How to Identify and Fix VPNFilter Malware Now

Not all malware are created equal. One proof of this is the existence of VPNFilter malware, a new breed of router malware that has destructive properties. One distinct characteristic it has is it can survive reboot, unlike most other Internet of Things (IoT) threats.

Let this article guide you through identifying the VPNFilter malware as well as its list of targets. We will also teach you how to prevent it from wreaking havoc on your system in the first place.

What Is VPNFilter Malware?

Think of VPNFilter as destructive malware that threatens routers, IoT devices, and even network-attached storage (NAS) devices. It’s considered a sophisticated modular malware variant that mainly targets networking devices from different manufacturers.

Initially, the malware was detected on Linksys, NETGEAR, MikroTik, and TP-Link network devices. It was discovered in QNAP NAS devices, too. To date, there are about 500,000 infections in 54 nations, demonstrating its massive reach and presence.

Cisco Talos, the team that exposed VPNFilter, provides an extensive blog post on the malware and technical details around it. From the looks of it, networking equipment from ASUS, D-Link, Huawei, UPVEL, Ubiqiuiti, and ZTE have signs of infection.

Unlike most other IoT-targeted malware, VPNFilter is difficult to eliminate since it persists even after a system reboot. Proving vulnerable to its attacks are devices that use their default login credentials, or those with known zero-day vulnerabilities that haven’t had firmware updates yet.

Devices Known to Be Affected By VPNFilter Malware

Both enterprise and small office or home office routers are known to be a target of this malware. Take note of the following router brands and models:

• Asus RT-AC66U
• Asus RT-N10
• Asus RT-N10E
• Asus RT-N10U
• Asus RT-N56U
• Asus RT-N66U
• D-Link DES-1210-08P
• D-Link DIR-300
• D-Link DIR-300A
• D-Link DSR-250N
• D-Link DSR-500N
• D-Link DSR-1000
• D-Link DSR-1000N
• Linksys E1200
• Linksys E2500
• Linksys E3000
• Linksys E3200
• Linksys E4200
• Linksys RV082
• Huawei HG8245
• Linksys WRVS4400N
• Netgear DG834
• Netgear DGN1000
• Netgear DGN2200
• Netgear DGN3500
• Netgear FVS318N
• Netgear MBRN3000
• Netgear R6400
• Netgear R7000
• Netgear R8000
• Netgear WNR1000
• Netgear WNR2000
• Netgear WNR2200
• Netgear WNR4000
• Netgear WNDR3700
• Netgear WNDR4000
• Netgear WNDR4300
• Netgear WNDR4300-TN
• Netgear UTM50
• MikroTik CCR1009
• MikroTik CCR1016
• MikroTik CCR1036
• MikroTik CCR1072
• MikroTik CRS109
• MikroTik CRS112
• MikroTik CRS125
• MikroTik RB411
• MikroTik RB450
• MikroTik RB750
• MikroTik RB911
• MikroTik RB921
• MikroTik RB941
• MikroTik RB951
• MikroTik RB952
• MikroTik RB960
• MikroTik RB962
• MikroTik RB1100
• MikroTik RB1200
• MikroTik RB2011
• MikroTik RB3011
• MikroTik RB Groove
• MikroTik RB Omnitik
• MikroTik STX5
• TP-Link R600VPN
• TP-Link TL-WR741ND
• TP-Link TL-WR841N
• Ubiquiti NSM2
• Ubiquiti PBE M5
• Upvel Devices -unknown models
• ZTE Devices ZXHN H108N
• QNAP TS251
• QNAP TS439 Pro
• Other QNAP NAS devices running QTS software

A common denominator among most of the targeted devices is their use of default credentials. They also have known exploits, especially for older versions.

What Does VPNFilter Malware Do to Infected Devices?

VPNFilter works to cause debilitating damage to affected devices as well as serve as a data collection method. It works in three stages:

Stage 1

This marks installation and maintaining a persistent presence on a target device. The malware will contact a command and control (C&C) server in order to download additional modules and await instructions. At this phase, there are multiple built-in redundancies to locate Stage 2 C&Cs in case an infrastructure change occurs while the threat is deployed. Stage 1 VPNFilter can withstand a reboot.

Stage 2

This features the main payload. While it’s unable to persist through a reboot, it has more capabilities. It is able to collect files, execute commands, and perform data exfiltration and device management. Continuing on its destructive effects, the malware can “brick” the device once it receives a command from attackers. This is executed through overwriting a part of the device firmware and subsequent rebooting. The criminal acts make the device unusable.

