XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)

All times are UTC - 8 hours




PostPosted: Wed Jun 06, 2018 3:54 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6261
Location: NYC
For a list of affected devices, including some Asus models, scroll to near the bottom of the page.

https://blog.talosintelligence.com/2018 ... pdate.html

The FBI recommendation was to simply reboot the router. Not sure if this is still true.

https://www.zdnet.com/article/fbi-to-al ... r-malware/


Last edited by WZZZ on Wed Jun 06, 2018 5:21 pm, edited 1 time in total.

PostPosted: Wed Jun 06, 2018 5:21 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 15129
Thanks W! :)


PostPosted: Wed Jun 06, 2018 6:10 pm 
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9897
Location: North of the State of Jefferson
Rebooting won't, by itself, solve the problem. Whatever allowed the infection to occur in the first place, a vulnerability, default password, remote administration access (please disable this!), etc., is still present. The device may not be able to reconnect by itself to a command-and-control server, but external requests could reconnect to it.

At a minimum install clean firmware immediately after rebooting. That's also no guarantee, but a good start.

Better yet, throw the thing out. Home-grade routers are, historically speaking, security Swiss cheese. In its place get a late model Apple Airport (no longer manufactured, but surprisingly secure over the time they were sold) or better yet get something running pfSense or a Linux distribution set up for routing. It will get updated, won't have artificial limitations, will have more features, will probably be faster and better built, and crucially it will have a very good likelihood of being secure.

- Anonymous


PostPosted: Wed Jun 06, 2018 6:27 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10131
Location: Caught between the moon and NYC
The original VPNFilter post is here:
https://blog.talosintelligence.com/2018 ... ilter.html

Rebooting the system will dislodge the currently installed malware, but the initial infection will still be present and will still attempt to re-download the payload. I would guess the FBI had dislodged some of the command and control infrastructure, but ideally one will need to reset & re-flash the router's firmware from a known good source to fully expunge it. It's possible that they are exploiting space on another part of the flash, which is partitioned into separate areas, so reflashing the firmware side may not affect the other partitions.

ASUS has published updated firmwares for most models over the past week to fix three CVEs that weren't published at the time the firmwares were released. This includes the N12, which was released a little after midnight yesterday (though who knows in what timezone).

Until relevant technical details are published and someone with a lot more technical ability than myself goes through them, we have no way of knowing if Tomato is affected by this or not. The upside is that the OEM firmwares regularly include horrifically outdated components, because updated components aren't a bullet point on marketing's list of features they need before release, so Tomato could very well be more updated than the affected firmwares. The downside is Shibby & Toastman are mostly MIA - I believe Toastman disappeared, but Shibby periodically commits code to the repository and little else. There is a FreshTomato release by two new devs, though I haven't experimented with it yet.

Interestingly enough, last night I went through getting my AC68 at home ready for the latest ASUS firmwares, which have a nasty tendency to muck up the router if it detects you've flashed a T-Mobile AC1900 to an AC68. That's part of why the partitioning is fresh in my mind.

Edit: Aha, yes, the FBI did at least partially disrupt the stage 2 network:
https://arstechnica.com/information-tec ... r-routers/


PostPosted: Thu Jun 07, 2018 1:32 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6261
Location: NYC
MB, please let me know if you hear anything definitive about Tomato being vulnerable to VPNFilter or not.

>>...Router owners should always change default passwords and, whenever feasible, disable remote administration. For extra security, people can always run routers behind a proper security firewall. Williams said he has seen no evidence VPNFilter has infected devices running Tomato, Merlin WRT, and DD-WRT firmware, but that he can't rule out that possibility.
https://arstechnica.com/information-tec ... e-thought/


PostPosted: Thu Jun 07, 2018 5:42 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10131
Location: Caught between the moon and NYC
Yeah, if your router is running busybox and it contains a MIPS CPU then it's possible VPNFilter will attack it. Ubiquiti Edgerouter (and UniFi) equipment is MIPS based but it runs on an odd OS I've never seen before (and haven't gotten the hang of configuring by hand yet).

Crud, I just realized I meant to check and see if an update was available for the couple of Netgear pieces I have at home. I don't think it's MIPS based, but OEM stuff is inscrutable since you never have terminal access to it. I might ditch it now that they got AiMesh working on AC1900s again.


PostPosted: Fri Jun 08, 2018 6:17 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6261
Location: NYC
"busybox, MIPS CPU" -- huh? How related to Asus N-12 running Tomato and vulnerability to VPNFilter? Please explain.


PostPosted: Fri Jun 08, 2018 12:25 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10131
Location: Caught between the moon and NYC
Tomato runs on a Linux-like OS called busybox. The CPU inside an RT-N12D1 is a MIPS CPU Revision 2 (MIPSR2). VPNFilter targets (a subset of) routers running on MIPS CPUs that are running busybox.
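The MIPS/busybox criterion above is something an owner can check for themselves if they have a firmware image or shell access: the busybox binary is an ELF file, and its header records the target CPU. The script below is an added example, not something posted in this thread or shipped with Tomato; it parses the ELF identification block and e_machine field to report architecture, word size and endianness, which is what a defender needs to decide whether a device even falls in the class VPNFilter's stage 1 was built for. The sample headers at the bottom are constructed for the example, and the machine-type constants are the standard ELF values. Note that the "Release 2" part of MIPSR2 lives in e_flags, which this check does not decode.

```python
"""Report the CPU architecture an ELF binary (e.g. a router's busybox) targets.

Added example, not code from the forum thread or the Tomato project.
The sample headers below are constructed for demonstration.
"""
import struct

# e_machine values from the ELF specification (EM_* constants)
ELF_MACHINES = {
    0x03: "x86",
    0x08: "MIPS",
    0x28: "ARM",
    0x3E: "x86-64",
    0xB7: "AArch64",
}
EM_MIPS = 0x08


def identify_elf(data: bytes) -> dict:
    """Parse e_ident and e_machine from the first 20 bytes of an ELF file.

    Returns word size, endianness, machine name and whether the target is
    MIPS.  Raises ValueError for anything that is not a plausible ELF header.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]   # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid ELF identification bytes")
    # e_machine is stored in the file's own byte order, so pick the
    # struct endianness from EI_DATA before decoding it.
    endian = "<" if ei_data == 1 else ">"
    # e_type (2 bytes) and e_machine (2 bytes) follow the 16-byte e_ident
    _e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:x})"),
        "is_mips": e_machine == EM_MIPS,
    }


def build_sample_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Construct a minimal 20-byte ELF header (constructed test data)."""
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    endian = "<" if ei_data == 1 else ">"
    return ident + struct.pack(endian + "HH", 2, e_machine)  # ET_EXEC


# Constructed samples: a typical router busybox (32-bit big-endian MIPS)
# and a desktop binary (64-bit little-endian x86-64) for contrast.
SAMPLE_MIPS_BE = build_sample_header(1, 2, EM_MIPS)
SAMPLE_X86_64 = build_sample_header(2, 1, 0x3E)

if __name__ == "__main__":
    import sys
    # Usage: python elf_arch.py /path/to/busybox  (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(64)
    else:
        data = SAMPLE_MIPS_BE
    print(identify_elf(data))
```

On a device with shell access, pointing the script at `/bin/busybox` (or at the busybox binary extracted from a firmware image) answers the "is it MIPS" half of the question; the busybox half is answered by the file existing at all.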


PostPosted: Fri Jun 08, 2018 1:20 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6261
Location: NYC
Got it, thanks. Not using default login pword, no remote access. So don't think I'm going to start futzing with a reset and Tomato reinstall. No time for that now anyway. Btw, probably doesn't mean that much but that link I gave to start off this thread showing updated list of affected routers doesn't mention the N-12, just the N-10.


PostPosted: Fri Jun 08, 2018 1:59 pm 
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9897
Location: North of the State of Jefferson
It will be very helpful to hear how these devices are being attacked. If anyone other than the attackers knows, I haven't heard it yet. At some point we'll probably find out. Until then, it's very hard to respond or protect a device.

Maybe you could put your router behind a router. Of course, that router will need to be protected, so drop in another router. It's routers all the way down.

- Anonymous


PostPosted: Fri Jun 08, 2018 2:52 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 10131
Location: Caught between the moon and NYC
I noticed that but depending on the N10 there can be little to no difference to an N12. The biggest difference may be that the N12 is still being sold while the N10 is not, as a result the firmware for the N10 is older - the N10 I have (turned off and sitting on a shelf) was last updated in January, while the N12 was last updated a couple days ago.

I did find it ironic for people to suggest people put a bridge-mode firewall in-line with the WAN port. Which very well could also use a MIPS CPU and be based on busybox...


PostPosted: Fri Jun 08, 2018 3:54 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6261
Location: NYC
Quote:
It's routers all the way down.

:lol:

