this module is significant since it provides the attackers with a means of moving beyond the router and on to the victim’s network.
To intercept port 443 the router would have to redirect the request to a local HTTPS server with a certificate that is not signed by a valid certificate authority. If you click continue in your browser at the certificate warning, the fake web server will need to redirect your HTTPS request to HTTP.
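An added example (not from this thread or from Symantec) of the "watch for HTTPS being downgraded to HTTP" check described above: a small Python checker that inspects a captured HTTP response for the markers an on-path port-80 rewriter would leave (an HTTPS request answered with a redirect to http://, same-host links rewritten to http://, a missing Strict-Transport-Security header). The sample responses and the host name are constructed; the function names are mine.

```python
import re

# Constructed sample: what a browser might receive if an on-path device rewrote
# an HTTPS site into plain HTTP (the downgrade behaviour attributed to "ssler").
DOWNGRADED_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<a href="http://bank.example/login">Log in</a>'
)
DOWNGRADE_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: http://bank.example/\r\n"
    "\r\n"
)
CLEAN_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
    '<a href="https://bank.example/login">Log in</a>'
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def downgrade_indicators(raw, requested_url, expect_hsts=True):
    """Return the reasons a response to an HTTPS request looks like an HTTPS->HTTP downgrade."""
    _, headers, body = parse_response(raw)
    findings = []
    location = headers.get("location", "")
    if requested_url.startswith("https://") and location.startswith("http://"):
        findings.append("redirect from HTTPS to HTTP: " + location)
    if expect_hsts and "strict-transport-security" not in headers:
        findings.append("Strict-Transport-Security header missing")
    host = re.sub(r"^https?://", "", requested_url).split("/")[0]
    plain_links = re.findall(r'href=["\']http://' + re.escape(host) + r'[^"\']*', body)
    if plain_links:
        findings.append("%d same-host link(s) rewritten to http://" % len(plain_links))
    return findings

if __name__ == "__main__":
    for sample in (DOWNGRADED_PAGE, DOWNGRADE_REDIRECT, CLEAN_PAGE):
        print(downgrade_indicators(sample, "https://bank.example/"))
```

Run it against responses captured on a device placed between the router and the LAN; an empty list for a site known to send HSTS and HTTPS links is the expected healthy result.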
 

ambo

Expert Member
Joined
Jun 9, 2005
Messages
2,680
The guys with mass levels of adoption know that their reputation hinges on swiftly fixing these issues. They also gain credibility by applying more secure defaults. This is one of the hidden values in vendors like Cisco.

The new kids on the block like Mikrotik and Ubiquiti are also taking security seriously in recent years which is helping them cement a spot beside the old boys.

There will always be vulnerabilities even in the best software. With the number of shared open-source libraries in use, a single bug can have widespread impact. SSL has been another recent victim of this.

What we really need to worry about is fly-by-night manufacturers who ship thousands of units and never supply any software updates.
 

francs

Active Member
Joined
Jun 28, 2006
Messages
86
I'm going to assume my Telkom Pace 921VNX is compromised and there is very little hope of getting updated firmware for it.
So I thought of doing the following:
1. Reflash the firmware.
2. Turn on Bridged mode, thus bypassing the router functionality of the modem.
3. Setup a firewall appliance/PC/VM, e.g. PFsense, and dial up through it.

So the routing and firewall is taken care of by PFsense and the modem is now just a modem.
This way I have a more "trusted" solution as PFsense seems to be more proactive in updating and addressing security vulnerabilities.

Would this solution work?
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
66,002
I'm going to assume my Telkom Pace 921VNX is compromised and there is very little hope of getting updated firmware for it.
So I thought of doing the following:
1. Reflash the firmware.
2. Turn on Bridged mode, thus bypassing the router functionality of the modem.
3. Setup a firewall appliance/PC/VM, e.g. PFsense, and dial up through it.

So the routing and firewall is taken care of by PFsense and the modem is now just a modem.
This way I have a more "trusted" solution as PFsense seems to be more proactive in updating and addressing security vulnerabilities.

Would this solution work?
Yes.
 