Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Patch Lady – reboot your routers

    Posted on Susan Bradley Comment on the AskWoody Lounge

    Home Forums AskWoody blog Patch Lady – reboot your routers

    This topic contains 122 replies, has 34 voices, and was last updated by  Mr. Natural 4 days, 1 hour ago.

    • Author
      Posts
    • #194666 Reply

      Susan Bradley
      AskWoody MVP

      Just spotted this on the FBI site – https://www.ic3.gov/media/2018/180525.aspx The FBI seized the domain that was holding over 500,000 home routers th
      [See the full post at: Patch Lady – reboot your routers]

      Susan Bradley Patch Lady

      13 users thanked author for this post.
    • #194671 Reply

      Kirsty
      AskWoody MVP

      There has been a lot of commentary on this in the last few days…

      FBI tells router users to reboot now to kill malware infecting 500k devices

      Feds take aim at potent VPNFilter malware allegedly unleashed by Russia.
      Dan Goodin – 5/26/2018

      Authorities and researchers still don’t know for certain how compromised devices are initially infected. They suspect the attackers exploited known vulnerabilities and default passwords that end users had yet to patch or change. That uncertainty is likely driving the advice in the FBI statement that all router and NAS users reboot, rather than only users of the 14 models known to be affected by VPNFilter, which are…

      The advice to reboot, update, change default passwords, and disable remote administration is sound and in most cases requires no more than 15 minutes. Of course, a more effective measure is to follow the advice Cisco gave Wednesday to users of affected devices and perform a factory reset, which will permanently remove all of the malware, including stage 1. This generally involves using a paper clip or thumb tack to hold down a button on the back of the device for 5 seconds. The reset will remove any configuration settings stored on the device, so users will have to restore those settings once the device initially reboots. (It’s never a bad idea to disable UPnP when practical, but that protection appears to have no effect on VPNFilter.)

      Read the full article here (related tweet too)

       
      and from talosintelligence.com:
      New VPNFilter malware targets at least 500K networking devices worldwide
      May 23, 2018

      Due to the potential for destructive action by the threat actor, we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat.

      Read the full article here

    • #194682 Reply

      Noel Carboni
      AskWoody MVP

      It would be nice if someone would come up with a legitimate way to actually CHECK to see if the malware is running on one’s router.

      -Noel

      10 users thanked author for this post.
      • #194683 Reply

        Kirsty
        AskWoody MVP

        From Dan Goodin:

        There’s no easy way to know if a router has been infected by VPNFilter.

        From talosintelligence.com:

        Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues.

        (from the links above)

        8 users thanked author for this post.
        • #194707 Reply

          Noel Carboni
          AskWoody MVP

          So a security firm can tell us half a million routers are infected, but there is no easy way to tell if one is infected?

          And did anyone notice the cute little marketing graphic (with the catapult in it) in one or another of those articles for this particular malware?

          I respect that investigators may not know everything about this yet, and of course there is a need for them to keep things close to the vest while investigating, but is it just me who thinks that the things we’re being told may be at least in part being put out there just to make us react or to prepare us to buy something in the future?

          By the way, this article lists particular models affected:

          https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

          -Noel

          12 users thanked author for this post.
          • #194718 Reply

            DrBonzo
            AskWoody Lounger

            The Symantec link in Noel’s post above says that Symantec and Norton products detect the malware as Linux.VPNFilter. Does this mean that their antivirus software can tell if your router is infected? If so, that seems odd to me, although it would be nice if, for example, Windows Defender or Microsoft Security Essentials can detect an infected router.

            • #194725 Reply

              Microfix
              AskWoody MVP

              No AV that I know of, can detect if the router is compromised, only what gets through to the your PC will it then be picked up by the up-to-date Antivirus (in that case; Linux.VPNFilter).

              AV’s are mainly for Windows based devices to protect from crud getting in/ propegating and going out. Most routers are linux/unix based with an HTML interface which makes this strain rather uncomfortable with no means of avoidance as yet.. Noel is spot on asking whether there is some sort of check for this.

              [rant on] This should be monitored and stopped at ISP level, before it even hits our routers, easy money for old rope with ISP’s [rant off]

              | 2x Group A W8.1 | Group A+ Linux Hybrid | Group A W7 | Group W XP Pro |
                No problem can be solved from the same level of consciousness that created IT - AE
              4 users thanked author for this post.
            • #194874 Reply

              anonymous

              Yeah, no.  My ISP should not be capable of determining whether or not I’m infected by a virus.  I’d rather not have my them filtering and logging my traffic.

          • #194735 Reply

            Ed
            AskWoody Lounger

            Sweet… glad I decided to go with a D-Link last year after I finally got fed up with constantly having to reset a two year old Linksys!

            1 user thanked author for this post.
          • #194833 Reply

            Kirsty
            AskWoody MVP

            By the way, this article lists particular models affected:

            The confirmed affected models are fully listed in Dan Goodin’s article, linked above
            🙂

            2 users thanked author for this post.
          • #194871 Reply

            MrJimPhelps
            AskWoody MVP

            My router is in the Symantec list. However, I did a firmware update about two months ago, rebooting it at that time. Hopefully that will be sufficient.

