VPNFilter Malware


No news. See Cisco Talos for info, e.g. "device destruction module" for files and processes that suggest a compromised device, for some models.

It's an ongoing exploit, not a single malware program or a specific bug. We don't know what security holes have been or will be exploited.

We don't know how to secure routers from this firmware, how to clean the malware off routers, nor whether that would even help.

See https://routersecurity.org/index.php about router security, configuration for security, and a business class device that might be more secure.
 
Hello Jerry12, thanks for your reply. I also found this online tool that checks if the router has been compromised by a specific component used by VPNFilter, known as the ssler plugin.
http://www.symantec.com/filtercheck/

I'm very disappointed with Asus: the RT-AC66U is still on the market and Asus has not released an update for this bug....
 
I'm very disappointed with Asus: the RT-AC66U is still on the market and Asus has not released an update for this bug....
That might be because the current firmware isn't vulnerable to it; all the reported infections are on old models (presumably running old firmware). But at the moment that's just speculation because nobody has said how this infection has happened.
 
Latest from TrendMicro (7/13) - keep in mind this is a blended threat for many.

https://blog.trendmicro.com/trendla...evices-still-riddled-with-19-vulnerabilities/
Interesting... I'm not too sure what to make of this. The majority of the article (and link pages) doesn't present anything that we didn't already know (from an Asus perspective).

The only part that is new is Table 2 (19 vulnerability detections on VPNFilter-affected devices) and this phrase "19 known vulnerabilities, not only taken advantage of by VPNFilter but other malware as well".

Without further explanation they appear to have looked at the routers that have been infected with VPNFilter, then scanned said routers for known exploits, and concluded that the infection must have been from these exploits. That's a big assumption and smacks of correlation rather than causation. Especially when they're citing CVE-2017-8877 which AFAIK isn't exploitable. :confused:
 
That's a big assumption and smacks of correlation rather than causation. Especially when they're citing CVE-2017-8877 which AFAIK isn't exploitable. :confused:

This is just marketing stuff. See this key phrase that struck me:

IoT Smart Checker can identify other publicly known vulnerabilities targeting the devices as listed below:

So basically, this is marketing for their IoT Smart Checker to identify OTHER publicly known vulnerabilities... They're not saying these vulnerabilities were targeted by VPNFilter. As you noted, that particular CVE for instance is an information leak, and is in no way exploitable at a software level.
 
This is just marketing stuff.
Thanks Merlin. That was my initial take on it as well. The only reason I thought there might be more to it was the phrase "taken advantage of by VPNFilter", which implies that they know how VPNFilter compromises routers. They appear to be stretching the truth there. :rolleyes:
 
I’m assuming you’re talking about John’s fork. You could have it installed in about the same time you typed up this comment. Reading the first post for that fork would give you an idea what it does and does not include. Yea, there are easier choices than “throw my router away”.

Yes, I could have it installed in the time it took to type the comment. I couldn't, however, answer any of my questions in remotely as little time. I know that, because I already attempted to do so. A brief list of bullet points in a forum post doesn't tell me which of the lesser-used features I might personally rely upon might no longer be available or work for my usage. Which is why I took the time to make a perfectly valid post making a perfectly reasonable query.

Next time, instead of wasting time acting high and mighty, could you maybe try reading and comprehending the question you're answering? Or alternatively, not wasting our time with your smug superiority?
 