Windows News and info 15th Anniversary 2009-2024

Windows 11 | Windows 10 Modifying => Patch Tuesday| Updates | Security | Privacy | Anti-virus => Topic started by: javajolt on May 31, 2018, 05:06:55 AM

Title: Reboot Your Router to remove VPNFilter? Why It's Not Enough
Post by: javajolt on May 31, 2018, 05:06:55 AM
(http://s15.postimg.cc/b73jkg4uz/VPNFilter-2.jpg)
After it was reported that the VPNFilter botnet consisting of over 500,000 routers and NAS devices was taken over by the US government, the FBI issued an advisory stating that users should reboot their routers in order to disrupt the malware.

Unfortunately, as shown by the five phone calls I received today, many people heard the reboot part but did not read the rest of the recommendations of turning off remote administration, changing passwords, and upgrading to the latest firmware. One step that was not mentioned is the fact that the only way to truly remove VPNFilter is to reset the router to factory defaults.

Due to this, people are just resetting their routers but leaving part of the malware still present after it is rebooted. With that said, I have put together a guide on VPNFilter, what the FBI advisory (http://www.ic3.gov/media/2018/180525.aspx) is about, and the steps you should perform to clean and secure your router.

What is VPNFilter?

VPNFilter is malware that targets routers and NAS devices in order to steal files, information, and examine network traffic as it flows through the device. When the malware is installed, it will consist of three different stages, with each stage performing specific functions.

Stage 1 is installed first and allows the malware to stay persistent even when the router is rebooted.

Stage 2 allows the attackers execute commands and steal data. This stage also contains a self-destruct ability that essentially makes the router, and thus your network connection, non-functional.

Stage 3 consists of various plugins that can be installed into the malware that allow it to perform different functions such as sniff the network, monitor SCADA communication, and to communicate over TOR.

While Stage 1 will run again after a router is rebooted, Stage 2 and 3 will not.

For this reason, the FBI has suggested that everyone reboot their router in order to disable Stage 2 and Stage 3 and to also allow the FBI to get a list of infected victims and the types of routers that are affected.

Routers that are known to be affected by VPNFilter

According to reports from Cisco, Symantec, and the Security Service of Ukraine, the affected routers are:

• Linksys E1200

• Linksys E2500

• LinkSys WRVS4400N

• Mikrotik RouterOS Versions for Cloud Core Routers: 1016, 1036, 1072

• Netgear DGN2200

• Netgear R6400

• Netgear R7000

• Netgear R8000

• Netgear WNR1000

• Netgear WNR2000

• QNAP TS251

• QNAP TS439 Pro

• Other QNAP NAS devices running QTS software;

• TP-Link R600VPN

While the above are the currently known routers that can be infected with VPNFilter, there is no guarantee that they are the only ones. Therefore, everyone should follow the below recommendations to harden and secure their routers regardless of the make and manufacturer.

Can you tell if your router is infected with VPNFilter?

Unfortunately, there is no easy way to tell if your router is infected with VPNFilter.

If you are concerned or suspect, that your router is infected with VPNFilter you should perform the suggestions below.

Will rebooting the router really remove the VPNFilter infection?

The short answer is yes and no. Rebooting the router will unload the Stage 2 and Stage 3 components of VPNFilter, but Stage 1 will start again after the router reboots. So while the most malicious components will be disabled, VPNFilter will still be present on your device.

The only real way to fully remove this infection is to reset your router back to factory defaults, which will also reboot the router. Unfortunately, this process will require you to setup your router again, add an admin password, and setup any wireless networks that are configured.

The full steps you should take to remove VPNFilter and protect your router are listed below.

How to remove VPNFilter and protect your router or NAS

To completely remove VPNFilter and protect your router from being infected again, you should follow these steps:

1. Reset Router to Factory Defaults: Linksys (http://www.linksys.com/eg/support-article?articleNum=139791) * Netgear (http://kb.netgear.com/9665/How-do-I-perform-a-factory-reset-on-my-NETGEAR-router) * MikroTik (http://www.mikrotik.com.my/reset-to-factory-default-settings/) * QNAP (http://www.qnap.com/en/how-to/knowledge-base/article/the-different-ways-of-resetting-your-nas-explained) * TP-Link (http://www.tp-link.com/ae/faq-497.html)

2. Upgrade to the latest firmware: Linksys (http://www.linksys.com/nz/support-article?articleNum=140365) * Netgear (http://kb.netgear.com/000053880/How-to-update-firmware-on-your-NETGEAR-product) * MikroTik (http://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS) * QNAP (http://www.qnap.com/en/how-to/tutorial/article/how-to-update-your-qnap-nass-firmware) * TP-Link (http://www.tp-link.com/ae/faq-688.html)

3. Change the default admin password: Linksys (http://www.linksys.com/gr/support-article?articleNum=136612) * Netgear (http://kb.netgear.com/20026/How-do-I-change-the-admin-password-on-my-NETGEAR-router) * MikroTik (http://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#Access_password) * QNAP (http://www.sbsfaq.com/?p=3218&doing_wp_cron=1527734549.9036970138549804687500) * TP-Link (http://www.tp-link.com/us/faq-73.html)

4. Disable Remote Administration: Linksys (http://www.linksys.com/us/support-article?articleNum=133184) * Netgear (http://kb.netgear.com/20600/Configuring-Remote-Management-on-a-NETGEAR-Router) * MikroTik (http://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#Router_services) * QNAP (http://www.qnap.com/en/how-to/faq/article/how-to-make-your-turbo-nas-more-secure) * TP-Link (http://www.tp-link.com/ae/faq-308.html)
The Linksys and Netgear links are for enabling remote administration, which we do not want to do. I only listed them as it shows how to get to a page where you can check if it's enabled or not. Typically, remote administration is disabled by default.

Advisories from router manufacturers regarding VPNFilter can be found at Linksys (http://community.linksys.com/t5/Wireless-Routers/VPNFilter-Malware-Update/td-p/1315372) * MikroTik (http://forum.mikrotik.com/viewtopic.php?t=134776) * Netgear (http://kb.netgear.com/000058814/Security-Advisory-for-VPNFilter-Malware-on-Some-Routers) * QNAP (http://www.qnap.com/en-us/security-advisory/NAS-201805-24) * TP-Link (http://www.tp-link.com/us/faq-2212.html)

While these steps will remove the VPNFilter infection and protect you from current known threats, they are not going to protect you forever. As new exploits are discovered in the current firmware, your routers will become vulnerable again.

Therefore, it is always important to check for new firmware updates and install them when they come out.

Should you reset your router even if it's not one of the listed ones?

This is a tough one. On one hand, its always better to be safe than sorry. On the other, for some it can be very difficult to configure a router from scratch.

With that said, I do suggest that you follow these steps as its only a good thing to have your router running the latest firmware and the other steps only further protect your device.

Update 5/30/18: Added advisories from router manufacturers and info for MikroTik.

source (http://www.bleepingcomputer.com/news/security/reboot-your-router-to-remove-vpnfilter-why-its-not-enough/)