
VPNFilter malware infecting 500K devices is worse than was thought - joewee
https://arstechnica.com/information-technology/2018/06/vpnfilter-malware-infecting-50000-devices-is-worse-than-we-thought/#p3
======
Scoundreller
> To accommodate for this limitation, stage 1 relies on a sophisticated
> mechanism to locate servers where stage 2 and stage 3 payloads were
> available. The primary method involved downloading images stored on
> Photobucket.com and extracting an IP address from six integer values used
> for GPS latitude and longitude stored in the EXIF field of the image. When
> Photobucket removed those images, VPNFilter used a backup method that relied
> on a server located at ToKnowAll.com.

That sounds as sophisticated as a drug dealer calling their pills “beans” or
“almonds”. Like, it’s intelligent, but it’s just 1 step removed from just
coding in the IP directly.

~~~
ggm
In this space (journalism) any previously unknown (by the journalist) method
of obfuscation is, almost by definition "sophisticated"

Personally, I'd have said "clever" and "probably indicative of a trend, which
is going to continue" and "don't assume wiping EXIF headers stops this,
because a bunch of meta data is out there in ways you don't yet understand"

hiding things in meta data, is why IP over ICMP works.

------
Scoundreller
In the paytv hacking world, users would install a switch on the EEPROM’s
WriteEnable line.

That way, destructive updates could be blocked for as long as possible. Or
save you from having to re-flash your receiver through desoldering a TSOP.

Perhaps we need the same thing on routers.

Or a group to run a “honeypot” of routers with a sensor on this EEPROM pin to
identify when unauthorized updates have been installed and need investigation.

This won’t work for non-persistent hacks. But for anything that wants to last
longer than a reboot...

~~~
oakwhiz
A switch wouldn't work on a serial EEPROM or serial Flash chip, you'd need a
microcontroller-in-the-middle that proxies or virtualizes the EEPROM and
ignores writes. This sort of thing would also break partitioned storage, where
persistent state and the system image are located on different partitions
within the same Flash chip.

~~~
Scoundreller
I do recall 24 series 8-pin serial EEPROMs having a write enable line as well
that could be locked via a switch.

Looking quickly on a random manuacturer’s 93 series, I don’t see such a line,
BUT, programming operations are blocked when the voltage is below a certain
level. A couple diodes on the Voltage line could be put in séries (via switch)
to prevent writes unless desired.

Of course, if writes are required at some level for normal operation, your
chip firewall strategy works much better.

The paytv providers actually implemented a flash writeability check (without
trIggerinf a write) upon bootup. One of my ideas was to emulate the 24-series
eeprom entirely. For the bigger “TSOP” chips, someone devised a high-speed
logic gate that was fast enough to allow the check to pass, but still prevent
actual writes.

~~~
Scoundreller
And oh ya, a JTAG interface could provide interesting real-time analysis of
what’s going on.

------
burritoaddict
The most concerning aspect of this is the lack of details surrounding the
initial attack vector and the fact that the IoC list is effectively useless to
anyone downstream of these devices which sit at the perimeter of your network.

Anyone else having fun with the minor panic attacks incited by slow page-
loads?

~~~
Scoundreller
My speculation is that the attack vector was only in stream for a short period
of time...

So unless you were capturing incoming packets at that time, we may not know.

------
srcmap
In this URL,
[https://blog.talosintelligence.com/2018/05/VPNFilter.html?m=...](https://blog.talosintelligence.com/2018/05/VPNFilter.html?m=1)

it mentions snort rules for detection and protection for VPNFilter and ClamAV
Signatures.

But it didn't explain how to use them.

The way I understand SNORT after googling it, I need to able captures the
traffic (wan port) and feed that to SNORT for analysis, is that correct?

Also for ClamAV, do I need to clone/mount the rootfs from the wifi router to
Linux and use ClamAV to scan that rootfs for those signatures?

The URL mentions the infested device have /var/run/vpnfilterm,
/var/run/vpnfilterw. I checked they are not in my wifi router's fs.

The URL also mentions it modified/insert entry the crontab, but I can't find
what exe name, possible file locations I should search in my router. Do anyone
else know such info?

------
joewee
The details on this are very vague. No one knows or is sharing the initial
attack vector. It could be a browser spear phishing attack that then attempts
to use known default passwords for these routers and uploads a custom firmware
image or backdoor script. The only thing that I don't get is why rebooting
resolves the issue. This can't be accurate, if the compromise was via a user,
its only a temporary resolution, and if the backdoor is as sophisticated as
they say, it should definitely have persistence that last beyond reboot.

