VPNFilter Malware

VPNFilter malware was identified by Cisco's Talos cyber intelligence group.  They believe this is likely a state-sponsored software program that is infecting standard home routers.  Infected devices have been found in 54 countries.  These retail, off-the-shelf routers run no anti-virus software to protect the device from attack, and intrusion detection is not built into them either.  But the most glaring error is the fact that most of these devices are running with default usernames and passwords.  Our home and small-business routers are handing a big security opportunity to the bad actors on the Internet.

FBI request

On May 23rd the Justice Department issued a press release asking for firewalls and network storage devices to be rebooted.  The FBI seized one of the command-and-control domain names that this botnet uses.  Rebooting your home or small-business router helps the FBI locate infected devices, because the FBI is monitoring the traffic that infected devices send to the command-and-control domain it captured.  Rebooting does not clear the malware from your router or network storage device: the device has been compromised, and remediation is necessary.

Fixing your home router

Some of the software that runs your router has been altered, so the machine cannot be trusted to send and receive information on the Internet.  Talos research now shows that the second-stage software downloaded after infection has the ability to inspect all packets passing through the device.  That means do not use your credit card to purchase anything on the Internet through it.  This is why Amazon stores your credit card information with your account.

What to do

  • Find your router's manufacturer and model number.  Using the table at the end of this post, check whether your equipment is on the list of possibly compromised devices.
  • If your router is on the list, remove the power cable from the back of the router.  Wait one minute and plug the cable back in.  Wait two to five minutes for the router to be operational again.  This is the FBI step: if your device is infected, the FBI will collect information from it to aid their investigation.
  • Check your router model number.  Search for this model number on Google to find your user manual.  Open the user manual and find the section about the default password on the device.
  • Chances are that you will access your router from a web browser.  Open a new browser window.  Type 192.168.0.1 in the address bar at the top of the window and wait for a response.  If this times out, try the address 192.168.1.1 instead.  One of these addresses should work with your router.
  • Use the default username and/or password to access your router.
  • Go back to the manual and locate how to change the default password.
  • Now check the manual for how to disable remote access to the router settings.
  • Open a new tab in your web browser.  Search Google for the current firmware for your router model and download it.
  • Check the user manual for the procedure to upload this firmware to your router.  Replace your current compromised firmware with the freshly downloaded manufacturer's firmware.
  • Reboot your router to load the new, clean, updated firmware into the router's memory.
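Two of the steps above are easy to get wrong: matching your model against the list when people type model numbers in different ways, and flashing a firmware download without checking it. The Python helper below is an added example (my own code, not from the original post or from any router vendor) that checks a brand and model against a subset of the affected table at the end of this post, ignoring hyphens, spaces and case, and verifies a downloaded firmware image's SHA-256 against the hash the manufacturer publishes before the image is uploaded to the router. The `AFFECTED` table is copied from the post's list, the sample file bytes and `SAMPLE_HASH` are constructed for the example, and the function names `is_affected`, `verify_firmware_image` and `write_sample_image` are my own.

```python
"""Helpers for the remediation steps: affected-model check and firmware hash check.

Added example; not part of the original post and not vendor code.
"""
import hashlib
import hmac
import os
import re
import tempfile

# Subset of the brand/model table at the end of the post (Mikrotik omitted for brevity).
AFFECTED = {
    "asus": {"RT-AC66U", "RT-N10", "RT-N10E", "RT-N10U", "RT-N56U", "RT-N66U"},
    "dlink": {"DES-1210-08P", "DIR-300", "DIR-300A", "DSR-250N", "DSR-500N",
              "DSR-1000", "DSR-1000N"},
    "linksys": {"E1200", "E2500", "E3000", "E3200", "RV082", "WRVS4400N"},
    "netgear": {"DG834", "DGN1000", "DGN2200", "DGN3500", "MBRN3000", "R6400",
                "R7000", "R8000", "WNR1000", "WNR2000", "WNR2200", "WNR4000",
                "WNDR3700", "WNDR4000"},
    "qnap": {"TS251", "TS439"},
    "tplink": {"R600VPN", "TL-WR741ND", "TL-WR841N"},
    "ubiquiti": {"NSM2", "PBE M5"},
    "huawei": {"HG8245"},
    "zte": {"ZXHN H108N"},
}


def _norm(text):
    # Uppercase and keep only letters/digits so "rt-n66u", "RT N66U" and "RTN66U" agree.
    return re.sub(r"[^A-Z0-9]", "", text.upper())


def is_affected(brand, model):
    """True if the brand/model pair is in the affected table, however it was typed."""
    brand_key = re.sub(r"[^a-z0-9]", "", brand.lower())   # "D-Link" -> "dlink"
    models = AFFECTED.get(brand_key)
    if models is None:
        return False
    return _norm(model) in {_norm(m) for m in models}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large firmware image is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_firmware_image(path, expected_sha256_hex):
    """True only if the file's SHA-256 equals the vendor-published hash.

    The expected value must be a full 64-hex-digit SHA-256; a truncated or
    wrong-algorithm hash is rejected rather than silently compared.
    """
    expected = expected_sha256_hex.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        raise ValueError("expected hash must be 64 hex characters (SHA-256)")
    return hmac.compare_digest(sha256_of_file(path), expected)


def write_sample_image(contents=b"hello"):
    """Write constructed bytes to a temp file as a stand-in for a downloaded firmware file."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as handle:
        handle.write(contents)
    return path


# SHA-256 of the five bytes b"hello"; stands in for the hash shown on a vendor download page.
SAMPLE_HASH = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"


if __name__ == "__main__":
    print(is_affected("Netgear", "r 7000"))                     # True
    good = write_sample_image()
    print(verify_firmware_image(good, SAMPLE_HASH))              # True
    tampered = write_sample_image(b"hello\x00")                  # one extra byte
    print(verify_firmware_image(tampered, SAMPLE_HASH))          # False
```

Only compare against a hash you took from the manufacturer's own download page over HTTPS; a hash copied from the same mirror that served the file proves nothing. A firmware image that fails the check should never be uploaded to the router, because flashing a tampered image simply replaces one compromised device with another.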

Firewall replacement

One easy fix is to replace the network router you have had for the last six to ten years with a current model.  A new router off the retail shelf is probably not compromised, but it still has the same flaws as your ten-year-old router: no anti-virus on the software that runs the device and no intrusion-prevention software.  Router prices range from $90 to $350.  During installation, change the default password and turn off remote support; check the user manual for help with this.

Another option is to buy a used router running alternative firmware such as OpenWrt, DD-WRT, Tomato or LEDE.  The factory firmware on Linksys routers was derived from open-source software, so anyone can use and modify it to improve performance or security, or to add features.  Several freelance developers have made great improvements to standard router firmware.

If you have an old computer, you can convert that machine into a true home next-generation firewall.  The Sophos XG Home firewall protects you from viruses, malware, intrusions, and phishing websites.  This is a full product that gives you the same protection large corporations use to protect their offices.  A VPN server is included to give you safe Internet browsing when you are using public WiFi away from home.  You will need a second network card for the old computer.  Now you can stop threats at the Internet gateway to your home.  Sophos uses a dual anti-virus scanning engine for double protection from online threats.

With routers like these you can add a RaTtrap filter to stop malware, viruses and annoying Internet ads.  RaTtrap connects between your cable or DSL modem and your router.  The RaTtrap device continuously receives threat information from the RaTtrap security center online to protect you from current threats.

With so many options which one will you choose?

Upgrade your own router

To eliminate the security problems of factory-installed firmware, you can replace it with third-party firmware.  DD-WRT, OpenWrt, Tomato, DebWRT and HyperWRT are all open-source firmware projects that produce better firmware for many retail routers.  Each project's website gives detailed instructions for installing the new firmware on supported routers.  Below is a list of affected routers that can be upgraded using DD-WRT, Tomato or OpenWrt.

Affected Routers to Upgrade

Asus:    RT-N10, RT-N10U, RT-N56U, RT-N66U
Linksys: E1200, E2500, E3000, E3200, E4200
NetGear: R7000, R8000, WNDR4000, WNDR4300

Brands and models affected by VPNfilter

Asus:     RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, RT-N66U
D-Link:   DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, DSR-1000N
Linksys:  E1200, E2500, E3000, E3200, RV082, WRVS4400N
NetGear:  DG834, DGN1000, DGN2200, DGN3500, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000
QNAP:     TS251, TS439, other models running QTS software
TP-Link:  R600VPN, TL-WR741ND, TL-WR841N
Ubiquiti: NSM2, PBE M5
Mikrotik: CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, STX5
Upvel:    Unknown models
ZTE:      ZXHN H108N
Huawei:   HG8245