            Group "L" (Linux Mint)
            with Windows 8.1 running in a VM
          • #194878 Reply

            anonymous

            Noel: The security firm can tell us 500k devices are infected as those are the ones they’ve seen phone home to ToKnowAll.com. I suspect the FBI is requesting users to reboot their routers in order to better determine how many devices are infected.  If it runs a command and control system, then they may also have a deactivation code that the virus will run when it calls home.

            There’s no sane way of determining whether or not a router has been compromised.  It looks like “Stage 1” is stored in firmware, so if you wanted you could download the firmware and analyze it.  Routers are designed to minimize their attack surface by default; the amount of services they run is generally limited.

          • #195038 Reply

            Mr. Natural
            AskWoody Lounger

            It was Cisco Talos that first reported the issue. Talos is a worldwide security center in the cloud owned by Cisco. As many know the far majority of routers worldwide are made by Cisco. I’m not here to promote Cisco. Most of my experience has been with Sonicwall and only started working with Cisco in the past several years.

            Any packet of information that passes through a Cisco router also is routed through the Talos security center. I attended a Talos seminar over a year ago and learned how it works. They are color coding packets and packets are routed according to their color status. So things like known bad packets are automatically directed to the appropriate container or location. Everything is routed according to color. They can determine where a threat originated and shut down the entire chain. I guess they have to follow legal channels which is why these things don’t get shut down right away.

            I was impressed and soon after that I start hearing about other organizations going in this direction. I can’t say about the color coding thing, that may be exclusive to Cisco. But Microsoft’s new Defender on Windows 10 Enterprise now has a similar approach with a command and control center. The full featured product only works on the Enterprise version but I’ll bet Microsoft is collecting information from any computer using Defender.

            The anti virus we use now works like this as well.

            You can view worldwide threats and security reports that seem to come out every day at Talos. Check it out. Warning, it may be depressing to see how bad it is out there on the internet(s).  🙂

            https://talosintelligence.com/

            2 users thanked author for this post.
    • #194692 Reply

      Microfix
      AskWoody MVP

      Brief technical breakdown:

      The VPNFilter malware is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations.

      The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device.

      My bolding within quote from https://blog.talosintelligence.com/2018/05/VPNFilter.html

      Looks to me like a reboot is not suffice to erradicate this strain. Perhaps a router hard reset is required with manual/ automagic ISP reconfiguration?

      ..recommends any owner of small office and home office routers power cycle (reboot) the devices.

      Quoted from here with my bolding: https://www.ic3.gov/media/2018/180525.aspx

      I’m skeptical of their solutions given the stages involved..surely the router NEEDS a hard reset..

      Thoughts on this?

      | 2x Group A W8.1 | Group A+ Linux Hybrid | Group A W7 | Group W XP Pro |
        No problem can be solved from the same level of consciousness that created IT - AE
      3 users thanked author for this post.
      • #194693 Reply

        satrow
        AskWoody MVP

        Yes, sounds like a full hard reset (or a re-flash) is required but, as Noel suggests above, we also need a method to check for infection.

        7 users thanked author for this post.
        • #194704 Reply

          Ascaris
          AskWoody MVP

          It may be that flashing the same image that’s already installed (if there is no new one available) will overwrite the malware, if the router in question is infected.

          My router, like so much of my gear, is old but still kicking… it dates back to about the same time as my beloved Core 2 Duo laptop, which is to say about 2008.  It’s a Netgear WNDR3700, in the original v1 hardware revision, and it hasn’t had an update from Netgear in many years (thinking the latest was 2010).  Fortunately, it is a popular model of router, so there are drop-in firmwares from DD-WRT, Gargoyle/OpenWRT, and maybe more.

          I use DD-WRT personally… it gives me a lot of options I never had in the original firmware, and it is still being patched for vulnerabilities as they are discovered.  These alternative firmware images are available for a lot of popular routers, so if your vendor has abandoned you as Netgear did with mine, you may still have that as an option.

          4 users thanked author for this post.
          • #194734 Reply

            MW
            AskWoody Lounger

            I’m have the same thing going.  My Netgear dates back to 2007ish. It’s a WGR614 also running the original firmware it came with.

            It’s currently not on the list.  Probably too old to be bothered with.

            Using W7, W8.1, Mint-Cinnamon, Mac El Capitan and Mac Sierra

          • #195081 Reply

            cesmart4125
            AskWoody Lounger

            What is DD-WRT?  Thanks.

            • #195101 Reply

              jelson
              AskWoody Lounger

              What is DD-WRT? Thanks.

              There is a  DD-WRT homepage you can check out. But a recent Lifehacker article, The 7 Best DD-WRT Routers to Buy in 2018, answered your question well:

              With DD-WRT firmware installed on a router, you have access to a variety of features such as the ability to prioritize connections, maximize quality-of-service over the network, as well as the ability to use hardware not connected to your network. Ultimately, DD-WRT-compatible routers are all about giving you more control, power and flexibility.

            • #195270 Reply

              NightOwl
              AskWoody MVP

              @ jelson

              But a recent Lifehacker article, The 7 Best DD-WRT Routers to Buy in 2018,

              I did a Google Search for the link to the article you mentioned by name–it came back as being a *Lifewire* article–here’s the link:

              The 7 Best DD-WRT Routers to Buy in 2018

              NightOwl

              No question is stupid ... but, possibly the answers are 😉 !

