FBI Tells Router Users To Reboot Now To Kill Malware Infecting 500,000 Devices (arstechnica.com)
The FBI is advising users of consumer-grade routers and network-attached storage devices to reboot them as soon as possible to counter Russian-engineered malware that has infected hundreds of thousands of devices. Ars Technica reports: Researchers from Cisco's Talos security team first disclosed the existence of the malware on Wednesday. The detailed report said the malware infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP, and TP-Link. Known as VPNFilter, the malware allowed attackers to collect communications, launch attacks on others, and permanently destroy the devices with a single command. The report said the malware was developed by hackers working for an advanced nation, possibly Russia, and advised users of affected router models to perform a factory reset, or at a minimum to reboot. Later in the day, The Daily Beast reported that VPNFilter was indeed developed by a Russian hacking group, one known by a variety of names, including Sofacy, Fancy Bear, APT 28, and Pawn Storm. The Daily Beast also said the FBI had seized an Internet domain VPNFilter used as a backup means to deliver later stages of the malware to devices that were already infected with the initial stage 1. The seizure meant that the primary and secondary means to deliver stages 2 and 3 had been dismantled, leaving only a third fallback, which relied on attackers sending special packets to each infected device.
The redundant mechanisms for delivering the later stages address a fundamental shortcoming in VPNFilter -- stages 2 and 3 can't survive a reboot, meaning they are wiped clean as soon as a device is restarted. Instead, only stage 1 remains. Presumably, once an infected device reboots, stage 1 will cause it to reach out to the recently seized ToKnowAll.com address. The FBI's advice to reboot small office and home office routers and NAS devices capitalizes on this limitation. In a statement published Friday, FBI officials suggested that users of all consumer-grade routers, not just those known to be vulnerable to VPNFilter, protect themselves. The Justice Department and U.S. Department of Homeland Security have also issued statements advising users to reboot their routers as soon as possible.
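The summary's point is that a reboot strips stages 2 and 3 and leaves stage 1, which then tries to call out to the seized ToKnowAll.com domain to fetch them again. That callback is the one observable a home or small-office defender gets: a device that still queries the domain after a reboot is a device that still carries stage 1 and should be factory-reset and re-flashed. The script below is an added example, not code from the article or from Talos; it scans dnsmasq-style DNS query log lines for lookups of indicator domains and reports which client did them. The log format and the sample lines are constructed for illustration, and the only indicator taken from the page is toknowall.com (the indicator set is a parameter so it can be extended from a vendor advisory).

```python
"""
Flag devices whose DNS lookups match VPNFilter stage-1 callback domains.

Added example (not from the article). Assumptions: a dnsmasq-style query
log ("query[A] name from client"), constructed sample lines, and an
indicator set containing only the domain named in the article.
"""
import re
from collections import defaultdict

# Indicator list: toknowall.com is the seized domain from the article.
# Extend from your own threat-intel source; compared case-insensitively.
VPNFILTER_STAGE1_DOMAINS = {"toknowall.com"}

# dnsmasq-style query lines, e.g.
#   "May 25 20:01:02 dnsmasq[123]: query[A] toknowall.com from 192.168.1.1"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

# Constructed sample log (not real traffic); 192.168.1.1 plays the router.
SAMPLE_LOG = """\
May 25 20:01:02 dnsmasq[123]: query[A] www.example.org from 192.168.1.20
May 25 20:01:05 dnsmasq[123]: query[A] ToKnowAll.com from 192.168.1.1
May 25 20:01:06 dnsmasq[123]: query[AAAA] toknowall.com. from 192.168.1.1
May 25 20:02:10 dnsmasq[123]: query[A] nas.local from 192.168.1.30
May 25 20:03:44 dnsmasq[123]: query[A] cdn.toknowall.com from 192.168.1.50
"""


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so FQDN forms compare equal."""
    return name.rstrip(".").lower()


def matches_indicator(name: str, indicators=VPNFILTER_STAGE1_DOMAINS) -> bool:
    """True if name is an indicator domain or a subdomain of one.

    Suffix matching is anchored on a dot so 'nottoknowall.com' is not a hit.
    """
    n = normalize(name)
    return any(n == d or n.endswith("." + d) for d in indicators)


def find_callbacks(log_text: str, indicators=VPNFILTER_STAGE1_DOMAINS):
    """
    Return {client_ip: [queried names]} for every client that looked up an
    indicator domain. After a reboot this lookup is exactly the stage-1
    behaviour the article describes, so each hit is a device to reset.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (cached replies, config lines, ...)
        if matches_indicator(m.group("name"), indicators):
            hits[m.group("client")].append(normalize(m.group("name")))
    return dict(hits)


if __name__ == "__main__":
    for client, names in sorted(find_callbacks(SAMPLE_LOG).items()):
        print(f"{client}: {len(names)} indicator lookup(s): {', '.join(names)}")
```

Run it against the real log of whatever resolver your LAN clients use (on many home networks that is the router itself, which is the one device you cannot trust to log its own callbacks, so a resolver on a separate host or the ISP-facing side is the better vantage point). A hit only proves stage 1 is present; a clean run does not prove its absence, since the article notes a third fallback that needs no DNS at all.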
reboot... and reflash with something like cur lede (Score:5, Interesting)
Re: reboot... and reflash with something like cur (Score:1)
Re: (Score:2)
Hopefully one day you will learn to recognize irony. Appreciating it may remain beyond you.
Re: (Score:2)
Reboot and reflash ...
I tested this statement on several of my followers who have questioned me regarding this matter.
You know what the reaction was.
Oblig. Admiral Ackbar... (Score:2)
... IT'S A TRAP!!!
Re: (Score:2)
Re: reboot... and reflash with something like cur (Score:1)
I'm not exactly up on all this Russia stuff but this article just screams, "Reboot your routers so our rootkit can finish installing". I doubt it has anything to do with Russia at all.
Update applied, reboot system to apply changes (Score:4, Interesting)
Translation: We have just installed our backdoor into consumer-grade routers and network-attached storage devices, but to apply the changes the devices need to be rebooted. Since we won't have the ability to reboot them ourselves until after the change is fully applied, we need a convincing reason to ask the whole country to reboot their routers. Russian hackers should suffice.
Re: Update applied, reboot system to apply changes (Score:1)
Nice theory. But pretty simple to reboot electronics.
Re: (Score:2)
As nice as it sounds, the compatibility of third-party routers is like Linux on mid-90s era laptops, and that's if your router isn't some integrated modem/router combo.
Personally I've never owned a device compatible with any 3rd party firmware.
Re: (Score:2)
Re: (Score:3)
To see who logs in and attempts to alter the command and control software side.
Until then the feds will keep looking at the results in real time.
Nice. (Score:3)
Now, if they actually listed which router/NAS models and firmware versions were problematic. Or how to diagnose if you were impacted...
If you have remote management turned on for your router or NAS, you should always expect special surprises.
Re: (Score:3)
Mikrotik patched this vulnerability (which is only a problem when remote management is enabled) 14 months ago.
Also, they continuously update their firmware, and that firmware is trivially easy to update.
Re:Nice. (Score:5, Informative)
I was thinking the same thing, so I went digging in the old (you know, that musty two-day old) slashdot thread. It wasn't straightforward to find it in there but there was a good comment with it. https://blog.talosintelligence.com/2018/05/VPNFilter.html [talosintelligence.com]. You can CTRL + F to "Known Affected Devices" and it has them listed. The original comment for aficionados. [slashdot.org]
Re: (Score:2)
> I was thinking the same thing, so I went digging in the old (you know, that musty two-day old) slashdot thread. It wasn't straightforward to find it in there but there was a good comment with it. https://blog.talosintelligence.com/2018/05/VPNFilter.html [talosintelligence.com]. You can CTRL + F to "Known Affected Devices" and it has them listed. The original comment for aficionados. [slashdot.org]
Thanks for that. Doing the work OP didn't bother to in the article
Re: (Score:2)
> Thanks for that. Doing the work OP didn't bother to in the article
I know this is Slashdot, and the style is to post based on the headline, but are y'all inconvenienced by making clicky clicky on the link?
What is posted here is a summary, just like it is supposed to summarize. The routers affected are listed in the link that the summary references.
Y'all can't be afraid to do the work you're supposed to do.
Also unknown affected devices (Score:2)
The listed devices are KNOWN to be affected.
Others are also affected, but haven't been tested and proven vulnerable. A reboot is probably a good idea for any router - won't hurt anything.
Re: Nice. (Score:2)
They are saying with high confidence that the list is incomplete.
Re: (Score:1)
Meh. (Score:2)
Re: (Score:3)
The default firmware probably reboots itself every week anyway.
my router is not on that list, but (Score:2)
Re: (Score:2)
No UPS?:P
Re: my router is not on that list, but (Score:2)
If it's that rural then use a mole plough. It's not 1000 times more expensive, and much better than long outages.
Re:my router is not on that list, but (Score:5, Funny)
> No UPS?:P
Attaching a UPS to the squirrels is tempting, but I fail to see how it solves the original problem.
Re: (Score:2)
LOL! I meant to your electronics.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Otherwise, I have two options: Jack and Sh*t, and Jack left town.
And PLEASE DON'T SUGGEST to change my ISP. My only other choice is Charter and they are no better.
My router was being weird (Score:2)
First time ever, my phone keeps disconnecting from the Wi-Fi this evening. So I yanked the plug to the router and modem, and it went back to normal.
Can't say it's related but I never saw these symptoms before.
Re: My router was being weird (Score:2, Funny)
No, that was me. I finally finished downloading all the porn I needed for the weekend.
Thanks for not changing your password, cupcake.
Re: (Score:3)
Great now everyone knows the password and the bandwidth is going to suck.
VPN (Score:5, Funny)
These days a VPN is pretty much required.
Now a rant -- Rebooting a router, are you serious? Give me a break. So now all requests are routed through an FBI server? I feel much safer now that I rebooted a stupid router. How about forcing a recall?
Posted Anonymously for a reason
Re: (Score:2)
Re: VPN (Score:1)
Best post ever. Hahahaha
Re: Turn everything off (Score:1)
All the people who have never learned how to read a road map would be lost in the cities for days.
Re: (Score:1)
The detailed Cisco break down (Score:2)
can be found here [talosintelligence.com]. It's linked to from the Ars Technica article, but for some reason not from the /. one.
Seems Odd (Score:3)
Re: (Score:2)
Isn't "rebooting" something you do after you INSTALL something for things to take effect?
Dude, that's some nice post hoc ergo propter hoc you got there.
Re: (Score:2)
Re: (Score:2)
>Isn't "rebooting" something you do after you INSTALL something for things to take effect?
You're right, and if you need a reboot, it's because the device needs to finish the installation of the software, this isn't something that "randomly" made it to your router.
So you're right to question that action.
And as someone else in this thread said: Update YOUR FIRMWARE NOW!
Quick! (Score:2)
Now everybody panic immediately and do as we tell you!
Joke's on them (Score:2)
I already have to reboot my Linksys router all the time because it's so flaky. Guess Cisco is on the job of protecting me after all!
My ISP Is Helping Solve The Problem (Score:2)
Due to service glitches multiple times a week, during which we power cycle the whole chain of devices from cable modem, to router, to switch, to wi-fi just to make sure everything connects correctly again, we are following the FBI's recommendation. Cheers for Spectrum!