'VPNFilter malware focuses on more routers and injects code into web traffic'
The VPNFilter malware, of which a command and control server was recently taken over by the FBI, now appears to target more router types. In addition, the malware has new functions, such as the injection of malicious code into network traffic.
Cisco Talos, the security company that VPNFilter noticed in writes in a new analysis that the new has discovered modules that can use the malware. The malicious software already appeared to consist of three modules or stages, of which only the first one can endure a reboot of an infected device. The second module has possibilities such as collecting information and executing commands. The third modules must be seen as a kind of plug-ins for the second module. The new modules are about these types of plug-ins. For example, a so-called ‘ssler’ module is capable of injecting javascript into network traffic, while a ‘dstr’ module can make an infected device unusable.
The ssler module intercepts http traffic to port 80 via a man- in-the-middle position and can inject code in this way. In this way, those behind the malware can, for example, execute exploits on connected devices, according to the Talos researchers. But stealing information would also be possible. The module attempts to redirect https traffic to http, replacing this prefix with ‘http: //’. The researchers say nothing about the effectiveness of this approach. The dstr module, on the other hand, is intended to make an infected device unusable by removing files that are necessary for normal use. The module then removes itself.
Moreover, VPNFilter is now targeting more devices and new manufacturers, including Asus, D-Link, Huawei and ZTE. These are shown below in a table. Ars Technica spoke with one of the Talos researchers, Craig Williams. He explains that although the FBI was able to take over a command and control server from the persons behind the malware it is still possible to communicate with possibly hundreds of thousands of infected devices. The first module of the malware uses exif data from Photobucket images in the first instance to determine the location of the second and third modules. If that does not work, he uses the c2 server. However, there is also a third way to install those modules by using special trigger packets .
Williams believes that the FBI has misled users by giving the impression that a restart of the router is enough to get rid of the malware. Talos, like the Ukrainian SBU, expressed the suspicion that the malware comes from Russia. It is difficult to find out whether a device is actually infected with the malware, says Ars Technica. Removing it is also cumbersome. For some models, for example, it is necessary to reset the device to the factory settings or to install the latest firmware from the manufacturer after a restart. In the case of older devices it would be better to purchase a new model.
The ssler module intercepts http traffic to port 80 via a man- in-the-middle position and can inject code in this way. In this way, those behind the malware can, for example, execute exploits on connected devices, according to the Talos researchers. But stealing information would also be possible. The module attempts to redirect https traffic to http, replacing this prefix with ‘http: //’. The researchers say nothing about the effectiveness of this approach. The dstr module, on the other hand, is intended to make an infected device unusable by removing files that are necessary for normal use. The module then removes itself.
Moreover, VPNFilter is now targeting more devices and new manufacturers, including Asus, D-Link, Huawei and ZTE. These are shown below in a table. Ars Technica spoke with one of the Talos researchers, Craig Williams. He explains that although the FBI was able to take over a command and control server from the persons behind the malware it is still possible to communicate with possibly hundreds of thousands of infected devices. The first module of the malware uses exif data from Photobucket images in the first instance to determine the location of the second and third modules. If that does not work, he uses the c2 server. However, there is also a third way to install those modules by using special trigger packets .
Williams believes that the FBI has misled users by giving the impression that a restart of the router is enough to get rid of the malware. Talos, like the Ukrainian SBU, expressed the suspicion that the malware comes from Russia. It is difficult to find out whether a device is actually infected with the malware, says Ars Technica. Removing it is also cumbersome. For some models, for example, it is necessary to reset the device to the factory settings or to install the latest firmware from the manufacturer after a restart. In the case of older devices it would be better to purchase a new model.
| Linksys | Mikrotik | Netgear | Qnap | TP-Link | Asus | D-Link | Huawei | Ubiquity | ZTE | |||||||||
| E1200 | CCR1016 | DGN2200 | TS251 | R600VPN | RT-AC66U | DES-1210-08P | HG8245 | NSM2 | ZXHN H108N | |||||||||
| E2500 | CCR1036 | R6400 | ] TS439 Pro | TL-WR741ND | RT-N10 | DIR-300 | PBE M5 | |||||||||||
| WRVS4400N | CCR1072 | R7000 | TL-WR841N | RT-N10E | DIR-300A | |||||||||||||
| E3000 | CCR1009 | R8000 | RT-N10U | D SR-250N | ||||||||||||||
| E3200 | CRS109 | WNR1000 | RT-N56U | ] DSR-500N | ||||||||||||||
| E4200 | CRS112 | WNR2000 | RT-N66U [19659007] DSR-1000 | |||||||||||||||
| RV082 | CRS125 | DG834 | DSR-1000N | |||||||||||||||
| RB411 | DGN1000 | |||||||||||||||||
| RB450 | DGN3500 | |||||||||||||||||
| RB750 | FVS318N | |||||||||||||||||
| RB911 | MBRN3000 | |||||||||||||||||
| RB921 | WNR2200 | |||||||||||||||||
| RB941 | WNR4000 | |||||||||||||||||
| RB951 | WNDR3700 | |||||||||||||||||
| RB952 | WNDR4000 | |||||||||||||||||
| RB960 | WNDR4300 | |||||||||||||||||
| RB962 | WNDR4300-TN | |||||||||||||||||
| RB1100 | UTM50 | |||||||||||||||||
| RB1200 | [19659007] | |||||||||||||||||
| RB2011 | ||||||||||||||||||
| [19659007] RB3011 | ||||||||||||||||||
| RB Groove | [19659007] | [19659007] | ||||||||||||||||
| RB Omnitik | [19659026] | STX5 |
Bold = new, data from Cisco Talos. Devices from Upvel have also been affected, but it is unclear which models are involved.