      • #194881 Reply

        anonymous

        They’re asking for the reset so they can track “phone home” traffic to better determine the amount of infections.  Like other black site seizures, if the virus follows a command and control architecture (which it looks like it does) then the FBI may be sending an idle or sleep command to the device after it calls in.

        To fully remove it will require flashing the unit/a hard reset.  Also it’s best to install the latest firmware you can, or maybe look at installing DD-WRT/Tomato if you’re tech-inclined.  The issue may be a firmware vulnerability, but more likely it wasn’t and users didn’t change default passwords.

        2 users thanked author for this post.
    • #194709 Reply

      Sam
      AskWoody Lounger

      So I am a little confused. If I unplug my router and then plug it back in will this take care of the problem and reboot my router

      • #194713 Reply

        Microfix
        AskWoody MVP

        I’d hang fire until more info regarding the issue is released. Personnally I don’t think a router reboot will fix the problem, if the router is compromised. Read my concerns in the post above (my bolding)

        | 2x Group A W8.1 | Group A+ Linux Hybrid | Group A W7 | Group W XP Pro |
          No problem can be solved from the same level of consciousness that created IT - AE
        2 users thanked author for this post.
        • #194731 Reply

          Noel Carboni
          AskWoody MVP

          I suspect, from the tenor of the FBI advisory, that a freshly rebooted router may send out a query to the web site that they have seized, so that they can then take further action including, I don’t know, maybe actually contacting you – presuming they can derive your name/address from your IP address.

          That’s just a Scientific Wild A** Guess.

          -Noel

          4 users thanked author for this post.
          • #194772 Reply

            Peacelady
            AskWoody Lounger

            I suspect, from the tenor of the FBI advisory, that a freshly rebooted router may send out a query to the web site that they have seized, so that they can then take further action including, I don’t know, maybe actually contacting you – presuming they can derive your name/address from your IP address.

            Hi Noel,
            Were you having fun with us or are you warning against rebooting? It’s hard to tell from your smiling picture? 🙂

            • This reply was modified 3 weeks ago by  Peacelady.
            1 user thanked author for this post.
            • #194793 Reply

              Bob99
              AskWoody Lounger

              @peacelady

              I believe Noel was being very honest with us, not trying to warn us at all. The first of the three stages of the malware is persistent and can survive a reboot of the router, but the other stages won’t survive the reboot.

              When the first stage finds no second stage present on the router, it will “phone home” to try to get a second and/or third stage sent to it from “home”.

              However, in this case, one of the more prominent “homes” has been taken over by the FBI, so the FBI will know you’re infected, and add your IP address to their list in order to better proceed with their investigation and (I hope) eventual prosecution. I believe this is what Noel was trying to convey. The FBI right now is probably just interested in how widespread this infection may be within the U.S. or other countries.

              If they really need to, the FBI can find you based upon your IP address after getting a subpoena or other documents from a court with proper jurisdiction. After all, your ISP has your name and address in their records which the above-mentioned subpoena would compel them to provide.

              6 users thanked author for this post.
            • #194798 Reply

              Peacelady
              AskWoody Lounger

              @bob99
              My apologies to you and Noel — I misread Noel’s reply to mean that the hackers could get in touch with us, not the FBI!
              Since I was a little afraid of doing a factory reset (which I may attempt at a later time) I did the reboot and changed the passwords and made sure that the other settings like disabling the remote management and remote access, etc. were all in place. I am eternally grateful to all on this blog for giving us the awareness of these potential threats. I don’t make a move until I consult the good folks here. I am learning a great deal standing on the shoulders of those who have so much knowledge and share it with us. Thank you!

              1 user thanked author for this post.
          • #194804 Reply

            Kirsty
            AskWoody MVP

            …from the tenor of the FBI advisory, that a freshly rebooted router may send out a query to the web site that they have seized, so that they can then take further action…

             

            And did anyone notice the cute little marketing graphic (with the catapult in it) in one or another of those articles for this particular malware?

            5 users thanked author for this post.
      • #194742 Reply

        anonymous

        @ Sam

        They suspect the attackers exploited known vulnerabilities and default passwords that end users had yet to patch or change.

        The advice to reboot, update, change default passwords, and disable remote administration is sound and in most cases requires no more than 15 minutes. Of course, a more effective measure is to follow the advice Cisco gave Wednesday to users of affected devices and perform a factory reset,…

        If you had already done the latter(quote), your router is unlikely to be infected. Also, disable WPS or WDS.

    • #194710 Reply

      Peacelady
      AskWoody Lounger

      Please excuse my ignorance but if my router is connected by an ethernet cable does this problem still apply?  Thanks to all for keeping us apprised of all these new threats.

      • #194711 Reply

        Microfix
        AskWoody MVP

        The problem will still apply whether connected via ethernet cable or wireless, if you are unlucky enough to have one of the aforementioned routers in Noels link.

        | 2x Group A W8.1 | Group A+ Linux Hybrid | Group A W7 | Group W XP Pro |
          No problem can be solved from the same level of consciousness that created IT - AE
        3 users thanked author for this post.
        • #194712 Reply

          Peacelady
          AskWoody Lounger

          Thx Microfix for the speedy reply!  Am I correct in not seeing my router in the offending list — the Verizon Quantum Gateway Router?  And if it is not affected I guess just a precautionary reboot would be appropriate rather than the factory reset?

