VPNFilter Malware
VPNFilter was identified by Cisco's Talos cyber intelligence group. They believe it is likely a state-sponsored program that is infecting standard home routers. Infected devices have been found in 54 countries. These retail, off-the-shelf routers do not run anti-virus software to protect the device from attack, and intrusion detection is not built into them either. But the most glaring error is that most of these devices are still running with their default usernames and passwords. Our home and small-business routers are providing a big security opportunity for the bad actors on the Internet.
FBI request
On May 23rd the Justice Department issued a press release asking that home firewalls and network storage devices be rebooted. The FBI seized one of the command-and-control domain names that this botnet uses. Rebooting your home or small-business router helps the FBI locate infected devices: the FBI is monitoring the traffic on the botnet from the command-and-control domain it captured. Rebooting your device does not clear the malware from your router or network storage device. The device has been compromised, and remediation is necessary.
Fixing your home router
Some of the software that runs your router has been altered, so the machine cannot be trusted to send and receive information on the Internet. Talos research now shows that the second-stage software downloaded after infection has the ability to inspect all packets passing through the device. That means you should not use your credit card to purchase anything on the Internet through an infected router. This is why Amazon stores your credit card information with your account.
What to do
- Find your router's manufacturer and model number. Using the table at the end of this blog, check whether your equipment is on the list of possibly compromised devices.
- If your router is on the list, remove the power cable from the back of the router. Wait one minute and plug the cable back in. Wait two to five minutes for the router to be operational again. This is the FBI step: if your device is infected, the FBI will collect information from it to aid their investigation.
- Check your router model number. Search Google for this model number to find your user manual. Open the user manual and find the section about the default password on the device.
- Chances are that you will access your router from a web browser. Open a new browser window and type 192.168.0.1 in the address bar at the top of the window. Wait for a response. If this times out, try the address 192.168.1.1 instead. One of these addresses should work with your router.
- Use the default username and/or password to log in to your router.
- Go back to the manual and locate how to change the default password.
- Now check the manual for how to disable remote access to the router settings.
- Open a new tab in your web browser. Search Google for the current firmware for your router and download it.
- Check the user manual for the procedure to upload this firmware to your router. Replace your current compromised firmware with the freshly downloaded manufacturer's firmware.
- Reboot your router to load the new clean updated firmware into the router memory.
Firewall replacement
One easy fix is to replace the network router you have had for the last six to ten years with a current model. A new router off the retail shelf is probably not compromised, but it still has the same flaws as your ten-year-old router: no anti-virus on the software that runs the device and no intrusion-prevention software. Router prices range from $90 to $350. During installation, change the default password and turn off remote support. Check the user manual for help with this.
Another option is to buy a used router running alternative firmware such as OpenWrt, DD-WRT, Tomato, or LEDE. The factory firmware on Linksys routers was taken from open source software, which anyone can use and modify to improve performance or security or to add features. Several independent developers have made great improvements to standard router firmware.
If you have an old computer, you can convert that machine into a true home next-generation firewall. The Sophos XG home firewall protects you from viruses, malware, intrusions, and phishing web sites. This is a full product that gives you the same protection large corporations use to protect their offices. A VPN server is included to give you safe Internet browsing when you are using public WiFi away from home. You will need a second network card for the old computer. Now you can stop threats at the Internet gateway to your home. Sophos uses a dual anti-virus scanning engine for double protection from online threats.
With routers like these you can add a filter to stop malware, viruses and annoying Internet ads with a RATtrap. The RATtrap connects between your cable or DSL modem and your router. It continuously receives threat information from the RATtrap security center online to protect you from current threats.
With so many options which one will you choose?
Upgrade your own router
To eliminate the security problems with factory-installed firmware, you can use third-party firmware. DD-WRT, OpenWrt, Tomato, DebWRT, and HyperWRT are all open source firmware projects that create better solutions for many retail routers. The web sites for these projects give detailed instructions for installing the new firmware on the routers. Below is a list of affected routers that can be upgraded using DD-WRT, Tomato or OpenWrt.

Affected Routers to Upgrade

| Asus | Linksys | NetGear |
|---|---|---|
| RT-10 | E1200 | R7000 |
| RT-10U | E2500 | R8000 |
| RT-N56U | E3000 | R8000 |
| RT-N66U | E3200 | WNDR4000 |
| | E4200 | WNDR4300 |
Brands and models affected by VPNFilter

| Brand | Affected models |
|---|---|
| Asus | RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, RT-N66U |
| D-Link | DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, DSR-1000N |
| Linksys | E1200, E2500, E3000, E3200, RV082, WRVS4400N |
| NetGear | DG834, DGN1000, DGN2200, DGN3500, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000 |
| QNAP | TS251, TS439 (running QTS software) |
| TP-Link | R600VPN, TL-WR741ND, TL-WR841N |
| Ubiquiti | NSM2, PBE M5 |
| MikroTik | CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, STX5 |
| Upvel | Unknown models |
| ZTE | ZXHN H108N |
| Huawei | HG8245 |