Stage 3

Several known modules of this exist and act as plugins for Stage 2. These comprise a packet sniffer to spy on traffic routed through the device, enabling website credential theft and tracking of Modbus SCADA protocols. Another module lets Stage 2 securely communicate via Tor. Based on the Cisco Talos investigation, one module provides malicious content to traffic that passes through the device. This way, attackers can further affect connected devices.

On June 6, two more Stage 3 modules were exposed. The first one is called “ssler,” and it can intercept all traffic passing through the device using port 80. It allows attackers to view the web traffic and intercept it to execute man in the middle attacks. It can, for instance, change HTTPS requests to HTTP ones, sending supposedly encrypted data insecurely. The second one is dubbed “dstr,” which incorporates a kill command to any Stage 2 module lacking this feature. Once executed, it will eliminate all traces of the malware before it bricks the device.

Here are seven more Stage 3 modules revealed on September 26:

• htpx – It works just like ssler, redirecting and inspecting all HTTP traffic going through the infected device in order to identify and log any Windows executables. It can Trojan-ize executables while going through infected routers, which let attackers install malware on various machines connected to the same network.
• ndbr – This is deemed a multi-function SSH tool.
• nm – This module is a network mapping weapon for scanning the local subnet.
• netfilter – This denial of service utility can block access to some encrypted apps.
• portforwarding – It forwards network traffic to infrastructure determined by attackers.
• socks5proxy – It enables a SOCKS5 proxy to be established on vulnerable devices.

Origins of VPNFilter Revealed

This malware is likely the work of a state-sponsored hacking entity. Initial infections were primarily felt in Ukraine, easily attributing the act to the hacking group Fancy Bear and Russian-backed groups.

This, however, illustrates the sophisticated nature of VPNFilter. It cannot be associated with a clear origin and a specific hacking group, and someone is yet to step forward to claim responsibility for it. A nation-state sponsor is being speculated since SCADA alongside other industrial system protocols have comprehensive malware rules and targeting.

If you were to ask the FBI, though, VPNFilter is the brainchild of Fancy Bear. Back in May 2018, the agency seized the ToKnowAll.com domain, thought to be instrumental in installing and commanding Stage 2 and 3 VPNFilter. The seizure helped halt the spread of the malware, but it failed to tackle the main source.

In its May 25 announcement, the FBI issues an urgent request for users to reboot their Wi-Fi routers at home to stop a big foreign-based malware attack. At that time, the agency pinpointed foreign cybercriminals for compromising small office and home Wi-Fi routers – along with other network devices – by the hundred thousand.

I’m Just An Ordinary User – What Does the VPNFilter Attack Means to Me?

The good news is your router isn’t likely to be harboring the pestering malware if you checked the VPNFilter router list we provided above. But it is always best err on the side of caution. Symantec, for one, runs the VPNFilter Check so you can test if you’re affected or not. It only takes a few seconds to run the check.

Now, here’s the thing. What if you’re actually infected? Explore these steps:

• Reset your router. Next, run the VPNFilter Check once again.
• Reset your router to its factory settings.
• Consider disabling any remote management settings on your device.
• Download the most updated firmware for your router. Complete a clean firmware install, ideally without the router making an online connection while the process is underway.
• Complete a full system scan on your computer or device that has been connected to the infected router. Don’t forget to use a reliable PC optimizer tool to work in conjunction with your trusted malware scanner.
• Secure your connections. Get yourself protected with a high-quality paid VPN with a track record of topnotch online privacy and security.
• Get in the habit of changing the default login credentials of your router, as well as other IoT or NAS devices.
• Have a firewall installed and properly configured to keep the bad stuff out of your network.
• Secure your devices with strong, unique passwords.
• Enable encryption.

If your router is potentially affected, it may be a good idea to check with the manufacturer’s website for any new information and steps to take to protect your devices. This is an immediate step to take, since all your information goes through your router. When a router is compromised, your devices’ privacy and security are at stake.

Summary

The VPNFilter malware might as well be one of the strongest and most indestructible threats to hit enterprise and small office or home routers in recent history. It was initially detected on Linksys, NETGEAR, MikroTik, and TP-Link network devices and QNAP NAS devices. You can find the list of affected routers above.

VPNFilter cannot be ignored after initiating some 500,000 infections in 54 countries. It works in three stages and renders routers inoperable, collects information that passes through the routers, and even blocks network traffic. Detecting as well as analyzing its network activity remains a difficult undertaking.

In this article, we outlined ways to help defend yourself from the malware and the steps you can take if your router has been compromised. The consequences are dire, so you should never sit on the important task of checking your devices.