          • This reply was modified 3 weeks ago by  Peacelady.
          1 user thanked author for this post.
          • #194715 Reply

            Microfix
            AskWoody MVP

            It’s entirely up to you if you feel it may be safer to do so. See my last reply to @sam

            | 2x Group A W8.1 | Group A+ Linux Hybrid | Group A W7 | Group W XP Pro |
              No problem can be solved from the same level of consciousness that created IT - AE
            1 user thanked author for this post.
            • #194716 Reply

              Peacelady
              AskWoody Lounger

              Much obliged Microfix – I’ll probably do a factory reset later today so I don’t have to worry about this anymore.  I have a copy of all my current settings so I can redo everything. 🙂

              1 user thanked author for this post.
            • #194723 Reply

              Microfix
              AskWoody MVP

              Fortunately, I have config.ini backups over long different time periods for used and current routers so, for us it was ‘import settings’ and restart of the router, which brought things up to scratch straight off. and to be on the safe side, I swapped router too which hadn’t been used since 2015.

              | 2x Group A W8.1 | Group A+ Linux Hybrid | Group A W7 | Group W XP Pro |
                No problem can be solved from the same level of consciousness that created IT - AE
        • #194885 Reply

          anonymous

          If your router or NAS isn’t on the list, still reboot and look into firmware upgrades.  This problem may affect all Linux hardware appliances.  The only difference between the ones on the list and those that aren’t may be down to the default password the system uses.

          Assume this isn’t a firmware issue; if any of your devices are still running default User/Password: update, flash, change password.  If they’re on the list (no matter the password they use): do the same.

    • #194719 Reply

      Sam
      AskWoody Lounger

      Woody

      Would you comment on this and let us all know what you think and what gyou recommend?

      Thanks

      Sam

       

      1 user thanked author for this post.
      • #194890 Reply

        woody
        Da Boss

        I’m traveling and have very limited access to my computer.

        It seems pretty obvious that everybody should unplug their router and plug it back in again.

        The MVPs know a whole lot more about this stuff than I do.

        3 users thanked author for this post.
      • #194925 Reply

        ch100
        AskWoody MVP

        Sam, I think you have all that you need in the original post from Susan Bradley.
        You don’t have to over-react and do what other posters say here, which is to reflash just for the sake of it, but you should reboot the router and/or unplug, leave for 30 seconds and plug back in. This is good practice and you may consider doing it more or less regularly, once a month or whenever suits.
        The password should be changed from default.
        This is the most important thing and possible the only one required.
        If there are updates for the router, then you should consider installing the latest to be up to date, with a bit of waiting time if this concerns you in general about new releases.

        5 users thanked author for this post.
    • #194720 Reply

      anonymous

      Unplugged and factory reset done! My router isn’t on the list, but the list could always change and grow. I never previously edited any of my router settings so a factory reset didn’t lose any settings for me, but this time however I also turned off UPnP. I read it’s not ideal to keep on so I’m glad I changed that at least.

      2 users thanked author for this post.
      • #194745 Reply

        anonymous

        After Factory Reset, users should change the default Admin password and disable Remote Management or Remote Access and WPS/WDS.?

        1 user thanked author for this post.
    • #194722 Reply

      Rick Corbett
      AskWoody Lounger

      I have no idea what the situation is like in the US but would just like to mention that carrying out a hard reset of a DSL modem here in the UK can be a *real* pain unless you’ve made a note of your username and password as a bare minimum.

      From several previous experiences, trying to explain to an ISP support person in Chennai why the device was hard reset and you’ve subsequently lost all connectivity can be… interesting, especially when the support person only has a script that he/she is required to follow. Good luck with the phone bill… I just hope you’re not using a mobile phone to ask for support…

      Also, my ISP (known locally and colloquially as ‘Virgin on the ridiculous’) provides re-badged and locked down 3rd-party wireless cable modem/routers. As a result, reboots are easy (I have a script) but a huge amount of normal settings are just locked away from customers.

      Hope this helps…

      2 users thanked author for this post.
      • #194732 Reply

        Noel Carboni
        AskWoody MVP

        Clearing / resetting / reflashing such a key piece of communications gear always comes with some risk. It might not come back on properly, or you might not have all the info you need to reset the config, or…

        It’s the folks we don’t hear back here I’m worried about. Good luck to all.

        -Noel

        7 users thanked author for this post.
    • #194729 Reply

      BobbyB
      AskWoody Lounger

      Meanwhile, Linksys is advising customers to change administration passwords periodically and ensure software is regularly updated

      Thx to @NoelCarboni for the link.

      Its worth noting, and I am sure all our Tech “savvy viewers” in here will already know this already, that passwords of a complex nature are essential. Many just plug everything in, it works and then “off to the races.” Most routers I have seen have just been set as User:admin P\W:<blank> out of the box.

