FBI Knocks Out VPNFilter Malware That Infected 500K Routers

It's been a busy few days for a sophisticated piece of botnet malware dubbed VPNFilter.

First, the Secret Service of Ukraine issued a warning about a botnet that had taken over 500,000 routers and Network Attached Storage (NAS) devices, infecting them with some of the most sophisticated malware ever seen used in a botnet.

Then, Cisco Talos and Symantecissued a descriptive warning about the situation and the malware which two firms called VPNFilter. The botnet was seen growing, and exhibited curious behavior in that it seemed to be seeking Ukrainian hosts -- even though Talos found that it spread to 54 countries.

Finally, in a surprise move late May 23, journalist Kevin Paulson tweeted that the FBI had seized control of the ability of the malware to regenerate itself after a reboot was performed on the host. The feds were able to do this when a court gave it control of one of the domains that was used as an hard-coded emergency backup control server by the malware.

A diagram of the VPNFilter botnet malware in action
\r\n(Source: Cisco Talos)\r\n

This allowed them to stop the Stage 2 and Stage 3 downloads from staring.

VPNFilter is a three-stage attack that allows persistence of infection by a first stage that reloads the malware after a reboot which normally will erase the malware. This is an extremely sophisticated technique that has only been seen once before in botnet malware.

The second stage has the main payload. This allows for file collection, command execution, data exfiltration, and device management. Worryingly, there is a destructive capability that can effectively "brick" the device if it receives a command from the attackers. It does this by overwriting a section of the device's firmware and then rebooting, which makes it unusable.

Stage 3 consists of plugins that work with the second stage.

There is another seemingly unique capability -- a packet sniffer for spying on traffic that is routed through the device. The sniffer can carry out the theft of website credentials, as well as the monitoring of Modbus SCADA protocols. There may be other modules for Stage 3 that have haven't been seen yet.

That Supervisory Control and Data Acquisition (SCADA) monitoring is the giveaway as to what this malware is all about. These modules are the gateways to the infrastructure of a country. The ability to cause these gateways to fail without recovery -- not to mention the routers the malware is hosted on -- would be devastating.

The sophistication and targeting of the malware makes it all but inevitable that a nation-state has created it. The recent Ukranian targeting, as well as the setup of a C&C server just for Ukranian sites, makes it probable that Russia is the originator. This follows previous attempts Russia made against Ukraine's infrastructure, according to the US Department of Homeland Security.

If a user finds the malware, Cisco found that rebooting will wipe Stage 2 and 3 but not Stage 1. Stage 1 can then reload Stages 2 and 3.

Stage 1 removal may require a hardware reset on the device which can also remove any stored configuration settings.

However, with the FBI taking control of the Stage 1 reload process, the back of the botnet has been broken. The threat to the Ukrainian infrastructure has been reduced greatly, unless Russia gets a second version out the door in short order. Even with the interdiction by the FBI, users need to remove all traces of the malware to be reasonably assured of safety from the current threat.

Symantec found the malware on the following devices:

Netgear is also advising customers that -- in addition to applying the latest firmware updates and the always useful changing of default passwords -- they should ensure that remote management is turned off on their router. Remote management should be turned off by default and can only be turned on using the router's advanced settings.

This is state cyberwar, brought to the user level. Even though this particular skirmish seems to have been won by the "GoodGuys," simply having a commodity device like a router can make one a participant in it. Perhaps this will make those who think security is for someone else realize that if you aren't part of the solution -- you are definitely part of the problem.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.