VPNFilter malware targets more routers and injects code into web traffic
The VPNFilter malware, of which a command and control server was recently taken over by the FBI, now appears to target more router types. In addition, the malware has new features such as injecting malicious code into network traffic.
Cisco Talos, the security company that discovered VPNFilter in May, writes in a new analysis that it has found new modules that the malware can deploy. The malware was previously found to consist of three modules or stages, of which only the first survives a reboot of an infected device. The second module has capabilities such as collecting information and executing commands. The modules of the third stage should be seen as plug-ins for the second module, and the newly found modules are of this kind. For example, a module called ‘ssler’ can inject JavaScript into network traffic, while a ‘dstr’ module can render an infected device unusable.
The ssler module intercepts HTTP traffic to port 80 from a man-in-the-middle position and injects code into it. In that way, the people behind the malware can, for example, run exploits against connected devices, the Talos researchers say, but stealing information would also be possible. The module also attempts to downgrade HTTPS traffic to HTTP by replacing the ‘https://’ prefix with ‘http://’; the researchers say nothing about how effective this approach is. The dstr module, on the other hand, aims to render an infected device unusable by deleting files required for normal operation. After that, the module removes itself.
Image: Talos
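As an added, defender-side illustration (not code from the article or from Talos): the two symptoms of ssler tampering described above, https links rewritten to http and scripts that were not in the original page, can be spotted by comparing a page fetched over a trusted path with the same page as seen through a suspect gateway. The sample HTML, host names and the 203.0.113.9 address are constructed for this example.

```python
from html.parser import HTMLParser

class _PageCollector(HTMLParser):  # gathers link targets and <script> elements
    def __init__(self):
        super().__init__()
        self.links = []
        self.scripts = []  # [src, inline_text] for each <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.links.extend(a[k] for k in ("href", "src", "action") if a.get(k))
        if tag == "script":
            self._in_script = True
            self.scripts.append([a.get("src"), ""])

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1][1] += data.strip()

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def _collect(html):
    p = _PageCollector()
    p.feed(html)
    return set(p.links), [tuple(s) for s in p.scripts]

def detect_tampering(reference_html, observed_html):
    """Return (kind, detail) findings: https links rewritten to http, and scripts present only in the observed copy."""
    ref_links, ref_scripts = _collect(reference_html)
    obs_links, obs_scripts = _collect(observed_html)
    findings = []
    for link in sorted(ref_links):
        if link.startswith("https://"):
            downgraded = "http://" + link[len("https://"):]
            if downgraded in obs_links and link not in obs_links:
                findings.append(("downgraded_link", link))
    for src, body in obs_scripts:
        if (src, body) not in ref_scripts:
            findings.append(("injected_script", src or body))
    return findings

# Constructed sample: the same page over a trusted path and as seen via the suspect router.
REFERENCE_HTML = ('<a href="https://bank.example/login">Login</a>'
                  '<script src="https://bank.example/app.js"></script>')
OBSERVED_HTML = ('<a href="http://bank.example/login">Login</a>'
                 '<script src="https://bank.example/app.js"></script>'
                 '<script src="http://203.0.113.9/inject.js"></script>')
```

Calling `detect_tampering(REFERENCE_HTML, OBSERVED_HTML)` reports the downgraded login link and the extra script; an unmodified page yields no findings.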
In addition, VPNFilter now targets more devices and new manufacturers, including Asus, D-Link, Huawei and ZTE; these are listed in the table below. Ars Technica spoke with Craig Williams, one of the Talos researchers. He explains that although the FBI was able to take over a command and control server from the people behind the malware, it is still possible to communicate with potentially hundreds of thousands of infected devices. The malware’s first module initially uses EXIF data from Photobucket images to determine the location of the second and third modules. If that does not work, it uses the C2 server. There is also a third way to install those modules: through special trigger packets.
Williams believes that the FBI has misled users by giving the impression that rebooting the router is enough to get rid of the malware. Talos, like the Ukrainian SBU, has voiced the suspicion that the malware originates from Russia. According to Ars Technica, it is hard to tell whether a device is actually infected with the malware, and removing it is also cumbersome: for some models it is necessary to reset the device to factory settings, or to install the latest firmware from the manufacturer after a reboot. For older devices, it would be better to buy a new model.
| Linksys | MikroTik | Netgear | QNAP | TP-Link | Asus | D-Link | Huawei | Ubiquiti | ZTE |
|---|---|---|---|---|---|---|---|---|---|
| E1200 | CCR1016 | DGN2200 | TS251 | R600VPN | **RT-AC66U** | **DES-1210-08P** | **HG8245** | **NSM2** | **ZXHN H108N** |
| E2500 | CCR1036 | R6400 | TS439 Pro | **TL-WR741ND** | **RT-N10** | **DIR-300** | | **PBE M5** | |
| WRVS4400N | CCR1072 | R7000 | | **TL-WR841N** | **RT-N10E** | **DIR-300A** | | | |
| **E3000** | **CCR1009** | R8000 | | | **RT-N10U** | **DSR-250N** | | | |
| **E3200** | **CRS109** | WNR1000 | | | **RT-N56U** | **DSR-500N** | | | |
| **E4200** | **CRS112** | WNR2000 | | | **RT-N66U** | **DSR-1000** | | | |
| **RV082** | **CRS125** | **DG834** | | | | **DSR-1000N** | | | |
| | **RB411** | **DGN1000** | | | | | | | |
| | **RB450** | **DGN3500** | | | | | | | |
| | **RB750** | **FVS318N** | | | | | | | |
| | **RB911** | **MBRN3000** | | | | | | | |
| | **RB921** | **WNR2200** | | | | | | | |
| | **RB941** | **WNR4000** | | | | | | | |
| | **RB951** | **WNDR3700** | | | | | | | |
| | **RB952** | **WNDR4000** | | | | | | | |
| | **RB960** | **WNDR4300** | | | | | | | |
| | **RB962** | **WNDR4300-TN** | | | | | | | |
| | **RB1100** | **UTM50** | | | | | | | |
| | **RB1200** | | | | | | | | |
| | **RB2011** | | | | | | | | |
| | **RB3011** | | | | | | | | |
| | **RB Groove** | | | | | | | | |
| | **RB Omnitik** | | | | | | | | |
| | **STX5** | | | | | | | | |
Bold = new; data sourced from Cisco Talos. Upvel devices are also affected, but it is unclear which models.