According to the FBI and CISCO Talos Group, the malware affects certain routers in stages.
This software installs itself in multiple stages:
- Stage 1 involves a worm which adds code to the device’s crontab (the list of tasks run at regular intervals by the cron scheduler on Linux). This allows it to remain on the device after a reboot, and to re-infect it with the subsequent stages if they are removed. Stage 1 uses known URLs to find and install Stage 2 malware. If those known URLs are disabled, Stage 1 sets up a socket listener on the device and waits to be contacted by command and control systems.
- Stage 2 is the body of the malware, including the basic code that carries out all normal functions and executes any instructions requested by special, optional Stage 3 modules.
- Stage 3 can be any of various “modules” that tell the malware to do specific things, like spying on industrial control devices (Modbus SCADA) or using anonymity network Tor protocol to communicate over encrypted traffic channels.
My issue was that the FBI sank those sites that the WORM relied on, so the signal kept sending requests to download to them with no answer. This eventually made my network useless on the 2.4GHz radio band.
Normally a router factory reset would get rid of Stage 2 and Stage 3, however, since it initially embeds itself into the firmware on Stage 1, there is no way to fully get rid of it. From my own experience, the VPNFilter WORM will attach itself to the crontrab (the router’s listen socket on/off schedular) and randomly set a scheduled listening time each time you do a factory reset.
Below is the Wikipedia article and a list of devicese affected by a vulnerability that allows the VPNFilter WORM to install itself.
Mikrotik RouterOS versions up to 6.38.5 on current or 6.37.5 on bug-fix release chains.
Other QNAP NAS devices running QTS software
Unknown Models [nb 1]
VPNFilter is described by Cisco Talos as having infected as many as 500,000 devices worldwide, in perhaps 54 different countries, though proportionately the focus has been on Ukraine.
That being said, I strongly urge that people upgrade to a new device, or replace their current router, with one that is not listed above.]]>