VPNFilter Malware: What Parents Need To Know

This past weekend the FBI issued a warning about a new piece of malware (MALicious softWARE) called VPNFilter, which infects home and small-office routers and enrolls them in the VPNFilter botnet. Here is a link to the FBI news release:

https://www.ic3.gov/media/2018/180525.aspx

The FBI’s recommendation was for everyone to “reboot” their routers to temporarily disrupt this threat. Well, since this started blowing up the Internet last Friday I have been researching it. Here’s Knights’ Quest’s take on it!

Yes, the FBI says to reboot. Unfortunately, many technical sites are saying this may not be sufficient in the long term. Here’s why:

VPNFilter installs in stages:

Stage 1: This is the first piece of the malware. Unlike most router malware, it is written so that it survives a reboot. Its only real job is to contact the attackers’ command-and-control infrastructure (the “botnet”) and download the rest of the malware.

Stage 2: This is the main payload. It lets the attackers run commands on the router and collect data passing through it (account logins, etc.). Some versions of Stage 2 also include a “self-destruct” command that lets the attacker overwrite the router’s firmware, cutting you off from the Internet and forcing you to go buy a new router.

Stage 3: This stage consists of plugins that Stage 2 can download to add capabilities to the malware.

Rebooting your router (cycling the power) only removes Stages 2 and 3. Stage 1 remains in the router and will try to download Stage 2 again later. The reason the FBI is asking for just a reboot at this time is so they can determine who is infected and which router models are vulnerable. This is possible because the FBI has seized part of the attackers’ infrastructure, specifically the domain that Stage 1 contacts to fetch Stages 2 and 3. When Stage 1 reactivates after you reboot, your router will contact that domain (trying to download Stage 2), and the FBI can then collect very useful data about the infected routers. They will share this information with other high-level security organizations, both governmental and private/non-profit. However, some sites have raised the question of whether Stage 1 is confirmed to use only that one domain to get Stages 2 and 3. If it has another way to find the attackers, a reboot still gives the FBI its data but does not protect you.
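For the more technical reader who keeps DNS query logs on the home network (for example with Pi-hole or any dnsmasq-based resolver), here is an added example, not from the original article, of the kind of check the paragraph above implies: scan the resolver log for lookups made by the router itself against a list of indicator domains. The log lines, the router address and the `c2-placeholder.invalid` indicator are all constructed for the example; the real domain names are not given in this article and must be taken from the Talos report linked below.

```python
import re

# Constructed dnsmasq/Pi-hole style query log (sample data, not real traffic).
SAMPLE_LOG = """\
May 26 03:12:01 dnsmasq[512]: query[A] www.example.com from 192.168.1.20
May 26 03:12:07 dnsmasq[512]: query[A] stage2.c2-placeholder.invalid from 192.168.1.1
May 26 03:12:07 dnsmasq[512]: forwarded stage2.c2-placeholder.invalid to 9.9.9.9
May 26 03:13:44 dnsmasq[512]: query[AAAA] photos.example.net from 192.168.1.33
May 26 03:15:02 dnsmasq[512]: query[A] updates.c2-placeholder.invalid from 192.168.1.1
"""

# Placeholder indicator (assumption for this example); replace with the
# domains published in the Talos VPNFilter report.
IOC_DOMAINS = {"c2-placeholder.invalid"}

# Assumed LAN address of the router whose own lookups we want to see.
ROUTER_IP = "192.168.1.1"

# dnsmasq logs each lookup as: query[<type>] <name> from <client ip>
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def domain_matches(name, iocs):
    """True if name is an indicator domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


def find_router_ioc_queries(log_text, router_ip, iocs):
    """Return (query type, name) for every indicator lookup made by router_ip.

    Pass router_ip=None to match lookups from any client, which is what you
    want when the router is itself the resolver and all client queries appear
    with its address.
    """
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # "forwarded", "reply" and other non-query lines
        if router_ip is not None and m.group("src") != router_ip:
            continue  # a laptop browsing the web is not the router phoning home
        if domain_matches(m.group("name"), iocs):
            hits.append((m.group("qtype"), m.group("name")))
    return hits


if __name__ == "__main__":
    for qtype, name in find_router_ioc_queries(SAMPLE_LOG, ROUTER_IP, IOC_DOMAINS):
        print(f"router queried indicator domain: {name} ({qtype})")
```

Two caveats. First, a hit after a reboot is exactly the Stage 1 behaviour described above and is a reason to proceed straight to the factory reset rather than wait. Second, the absence of hits proves little: this only sees the domain path, so a router that already holds the attackers’ address, or that resolves through a different server, will not show up here.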


Who Is At Risk?

Currently, only a limited number of router models have been confirmed as affected, but the list could grow.

Cisco’s Talos group, which appears to be leading the research on this, has reported the following:

Known Affected Devices

The following devices are known to be affected by this threat. Based on the scale of this research, much of our observations are remote and not on the device, so it is difficult to determine specific version numbers and models in many cases. It should be noted that all of these devices have publicly known vulnerabilities associated with them.

Given our observations with this threat, we assess with high confidence that this list is incomplete and other devices could be affected.  (emphasis added)

LINKSYS DEVICES:

E1200
E2500
WRVS4400N

MIKROTIK ROUTEROS VERSIONS FOR CLOUD CORE ROUTERS:

1016
1036
1072

NETGEAR DEVICES:

DGN2200
R6400
R7000
R8000
WNR1000
WNR2000

QNAP DEVICES:

TS251
TS439 Pro

Other QNAP NAS devices running QTS software

TP-LINK DEVICES:

R600VPN

Reference: https://blog.talosintelligence.com/2018/05/VPNFilter.html
Warning: This article is HIGHLY technical. The link is listed for reference/credit.

I have found no indication of how long we should wait for Stage 1 to execute and give the FBI the needed/desired data before we can then completely clean VPNFilter off our routers by performing a factory reset.

So, what should you do?

1. Knights’ Quest recommends rebooting (cycling the power for) both your Internet gateway and your router. While gateways, which integrate a router with your Internet modem, have not yet been identified as vulnerable to this malware, it’s wise to go ahead and reboot the gateway while you are at it! In order to minimize issues I recommend this sequence:

A.  Power down your computers.

B.  Pull the power cords completely out of both the gateway and the router (and hold on to them so they don’t fall behind the desk, etc.)

C.  Wait 30 seconds.

D.  Plug power back into the gateway.

E.   Wait 30 seconds and plug power back into the router.

F.   Wait 30 seconds and turn your computers back on.

This way the FBI will get its info. Even if your router isn’t on the list of affected models it never hurts to reboot your network every now and then.

2. About 24 hours later, update your firmware per the manufacturer’s instructions. Here is a link to TOM’S HARDWARE‘s excellent article on this process, including links to manufacturers: HOW TO UPDATE YOUR ROUTER’S FIRMWARE

3.  Now, perform a “factory reset” by using the end of a paperclip to press and hold down the reset button on the back of your router. You should hold it for at least 10 seconds. (If you can’t find it, Google the following: “manufacturer’s name” + router + reset.) Then reconfigure your router as if it were new. (It may be helpful to locate your router’s SET-UP GUIDE, either hardcopy or online.)

A factory reset wipes your settings, including the admin password you may have set, so you will need the router’s default admin password to get back in. This is the password that allows you to get into the web interface of the router. It may either be one of the old industry standards (User = “admin”; Password = “admin”, “password”, or left blank) or it may be a more complicated set of credentials located on a sticker on the router. This information can be found in the manual, either hardcopy or online. NOTE: It is not your WIFI key.

4.  Consider what, if any, changes you want to make to your network, such as changing the network names (SSIDs), changing the WIFI key, etc. The good news is that, if you use the same WIFI key and SSID, all of your computers and devices will reconnect just fine and you won’t have to reset everything. Once you have it all set up, change the Admin password for your router to a new, STRONGER password, and if your router offers “remote management” (administration from the Internet side), make sure it is turned off.

5. If you are using OpenDNS or any other router-based web filtering system you will need to reconfigure those settings once you perform the factory reset. If your router uses a program or app, such as Netgear’s GENIE program, make sure you have reset the parental controls.

6.  If you are not comfortable doing these tasks it might be worthwhile having a friend or local tech help out. Don’t ask your children if you are going to have parental controls set up.

I hope this has been helpful for you! I will update this article as warranted!

UPDATE 6/4/18:

Some have reported that a firmware update negates the need for a factory reset.  Given that updates may be a partial or full replacement of files in the firmware I would recommend performing the factory reset anyway.

