VPNFilter - causes and methods of removing the virus

The new malware, known as VPNFilter and recently identified by the Cisco Talos Intelligence Group, has already infected more than 500,000 routers and network-attached storage (NAS) devices, many of them in small businesses and offices. What makes this virus especially dangerous is its so-called “persistent” ability to do harm: it will not disappear just because the router is rebooted.

How to remove the VPNFilter malware.

What is VPNFilter

According to Symantec, "data from Symantec's honeypots and sensors show that, unlike other IoT threats, the VPNFilter virus does not seem to scan and try to infect every vulnerable device around the world." This means there is a specific strategy and target behind the infection. As potential targets, Symantec has identified devices from Linksys, MikroTik, Netgear, TP-Link and QNAP.

So how are devices infected? Through flaws in software or hardware that create a kind of backdoor through which an attacker can disrupt the operation of the device. Hackers use the standard default names and passwords to infect devices, or gain access through known vulnerabilities that should have been fixed by regular software or firmware updates. This is the same mechanism that led to the massive Equifax breach last year, and it is probably the biggest source of cyber vulnerability!

It is also unclear who these hackers are and what their intentions are. There is an assumption that a large-scale attack is planned that will make infected devices useless. The threat is so extensive that the Department of Justice and the FBI recently announced that a court had ruled to seize devices suspected of being compromised. The court's decision will help identify victim devices, disrupt the hackers' ability to steal personal and other confidential information, and prevent destructive cyber attacks carried out with the VPNFilter Trojan.

How the virus works

VPNFilter uses a very sophisticated two-stage method of infection, the purpose of which is to make your device a victim of intelligence gathering and even a destructive operation. The first stage involves rebooting your router or hub. Since VPNFilter, like the Mirai malware, is aimed primarily at routers and other Internet-connected devices, this can happen as a result of an automated botnet attack rather than a successful compromise of central servers. Infection occurs through an exploit that causes the device to reboot. The main objective of this stage is to gain partial control and enable the deployment of stage 2 once the reboot is complete. The steps of stage 1 are as follows:

  1. Downloads an image from Photobucket.
  2. Runs exploits and uses the image metadata to obtain IP addresses.
  3. Connects to the server and downloads the malicious program, then executes it automatically.

As the researchers report, the separate first-stage URLs are Photobucket libraries belonging to fake user accounts.


Once the second stage of infection starts, the actual capabilities of the VPNFilter malware become much more extensive. At this stage the malware:

  • Connects to a C&C server.
  • Runs Tor, PS and other plugins.
  • Performs malicious actions including data collection, command execution, file theft and device management.
  • Can self-destruct, rendering the device unusable.

The researchers also published the IP addresses associated with the second stage of infection.


In addition to these two stages, cybersecurity researchers at Cisco Talos have also reported a stage 3 server whose purpose is still unknown.

Vulnerable routers

Not every router can be affected by VPNFilter. Symantec describes in detail which routers are vulnerable. Today, VPNFilter can infect Linksys, MikroTik, Netgear and TP-Link routers, as well as QNAP network-attached storage (NAS) devices. These include:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • MikroTik RouterOS for Cloud Core Routers (versions 1016, 1036 and 1072)
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices with QTS software
  • TP-Link R600VPN

If you have any of the above devices, check your manufacturer’s support page for updates and tips on removing VPNFilter. Most manufacturers already have a firmware update that should completely protect you from the VPNFilter attack vectors.

How to determine that the router is infected

It is not possible to determine the degree of infection of a router, even with the help of Kaspersky Anti-Virus. IT specialists at all the leading companies worldwide have not yet solved this problem. The only recommendation they can offer so far is to reset the device to factory settings.

Will rebooting the router help get rid of a VPNFilter infection

Restarting the router only interrupts the virus in its first two stages. Traces of the malware remain and will gradually reinfect the router. Resetting the device to factory settings solves the problem.

How to remove VPNFilter and protect your router or NAS

In accordance with Symantec's recommendations, you need to restart the device and then immediately apply any available updates and re-flash the firmware. It sounds easy, but, again, the lack of regular software and firmware updates is the most common cause of cyber attacks. Netgear also advises users of its devices to disable any remote management features. Linksys recommends restarting its devices at least once every few days.

Simply cleaning and resetting your router does not always completely eliminate the problem, since the malware is a complex threat that can embed itself deeply in the router's firmware. That is why the first step is to check whether your network has been exposed to this malware. Cisco researchers strongly recommend doing this by completing the following steps:

  1. Create a new host group named “VPNFilter C2” and place it under external hosts in the Java UI.
  2. Then confirm whether the group is exchanging data by checking the group's “contacts” on your device.
  3. If there is no active traffic, the researchers advise network administrators to create an alarm: create an event and select the host group in the web-based user interface, so that a notification fires as soon as any traffic to that host group occurs.
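The host-group check above, as an added example that is not part of the original article or of Cisco's tooling: a small Python script that parses constructed flow records and reports every internal host that contacted a constructed stand-in for the “VPNFilter C2” group. The group uses RFC 5737 documentation addresses, not real indicators, and the record format is an assumption for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for the "VPNFilter C2" host group: RFC 5737 documentation
# addresses chosen for this example, not real VPNFilter indicators. A real
# deployment would load the published IOC list here instead.
VPNFILTER_C2_GROUP = {"198.51.100.7", "203.0.113.45", "192.0.2.200"}

# Constructed flow records: "timestamp src dst dport proto", one per line.
SAMPLE_FLOWS = """\
2018-05-24T10:01:12Z 10.0.0.12 93.184.216.34 443 tcp
2018-05-24T10:02:03Z 10.0.0.12 198.51.100.7 443 tcp
2018-05-24T10:02:55Z 10.0.0.40 203.0.113.45 9050 tcp
2018-05-24T10:03:10Z 10.0.0.40 8.8.8.8 53 udp
not a valid flow record
2018-05-24T10:04:44Z 10.0.0.12 198.51.100.7 443 tcp
"""

def parse_flow(line):
    """Parse one flow record into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        port = int(dport)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "dport": port, "proto": proto}

def c2_contacts(flow_text, group=VPNFILTER_C2_GROUP):
    """Map each internal host to its (ts, c2_ip, dport) contacts with the group.
    An empty result is the "no active traffic" case from the text: the group has
    not been contacted yet, and an alarm on future contacts is the next step."""
    hits = defaultdict(list)
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec and rec["dst"] in group:
            hits[rec["src"]].append((rec["ts"], rec["dst"], rec["dport"]))
    return dict(hits)

def alert_lines(flow_text, group=VPNFILTER_C2_GROUP):
    """One alert string per internal host that touched the C2 group."""
    return [f"ALERT {h} contacted VPNFilter C2 group {len(c)} time(s)"
            for h, c in sorted(c2_contacts(flow_text, group).items())]
```

Feeding the script real flow exports from your collector, with the group replaced by the vendor-published indicators, gives the same "has this group had any contacts" answer as step 2.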

Next, reboot the router. To do this, simply disconnect it from the power supply for 30 seconds, then plug it back in.

The next step is to reset your router. Information on how to do this can be found in the manual in the box or on the manufacturer's website. Once your router is back up, make sure its firmware is the latest version. Again, refer to the documentation that came with your router to find out how to update it.

IMPORTANT. Never use the default username and password for administration. All routers of the same model ship with the same name and password, which makes it easy for an attacker to change settings or install malware.

Never use the Internet without a strong firewall; FTP servers, NAS servers and Plex servers are especially at risk. Never leave remote administration enabled. It can be convenient if you are often away from your network, but it is a potential vulnerability that any hacker can exploit. Always stay up to date: regularly check for new firmware and install it as updates are released.

Do I need to reset the settings of the router if my device is not in the list

The database of routers in the risk group is updated daily, so the router should be reset regularly. Also check for firmware updates on the manufacturer's website and follow its blog or social media posts.