      If you haven’t done so, set a complex password structure Upper, Lower Case even throw a few random “wild cards” in there. Something to add to your “scratch pad” with all the other passwords, that your not supposed to leave around your machine but everyone does alas. 🙁

      4 users thanked author for this post.
      • #194946 Reply

        Ascaris
        AskWoody MVP

        If such a setting exists for your particular router, it’s best to set it to not allow remote (WAN-side, or, in other words, from any point out on the internet rather than from a PC on your local network) administration or login, which (hopefully) is the default setting for any consumer router, but you never know.  It’s good to change the password from the default too, of course, but with remote admin disabled, it should be impossible to log in from the internet even with the password, if everything is working as it should.

        Regular home users will almost certainly have no use for remote administration anyway, so just make sure it’s OFF if there is a setting for it.  I don’t know if that would help in this particular situation, but it’s just a good idea to have it off anyway if you don’t have a specific need for it.

        I’ve read some details about this malware, but the reports so far have been a little short on details regarding the attack vector.  Having default passwords (in anything) is a security risk in general, but is it a definite factor in this particular attack?  I can’t tell if the advice to change the factory password is being offered as a general “best practice” kind of thing, like with my suggestion to turn off remote admin, or if it has confirmed relevance to this particular case.

        The original blog post revealing the malware mentions (repeatedly) that several routers on the “affected” list have known security vulnerabilities.  Again, is the presence of those security vulnerabilities directly relevant to this particular malware, or is it just a suggestion that the vulnerabilities exist, and therefore that they may have played a role?  I’d like to know more about how exactly it gets the code injected and executed by the router!  Is this info being withheld for a security-related reason, or do researchers just not know yet?  Or maybe it has been revealed, but I missed it… the mind boggles.

        It appears that the particular malware only affects routers running on x86 or MIPS architectures, or at least, those are the only ones mentioned by the Talos post as being subjects of their analysis.  That doesn’t mean that we can be sure other variants do not exist, but the threat in question does not appear to affect them so far.  We can speculate that maybe it does affect them and we just don’t know about it yet, which is possible, but there could be any number of threats we don’t know about yet that could potentially be out there if we’re going to speculate.

        For those of us who own routers that allow the user to log in to a Linux shell session, at least that blog post offers the potential of detecting infection… the malware creates root-level directories that are named after itself, so if you find those directories, you’ve been infected.  Unfortunately, this is not likely to be a detection method that is usable for “regular” people who don’t live and breathe computer stuff.

        In my case, the CPU in my router is an Atheros (now Qualcomm, but mine was made before Qualcomm acquired Atheros), so it looks safe for now on that basis.  EDIT: This is wrong!  My Atheros CPU uses the MIPS architecture, I have learned.  Back to “I don’t know” in terms of why it is not on the list of vulnerable routers.

        Without knowing what the attack vector was, I don’t know if my router is any safer because it uses DD-WRT firmware… I only know that the DD-WRT firmware means I still get updates, whereas the factory firmware has not been updated for nearly a decade, and that’s good for security in general.  That doesn’t mean the particular vulnerability isn’t still in there, since I don’t know what it was.

        • This reply was modified 2 weeks, 4 days ago by  Ascaris. Reason: Factual error on my part fixed
        2 users thanked author for this post.
    • #194755 Reply

      anonymous

      I’ve performed a power cycle on my router even though it’s not on the list, however I’m nervous about performing any kind of firmware update.  The last time I did a firmware update for my router, the router itself brick’d, even though I matched the rather complicated serial number Belkin issues them.  Rather not have to have the family shell out for another one if a firmware update goes bad again.

      • #194763 Reply

        Ascaris
        AskWoody MVP

        Many or most routers can be debricked using telnet or ssh (secure shell, which is really similar to telnet)… I’ve had it happen to my Netgear router with DD-WRT several times, but I just debrick it (which takes only a few minutes) and get on with things.  I hadn’t even remembered that it had happened until you mentioned this!

        It’s a bit technical, but not overly difficult, per se; you can research debricking your model and see if it looks like something you could do.  If not, perhaps someone you know can help.  I know that not everyone has a nerdy friend who can do these things at will, but if you can, it would be better than having to buy a new router if the old one can be made to work again.

        • This reply was modified 3 weeks ago by  Ascaris.
        2 users thanked author for this post.
        • #194769 Reply

          EricEWV
          AskWoody Lounger

          I’m the anon above, it’s a bit concerning seeing as you mentioned Netgear, seeing as my replacement for the dead Belkin is a Netgear, and I don’t think I’ll be able to make heads or tails of either TelNet or SSH, just from Googling what they are.  I’m the most tech savvy of my immediate family with a grandfather who is even moreso (primarily self taught), but I don’t think he’d understand those either.  I may be in a bit of a spot in this case.

          • #194872 Reply

            MrJimPhelps
            AskWoody MVP

            I consider Netgear to be some of the better networking equipment. I believe you have less to worry about with Netgear than with other brands.

            Group "L" (Linux Mint)
            with Windows 8.1 running in a VM
            1 user thanked author for this post.
          • #195222 Reply

            Ascaris
            AskWoody MVP

            EricEWV,

            I certainly don’t remember the commands to type into the telnet or SSH shell either.  Most of the time, with things like this, I have to look them up to make sure I am getting them right… I just remember that the command exists and about what it can do, so that if the need arises, I can search for it and get the exact specifics I need right at that time.  You don’t need to “know” the commands as far as having them memorized… I sure don’t!

