VPNFilter malware: more than half a million routers infected; how it works and how to fix it
In early June, Cisco announced that more than 500,000 routers and other network devices had been infected with the VPNFilter malware. It is now clear that this malware, which Russia has been developing, is more dangerous than first thought.
Recently, researchers on Cisco's security team reported that the malware affects a wider range of network equipment, including models previously thought to be unaffected.
What are the VPNFilter plugins?
This malware has several plugins, which we describe below:
- ssler (pronounced "Esler") is used to intercept and manipulate web traffic on port 80 and to carry out man-in-the-middle attacks; we explain it in more detail further on.
- dstr is a plugin that overwrites the device's firmware. Cisco had already found that VPNFilter can wipe a device's firmware; it is now known that this capability belongs to the third stage of the attack, discussed below.
- ps is a plugin that sniffs network packets and can filter out certain types of network traffic. Cisco believes it can be used to capture the special-purpose packets used in SCADA industrial control systems. Evidence has recently emerged, however, of this plugin being used to monitor industrial equipment over a VPN on a TP-Link R600 router.
- tor is a plugin that lets VPNFilter bots communicate with their servers over the Tor network.
How does VPNFilter work?
Of the newly discovered VPNFilter capabilities, the ssler module is the most significant: it tampers with the web traffic that passes through the infected router. The attackers can sit in the middle of the exchange and inject their own malicious content into traffic as it crosses the infected router.
This malicious content can be crafted to target a specific device attached to the infected router. ssler can also be used to manipulate the data delivered by websites.
ssler is also designed to steal sensitive data exchanged between a connected device and the outside Internet. The module actively scans web requests to locate passwords and other sensitive information and sends them to the attackers' servers (even now, more than two weeks after the attackers' servers were taken down).
To get around TLS encryption, which is designed precisely to defeat such attacks, ssler tries to downgrade encrypted HTTPS connections to plaintext HTTP traffic (without encryption). It then modifies the request headers so that the remote endpoint cannot switch the connection back to an encrypted one.
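The downgrade described above leaves traces that a defender can look for on the LAN side of the router. The following is an added example, not code from the article or from Cisco/Talos: a small scanner that runs over constructed HTTP transaction records and flags the symptoms of HTTPS-to-HTTP stripping (credential fields sent in the clear on port 80, a host that normally redirects to HTTPS answering with a plain 200, and page links rewritten to http://). The `Transaction` model, the `expect_tls` baseline flag and all sample records are assumptions made for the demonstration.

```python
"""Defender-side detection of HTTPS-to-HTTP downgrade symptoms.

Added example, not code from the article or from Cisco/Talos. It models the
traffic pattern the article attributes to ssler: requests that should have
been protected by TLS arriving as plaintext HTTP on port 80, a server's usual
redirect-to-HTTPS replaced by a plain 200 response, and page links rewritten
from https:// to http://. Every transaction below is constructed sample data.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qs

# Form field names that should never travel in the clear.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "token", "session", "otp"}

# href/src/action attributes that point at plain http://
HTTP_LINK = re.compile(r"""(?i)\b(?:href|src|action)=["']http://""")


@dataclass
class Transaction:
    """One HTTP exchange seen on the LAN side of the router (constructed model)."""
    host: str
    dst_port: int
    method: str
    path: str
    status: int
    expect_tls: bool                      # baseline: does this host normally redirect to HTTPS?
    request_body: str = ""
    response_headers: Dict[str, str] = field(default_factory=dict)
    response_body: str = ""


def findings_for(tx: Transaction) -> List[str]:
    """Return the downgrade indicators found in a single transaction."""
    findings: List[str] = []
    if tx.dst_port != 80:
        return findings                   # only plaintext HTTP is of interest here

    if tx.method == "POST":
        fields = {k.lower() for k in parse_qs(tx.request_body, keep_blank_values=True)}
        if fields & SENSITIVE_FIELDS:
            findings.append("credential field submitted over plaintext HTTP")

    if tx.expect_tls:
        headers = {k.lower(): v for k, v in tx.response_headers.items()}
        location = headers.get("location", "")
        redirected = tx.status in (301, 302, 307, 308) and location.startswith("https://")
        if not redirected:
            findings.append("host normally redirects to HTTPS but answered in plaintext")
        if HTTP_LINK.search(tx.response_body):
            findings.append("response links use http:// where https:// is expected")
    return findings


def scan(transactions: List[Transaction]) -> Dict[str, List[str]]:
    """Map 'host path' to its findings, omitting clean transactions."""
    report: Dict[str, List[str]] = {}
    for tx in transactions:
        hits = findings_for(tx)
        if hits:
            report[f"{tx.host} {tx.path}"] = hits
    return report


# Constructed samples: a stripped login, a healthy redirect, a plain-HTTP-only site.
SAMPLES = [
    Transaction("bank.example", 80, "POST", "/login", 200, True,
                request_body="user=alice&password=hunter2",
                response_headers={"Content-Type": "text/html"},
                response_body='<a href="http://bank.example/account">Account</a>'),
    Transaction("bank.example", 80, "GET", "/", 301, True,
                response_headers={"Location": "https://bank.example/"}),
    Transaction("blog.example", 80, "GET", "/", 200, False,
                response_body='<a href="http://blog.example/post">Post</a>'),
]

if __name__ == "__main__":
    for key, hits in scan(SAMPLES).items():
        print(key)
        for hit in hits:
            print("  -", hit)
```

The `expect_tls` baseline is the important design choice: a site that only ever served plain HTTP will naturally contain http:// links and answer 200, so the rewrite and missing-redirect checks are meaningful only for hosts known to enforce HTTPS. In practice that baseline would come from a recorded list of hosts seen redirecting to HTTPS before the suspected infection, or from an HSTS preload list.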
Until now, VPNFilter was thought to target home and small-office routers, switches and network-attached storage devices themselves. It is now known (through the methods described above) that the malware's main purpose is to attack the owners of those routers.
According to Craig Williams, chief technology officer at Talos Security (part of Cisco), the malware can change the balance of your bank account, and in fact manipulate any data going into or out of your device.
Talos announced that the devices vulnerable to VPNFilter are more diverse than previously thought; an estimated 200,000 more routers will be added to the previous 500,000. Among the devices identified so far:
- Other QNAP network-attached storage devices that run the QTS software
- An unspecified model
The new malware is highly targeted
One study found that the data traffic of specific control systems connected to a TP-Link R600 router's VPN network was being monitored. In addition, the eavesdropping module discussed above was examining traffic for particular assigned IP addresses, and the malware monitored data packets of 150 bytes or more.
Williams believes the attackers are looking for very specific things and do not intend to collect everything they can from the network; they are after items such as passwords and certificates. He said he is currently trying to work out who is using the malware.
How VPNFilter's stages operate
The report details a self-destruct module that can automatically remove VPNFilter's traces from the device. It was previously said that VPNFilter could be stopped by rebooting routers, but reports show that the botnet (a network of compromised computers that attackers use to carry out malicious activity) associated with it is still active.
Williams believes the reason is the deliberately staged design of the malware: the first stage acts as a backdoor, and it is one of the few known pieces of such malware that survives a router reboot. The second and third stages provide the advanced features, the man-in-the-middle attacks and the self-destruct capability, and are reinstalled each time the router is rebooted.
To work around that limitation, the first stage relies on a sophisticated mechanism for locating the servers that hold the second- and third-stage components. Initially this information was placed on a website; after that site was blocked, VPNFilter used an alternative one.
Devices infected before the initial website was blocked, however, can still be exploited by the attackers, who can install the VPNFilter stages on the router manually. Hundreds of thousands of routers are still infected with the first stage, and perhaps the second and third.
Is there a way to find out whether a router is infected, and to remove the malware?
Unfortunately there is no easy way to do this. One method is to examine the router's logs for the indicators listed in the Cisco report.
The other is to reverse-engineer the router's firmware or, at least, to pull the firmware image from the router and compare it with a known-good sample to identify any changes. Both methods are beyond the reach of most router owners. Note that researchers still do not know how routers are infected in the first stage.
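The firmware comparison mentioned above can be done offline with a few lines of code once an image has been pulled from the device. The following is an added example, not code from the article, from any router vendor, or from Cisco/Talos: it hashes the pulled image, checks it against the hash the vendor publishes for that firmware version, and if they differ reports the size change and the block offsets that were modified. The reference image, the stand-in "published" hash and the tampered copy are all constructed for the demonstration; the 4 KiB block size is an assumption.

```python
"""Check a router firmware image against a known-good reference.

Added example, not code from the article, the router vendors, or Cisco/Talos.
It shows the comparison step the text describes: hash the image pulled from
the device, compare it with the hash the vendor publishes for that firmware
version, and if they differ, report which regions of the image changed. The
reference image, the "vendor" hash and the tampered copy are all constructed.
"""
import hashlib
import hmac
from typing import List, Optional

BLOCK_SIZE = 4096            # assumed granularity for locating differences


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hash a firmware file from disk without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_reference(image: bytes, published_sha256: str) -> bool:
    """True when the image hashes to the value the vendor published."""
    return hmac.compare_digest(sha256_hex(image), published_sha256.strip().lower())


def differing_blocks(image: bytes, reference: bytes, block: int = BLOCK_SIZE) -> List[int]:
    """Offsets of every block where the pulled image differs from the reference.

    A block present in one image and absent from the other (size mismatch)
    counts as a difference, so appended data shows up at the tail.
    """
    offsets = []
    for off in range(0, max(len(image), len(reference)), block):
        if image[off:off + block] != reference[off:off + block]:
            offsets.append(off)
    return offsets


def describe(image: bytes, reference: bytes, published_sha256: str) -> Optional[str]:
    """None when the image is pristine, otherwise a short summary of what changed."""
    if matches_reference(image, published_sha256):
        return None
    parts = [f"hash mismatch: got {sha256_hex(image)[:16]}..., expected {published_sha256[:16]}..."]
    if len(image) != len(reference):
        parts.append(f"size differs by {len(image) - len(reference):+d} bytes")
    changed = ", ".join(hex(o) for o in differing_blocks(image, reference))
    parts.append("changed blocks at offsets " + changed)
    return "; ".join(parts)


# Constructed reference image: 16 KiB of a repeating byte pattern (four blocks).
REFERENCE = bytes(range(256)) * 64
PUBLISHED_SHA256 = sha256_hex(REFERENCE)      # stands in for the vendor's published hash

# Constructed tampered copy: one byte flipped inside block 1, ten bytes appended.
_tampered = bytearray(REFERENCE)
_tampered[5000] ^= 0xFF
TAMPERED = bytes(_tampered) + b"\x00" * 10

if __name__ == "__main__":
    print("reference:", describe(REFERENCE, REFERENCE, PUBLISHED_SHA256))
    print("tampered: ", describe(TAMPERED, REFERENCE, PUBLISHED_SHA256))
```

A hash mismatch on its own does not prove infection: a vendor image and a dump read from flash can legitimately differ in headers, padding or a configuration partition, which is why the block offsets matter. Differences confined to a known configuration region are expected; differences inside the root filesystem or kernel region of an image that was supposedly never updated are what warrant a closer look with the reverse-engineering approach the text mentions.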
The full cleaning procedure varies by model. On some models the first-stage data can be cleared by pressing the reset button on the back of the device to return it to factory settings. Note that on many routers a short press only reboots the device; to reset it to factory settings the button must be held for as long as the router's manual specifies (for example, more than 5 or 10 seconds).
On some models you must reboot the router and then promptly install the latest official firmware version. In the end you may have to buy a new router.
Router owners should always change the router's default passwords and, where possible, disable remote administrative access. A firewall placed in front of the router also provides additional protection. Williams has said there is still no evidence of VPNFilter infecting devices running the customised Tomato, Merlin WRT and DD-WRT firmware, but the possibility of infection is not ruled out.
Earlier, the FBI had announced that VPNFilter could be disabled by rebooting routers, but according to a recent report Williams believes the FBI is creating a false sense of security: VPNFilter is still operational and has infected more devices than originally thought.