It's been a busy few days for a sophisticated piece of botnet malware dubbed VPNFilter.
First, the Security Service of Ukraine (SBU) issued a warning about a botnet that had infected at least 500,000 routers and Network Attached Storage (NAS) devices with some of the most sophisticated malware ever seen in a botnet.
Then, Cisco Talos and Symantec issued detailed write-ups on the situation and on the malware, which the two firms call VPNFilter. The botnet was still growing, and it exhibited the curious behavior of seeking out Ukrainian hosts -- even though Talos found infections in at least 54 countries.
Finally, in a surprise move late on May 23, journalist Kevin Poulsen reported that the FBI had taken away the malware's ability to rebuild itself after the host is rebooted. A court order gave the FBI control of a domain that the malware uses as a hard-coded emergency backup command-and-control (C&C) server.
A diagram of the VPNFilter botnet malware in action
(Source: Cisco Talos)
Taking over that domain lets the FBI stop the Stage 2 and Stage 3 downloads from starting.
VPNFilter is a three-stage attack. The first stage survives a reboot, which normally erases malware on these devices, and then reloads the later stages. Persisting through a reboot sets VPNFilter apart from almost all other malware that targets routers and other IoT devices.
The second stage carries the main payload: file collection, command execution, data exfiltration and device management. Worryingly, it also has a destructive capability that can effectively "brick" the device on command from the attackers. It does this by overwriting a portion of the device's firmware in flash and then rebooting, which leaves the device unusable.
Stage 3 consists of plugins that work with the second stage.
There is another seemingly unique capability -- a packet sniffer for spying on traffic that is routed through the device. The sniffer can steal website credentials sent in the clear and can monitor Modbus, a SCADA protocol used by industrial controllers. There may be other Stage 3 modules that haven't been seen yet.
That Supervisory Control and Data Acquisition (SCADA) monitoring is the giveaway as to what this malware is all about. The devices behind these protocols are the gateways to a country's infrastructure. The ability to watch that traffic, and then to make the routers the malware sits on fail without recovery, would be devastating.
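To make concrete what a device-resident sniffer of this kind harvests from traffic passing through a router, here is an added example (not code from the original article, and not VPNFilter's own code). It builds a few constructed IPv4/TCP packets inline, then does what a defender's passive inspection on a span port would do: pull HTTP Basic credentials out of cleartext admin logins and decode the MBAP header and function code of Modbus/TCP frames, flagging writes to a controller. Port numbers, addresses and the sample payloads are assumptions for the demonstration.

```python
import base64
import re
import socket
import struct

MODBUS_PORT = 502
HTTP_PORTS = {80, 8080}

# Human-readable names for common Modbus function codes (public function code table).
MODBUS_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
MODBUS_WRITES = {5, 6, 15, 16}

AUTH_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I | re.M)


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Build a minimal IPv4+TCP packet (checksums left zero; constructed test input only)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:  # protocol 6 = TCP
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4  # TCP header length in bytes
    return src, dst, sport, dport, pkt[ihl + data_off:]


def inspect_http(payload):
    """Pull the username out of an HTTP Basic header; report only the password length."""
    m = AUTH_RE.search(payload)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, pw = decoded.partition(":")
    return {"user": user, "password_len": len(pw)}


def inspect_modbus(payload):
    """Decode the MBAP header and function code of a Modbus/TCP request."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # MBAP length covers unit id + PDU
        return None
    func = payload[7]
    return {"unit": unit, "function": func,
            "name": MODBUS_FUNCTIONS.get(func, "other"), "write": func in MODBUS_WRITES}


def inspect(packets):
    """Return one finding per packet that exposes credentials or carries Modbus."""
    findings = []
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if not parsed:
            continue
        src, dst, sport, dport, payload = parsed
        if dport in HTTP_PORTS:
            hit = inspect_http(payload)
            if hit:
                findings.append({"kind": "http_basic_auth", "src": src, "dst": dst, **hit})
        elif dport == MODBUS_PORT:
            hit = inspect_modbus(payload)
            if hit:
                findings.append({"kind": "modbus", "src": src, "dst": dst, **hit})
    return findings


# Constructed sample traffic (not a real capture): a router admin login over cleartext
# HTTP, a poll and a write to a PLC over Modbus/TCP, and an opaque TLS packet.
SAMPLE_PACKETS = [
    build_ipv4_tcp("192.168.1.50", "192.168.1.1", 40001, 80,
                   b"GET /admin HTTP/1.1\r\nHost: 192.168.1.1\r\n"
                   b"Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n"),
    build_ipv4_tcp("10.0.0.5", "10.0.0.20", 40002, 502,
                   bytes.fromhex("0001000000060103000a000a")),  # read 10 holding registers
    build_ipv4_tcp("10.0.0.5", "10.0.0.20", 40003, 502,
                   bytes.fromhex("00020000000601060001ff00")),  # write register 1
    build_ipv4_tcp("192.168.1.50", "203.0.113.10", 40004, 443, b"\x16\x03\x01..."),
]

if __name__ == "__main__":
    for finding in inspect(SAMPLE_PACKETS):
        print(finding)
```

The point of the last sample packet is the defensive lesson: traffic inside TLS yields nothing to a sniffer sitting on the router, while an admin login over plain HTTP hands over the credentials in full. The same logic, pointed at a span port rather than at constructed packets, shows what a compromised router on your own network would have been able to collect.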
The sophistication and targeting of the malware make it all but certain that a nation-state created it. The recent Ukrainian targeting, along with a C&C server set up just for Ukrainian hosts, makes Russia the probable originator. This follows previous Russian attacks on Ukraine's infrastructure, according to the US Department of Homeland Security.
On an infected device, Cisco found that rebooting wipes Stages 2 and 3 but not Stage 1, and Stage 1 then reloads Stages 2 and 3.
Removing Stage 1 may require a factory reset of the device, which also erases any stored configuration settings; reflashing the latest firmware afterwards is the safest course.
However, with the FBI controlling the backup domain that Stage 1 relies on to reload the later stages, the back of the botnet has been broken. The threat to Ukrainian infrastructure has been greatly reduced, unless Russia gets a second version out the door in short order. Even with the FBI's interdiction, users still need to remove all traces of the malware, Stage 1 included, to be reasonably assured of safety from the current threat.
Symantec found the malware on the following devices:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- MikroTik RouterOS on Cloud Core Routers: models CCR1016, CCR1036 and CCR1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
Netgear is also advising customers that -- in addition to applying the latest firmware updates and the always useful step of changing default passwords -- they should ensure that remote management is turned off on their router. Remote management is off by default on Netgear routers and can only be turned on through the router's advanced settings, so a router with it enabled has been deliberately exposed to the internet.
This is state cyberwar, brought to the user level. Even though this particular skirmish seems to have been won by the "GoodGuys," simply having a commodity device like a router can make one a participant in it. Perhaps this will make those who think security is for someone else realize that if you aren't part of the solution -- you are definitely part of the problem.
— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.