    • #194765 Reply

      moonbear
      AskWoody Lounger

      The first Ars Technica article that reported VPNFilter said that it had been active since at least mid 2016, doesn’t it sound just a little bizarre that this is the first we’re hearing anything about it at all considering all the things its supposed to be able to do?

      2 users thanked author for this post.
      • #194774 Reply

        OscarCP
        AskWoody Lounger

        Perhaps we have not heard about this since 2016 because only now an actual exploit has been both detected and announced to the public, in this case by the FBI.

        • #194785 Reply

          moonbear
          AskWoody Lounger

          That’s definitely a strong possibility but I just can’t shake this feeling that there’s a deeper issue here since there wasn’t a news story about it before there were 500,000 devices infected in 54 countries. The below quote is part of why I think this isn’t quite what we’re being lead to believe.

          So a security firm can tell us half a million routers are infected, but there is no easy way to tell if one is infected?

          Did no one think we’d want to know something like that?

          • This reply was modified 3 weeks ago by  moonbear.
          3 users thanked author for this post.
    • #194777 Reply

      anonymous

      Security companies reporting vulnerabilities like this should be more specific regarding the issue and its fix or workaround. Otherwise, at the rate problems like these are occurring, work efficiency will go down the drain when you have to spend hours of your day looking on how to patch things. Moreover, I certainly don’t understand why a software developer can release a complete change log, while a hardware company issuing a firmware can’t do the same and a lot of times you have to guess what was fixed or changed. I’m really getting tired of this irresponsible behavior.

      3 users thanked author for this post.
    • #194842 Reply

      arfurdent
      AskWoody Lounger

      That’s definitely a strong possibility but I just can’t shake this feeling that there’s a deeper issue here since there wasn’t a news story about it before there were 500,000 devices infected in 54 countries. The below quote is part of why I think this isn’t quite what we’re being lead to believe.

      So a security firm can tell us half a million routers are infected, but there is no easy way to tell if one is infected?

      Did no one think we’d want to know something like that?

      possible that someone is counting the hit rate on the domain that the FBI seized

      2 users thanked author for this post.
      • #194949 Reply

        moonbear
        AskWoody Lounger

        that’s true, but at the same time that just reinforces just how wrong all of this feels. Given the kind of research being done to find out how many devices are infected and where they are (and the almost 2 years VPNFilter has been reported to have been active), wouldn’t one assume that the people researching this would also look into a way for even non experienced users to look at their equipment and see if it was infected? I would hope that would be the second thing on the list after they contact the authorities. As of right now this does not appear to be the case and one has to wonder why. I’m not saying anything dark or nefarious is actually going on, it just seems like a very crucial step was missed.

    • #194843 Reply

      Kirsty
      AskWoody MVP

      For general Router Security questions or information, a really good resource is Michael Horowitz’ dedicated website: https://www.routersecurity.org/

      13 users thanked author for this post.
    • #194858 Reply

      Mele20
      AskWoody Lounger

      It sounds like a lot of you have ancient routers that do not automatically install firmware updates.  Linksys says if you have a newer Linksys router with automatic firmware updates (that you did not turn off) there is little if any worry.  The newer Linksys routers also force change of password during setup and Linksys thinks the older routers with generic well known passwords that many users didn’t change are the vulnerable ones as those are also ones that do not automatically install firmware updates and many users never seek out the latest firmware.

      https://www.linksys.com/us/support-article?articleNum=246427

      Plus, Linksys now has 5 years warranty and free phone support in most of the world…the USA being the big exception but it is getting better here because of users like myself who are shocked and angered to learn that most everywhere else we would get a lot more than 1.5 years of free phone support and one year of warranty (now 1.5 years even if the fine print says 1 years and these bad polices are being changed in the USA gradually).

      Also, if you buy the same router from Amazon as a business router rather than home you get 5 years free phone support here in the USA and the router price is the same whether designated as a business router or home one…this is for some popular routers…mine included but I didn’t know this when I bought mine from Dell instead of from Amazon.  If you have a newer router, with reasonable warranty length and phone support, call them and have a phone tech walk you through a factory reset if you are nervous about doing it and check your router settings to see if you have the latest firmware.  If it is an older router out of warranty and support, hopefully you purchased one that can be flashed with open source firmware that is up to date.

       

      4 users thanked author for this post.
      • #194941 Reply

        Noel Carboni
        AskWoody MVP

        My problem with “do it the prescribed way” thinking is this: If it’s the most common way everyone does something because it’s the default, it’s the most likely to be attacked.

        Can you think of any ways that a router that’s going out online and seeking new firmware could be compromised? I don’t know, maybe by someone spoofing the legitimate manufacturer’s firmware download web site and substituting their own firmware, which now contains the very malware people are so worried about?

        I’m not saying this is how things have been done, but just that the possibility exists. Having things auto-patch themselves is not always the best approach, IMO, if you’re willing to take charge of the process.

        This is not a criticism of your point of view, just an alternate thought stream that questions the status quo…

        -Noel

        3 users thanked author for this post.
        • #194948 Reply

          anonymous

          “spoofing the legitimate manufacturer’s firmware download web site and substituting their own firmware”

          Given it’s supposed to be 500,000+ known infected, it would have to be some such automated comms employed to deliver the malware.