~~~
eightysixfour
Rebooting removes later stages, the first stage is persistent but one of the
AV companies took down the domain that the later stages are retrieved from,
effectively cutting it off from those stages.

~~~
joewee
Thanks for the clarification!

------
cmurf
How about routers (and IoT devices for that matter) that have a ROM image,
with a user intitiated ability to actually obliterate the entire contents of
NVRAM and flash? i.e. the firmware (which is made up of various parts,
multiple stage bootloader, kernel, initrd, root, NVRAM, maybe proprietary
radio firmware and/or baseband files) would be wiped out. The ROM would have a
very limited ability to "phone home" only via wired connection, and get an
updated firmware payload.

Obviously the idea is to make sure the image in ROM is simple enough that it's
really damn unlikely that it can be attacked, or attacked before the correct
and intended firmware is downloaded and installed.

~~~
teilo
Sorry to sound like a broken record on this post, but Mikrotik does this.
Everything can be flashed. Bootloader and OS. You can even get into a bricked
unit via MAC address and their Netinstall utility, and wipe the whole thing
with a clean image.

------
lubujackson
Dumb question about this malware... with so many infected routers, why was
this not noticed sooner? Just monitoring incoming/outgoing data should reveal
that the routers are "calling home" at some point, yes?

~~~
joewee
No one was looking? It looks like the deployment was fairly sophisticated,
these typically use things like twitter, instagram to send commands to
compromised devices. These tend to only be discovered when they are used to
attack a target or when someone happens upon a C&C machine.

------
stealthmodeclan
Any startup writing router firmware in Rust?

~~~
zxcvhjkl
ARM/MIPS are Tier 2 platforms for Rust: [https://forge.rust-lang.org/platform-
support.html](https://forge.rust-lang.org/platform-support.html)

------
oprah2018
Any suggestions for a good router that is immune from this nonsense?

~~~
Scoundreller
As in another post, I’d suggest buying any router, taking it apart,
identifying the flash chip, find the write-enable line in the data-sheet and
MITM that line with a flip switch to block updates at all times.

~~~
rorosaurus
That's actually a really good idea! I would love to see this built-in to
future router models after something widespread like this. It's fairly
reasonable to force users to be physically present to update. Plus, you could
force them to flip the switch back by not working until the write-enable line
is disconnected again.

~~~
Johnny555
It could have the unintended side effect of making people even _less_ likely
to upgrade firmware.

------
Scoundreller
Can we assume that dd-wrt and tomato are safe(r) from this?

~~~
q3k
I wouldn't trust DD-WRT with security further than I can throw it [1] [2].
Please migrate to OpenWRT or something else that's modern and maintained by
more than one person.

[1] [https://github.com/mirror/dd-
wrt/blob/master/src/router/http...](https://github.com/mirror/dd-
wrt/blob/master/src/router/httpd/httpd.c)

[2] [https://github.com/mirror/dd-
wrt/blob/master/src/router/http...](https://github.com/mirror/dd-
wrt/blob/master/src/router/httpd/modules/base.c)

~~~
Scoundreller
Noted. Weekend project!!!

You just reminded me that some of the more obscure dd-wrt bins (for not so
popular routers) and might be dangerous stuff.

~~~
q3k
Fuzzing it should be cool and fruitful. Have fun :).