          But this call to reboot routers, everyone, rings a little hollow for me. And any action based on it is speculative at best. On the face of it, it sounds like paranoia, given there is no real time examples of infection and its results, and the malware can’t be detected by me or you – whoever ‘you’ are.

          In fact, to reboot routers based on this FBI advice, is little more than ‘following orders’. ‘Cause we don’t really know why or what’s going on. Does anyone here have any experience of being hit by this malware, or actually know of anyone?

          1 user thanked author for this post.
          • #194955 Reply

            anonymous

            The idea of rebooting the router “works” if the malware is only in RAM. However, from the information reported, it sounds like it has a higher stronghold.

            By the way, rebooting is one thing, and resetting another. I read some people actually resetting their routers and that could make things much worse since if the router is not reconfigured properly it could be exposed even more. So, the advice given is poor at best, dangerous at worst. They should have contacted the manufacturers affected requesting them to publish step by step advisories on how to secure the products and then instruct people to check their websites.

            1 user thanked author for this post.
            • #194960 Reply

              anonymous

              “They should have contacted the manufacturers affected requesting them to publish step by step advisories”

              That would be the responsible, and intelligent thing to do, ‘if’ they want to fix the said problem.

              Instead they issue ‘advice’ to the general public who ‘generally’ know nothing about these things and are likely to follow such advice and cause more problems, at least for themselves – with knock-on effects.

              Sure, there ‘may’ be this malware out there, but something else is going on … FBI fishing regardless of collateral effects maybe?

              Clearly, with cyber risks on the rise there needs to be a more streamlined and reliable way of being informed.

              1 user thanked author for this post.
            • #195226 Reply

              Ascaris
              AskWoody MVP

              I wonder if using the router’s backup/save/export settings function, if it has one, would save the malware on an infected router.  My thought is that it wouldn’t, but I don’t know this for sure.  You could save the settings, do the factory reset, then import or restore the settings you just saved.  That might work, but only if a factory restore would work in the first place.

              I don’t know for sure it would work, and I am not suggesting anyone do this, just to be clear… just throwing it out there as an option that people may not have thought of.

    • #194965 Reply

      Kirsty
      AskWoody MVP

      An excellent thread from Catalin Cimpanu on VPNFilter includes a lot of information, including that Stage 2 does not survive reboot, and that Stage 1 does not survive hard reset (to factory settings). (Stage 2 wipes firmware, temporarily bricking devices, as mentioned above.)

      9 users thanked author for this post.
    • #194982 Reply

      Sam
      AskWoody Lounger

      I want to thank everyone who responded to my question if just unplugging my router and then plugging it back in would solve the problem or not.

      With all the problems going on with the Russians and others if when not using your router and all the devices attached to it wired or wireless you just unplug it.  When you want to use it you just plug it in and wait a couple of minutes for it to reboot  and you are set to go.

    • #194985 Reply

      Mr. Natural
      AskWoody Lounger

      Hey gang,

      I learned of this last week. I tried to read over all the posts but if you all don’t mind I’ll throw my 2 cents in. The situation is the command and control center of the malware is now under control of the FBI. A reboot of your router will disable some malicious aspects of the malware. The reboot will still contact the command and control center, but it is now under control of the FBI so the problem is somewhat mitigated by a simple reboot. I do not recommend doing a factory reset of the device unless you are confident you can get your internet connection working again on your own. A lot of home routers make it fairly easy to configure and if you have a manual for the device you can try resetting the unit if you like. It is very important to routinely update the firmware (software) of your router. If you have not updated your device within the past few months or more you’re device may be compromised. Not necessarily from this exploit, but many others that are out there. Also be sure you have changed the default password to log into your router. Many have the username of admin which cannot be changed, but if you have not changed the password from whatever it originally came with, you need to change and make your own password.

      Regarding rebooting your router. Some of you may be using Uverse or other AT&T internet and may have one device which handles your internet and wireless connections. I have cable internet with a router provided by my isp and I have a Netgear r7000 for my wireless connection. The r7000 is one of the targeted models. In my situation I need to reboot my Netgear wireless router. I did so and updated the firmware even though there is not an official fix yet.

      For those of you with one device for internet, simply unplug it, wait 15 seconds or so and plug it back in. In this situation it will affect your tv as well. Give it 5 minutes and everything should come back up. If you don’t have internet, restart your computers.

      For those like me you will have 2 devices. The cable “modem” as they still call it and a wireless router is connected to the “modem” for wireless connectivity. The cable modem is managed by my isp. Most wireless routers will have one or more antennae on it. In my situation the cable “modem” is a Cisco so I am not too concerned about that. But here’s what you would normally do. Unplug both devices for 15 seconds. Then first plug the cable “modem” back in. Give it a minute or more to boot. Then plug the wireless router back in and give it some time to fully boot. Things should be back up in 5 minutes or so.

      If you ever lose your internet connection this will also be the first thing your ISP will tell you to do so keep this in mind. This will sometimes fix an outage unless it is an area wide outage.

      • This reply was modified 2 weeks, 5 days ago by  Mr. Natural.
      7 users thanked author for this post.
    • #194993 Reply

      Peacelady
      AskWoody Lounger

      Please excuse my ignorance:  I have a FIOS Quantum Gateway which has the setting  “Wireless turned off”.  In this case, using ethernet and having the wireless always turned off am I still at risk for the VPNFilter?  I also rebooted and changed all the passwords, etc.  Thanks in advance to everyone helping us!

      • #194995 Reply

        PKCano
        AskWoody MVP

        Routers have two parts – wired and wireless. The wired side transmits the signal between computer and router  through a wire. The wireless side uses a transmitter to send the signal between computer and router (much like a two-way radio). But both wired and wireless use the same parts of the router (hardware and software) to communicate with the Internet. So, as far as the Internet is concerned, there is no difference in the signal between the router and the ISP.

        So to answer your question, it doesn’t matter if you are using wired or wireless connections from the computer, it’s the router and/or its software that is vulnerable.

        8 users thanked author for this post.
      • #195598 Reply

        anonymous

        @peacelady

        @bob99 here, posting anonymously. As @pkcano says above, you are indeed still vulnerable to the VPNFilter bug. Great job with changing the passwords and rebooting your router/gateway! However, for better security of your router and network, there are two other settings I encourage you to apply.

        Having looked at the user’s manual for your router/gateway, I believe it would be a good idea to make sure that a feature called “Remote Administration” is disabled and that a feature that is called “Universal Plug and Play” is also disabled.

        The user’s manual strongly discourages you from enabling the Remote Administration feature, because it enables you to be able to get to your router/gateway’s interface from anywhere on the Internet. Definitely NOT a good thing these days.

        To disable BOTH of these features, Remote Administration and Universal Plug and Play, go to the “Advanced” tab on the top of your router/gateway’s interface (should be the one right next to “Parental Controls”). Once there, you’ll see Remote Administration under the “Utilities” list and Universal Plug and Play under the “Network Settings” list.

        To make sure that Remote Administration is disabled, make sure the top two check boxes that say “…Primary HTTPS…” and “…Secondary HTTPS…” are clear, NO check marks in them on the Remote Administration page. If the “Diagnostic Tools” boxes are checked, please leave them that way, as that can help Verizon’s support techs help troubleshoot a lack of connectivity if you need their help during a tech support call that YOU have originated by calling them. IF you had to make any changes to this page by clearing check boxes, then click the “Apply” button under the settings. If no changes are needed, proceed to the next paragraph below this one.

        To disable Universal Plug and Play (UPnP), simply make sure the check boxes on the UPnP page are clear and then click the “Apply” button below them. HOWEVER, if you do have any devices on your network that depend on the UPnP service, then they won’t work quite properly, so it would then be best to leave this service running.

        From what I recall, malware has used the UPnP service to easily run between devices on a network and infect them, so that’s why this service has been recommended to be disabled if at all possible. Any and all MVP’s please feel free to correct this statement if it’s somewhat incorrect!

        The above paragraphs are based on a copy of the FIOS Quantum Gateway’s manual dated 2017, so the location of some items may be different if Verizon has upgraded/updated the firmware since the manual’s publication or if you’ve had yours since before 2017.

        1 user thanked author for this post.
    • #195001 Reply

      Bill C.
      AskWoody Lounger

      Hey gang,

      I learned of this last week. I tried to read over all the posts but if you all don’t mind I’ll throw my 2 cents in. The situation is the command and control center of the malware is now under control of the FBI. A reboot of your router will disable some malicious aspects of the malware. The reboot will still contact the command and control center, but it is now under control of the FBI so the problem is somewhat mitigated by a simple reboot. I do not recommend doing a factory reset of the device unless you are confident you can get your internet connection working again on your own. A lot of home routers make it fairly easy to configure and if you have a manual for the device you can try resetting the unit if you like. It is very important to routinely update the firmware (software) of your router. If you have not updated your device within the past few months or more you’re device may be compromised. Not necessarily from this exploit, but many others that are out there. Also be sure you have changed the default password to log into your router. Many have the username of admin which cannot be changed, but if you have not changed the password from whatever it originally came with, you need to change and make your own password.

      Regarding rebooting your router. Some of you may be using Uverse or other AT&T internet and may have one device which handles your internet and wireless connections. I have cable internet with a router provided by my isp and I have a Netgear r7000 for my wireless connection. The r7000 is one of the targeted models. In my situation I need to reboot my Netgear wireless router. I did so and updated the firmware even though there is not an official fix yet.

      For those of you with one device for internet, simply unplug it, wait 15 seconds or so and plug it back in. In this situation it will affect your tv as well. Give it 5 minutes and everything should come back up. If you don’t have internet, restart your computers.

      For those like me you will have 2 devices. The cable “modem” as they still call it and a wireless router is connected to the “modem” for wireless connectivity. The cable modem is managed by my isp. Most wireless routers will have one or more antennae on it. In my situation the cable “modem” is a Cisco so I am not too concerned about that. But here’s what you would normally do. Unplug both devices for 15 seconds. Then first plug the cable “modem” back in. Give it a minute or more to boot. Then plug the wireless router back in and give it some time to fully boot. Things should be back up in 5 minutes or so.

      If you ever lose your internet connection this will also be the first thing your ISP will tell you to do so keep this in mind. This will sometimes fix an outage unless it is an area wide outage.

      IF you are rebooting a cable modem or combined router/modem, make sure you remove the backup battery before you unplug it. Otherwise, it will run on the backup battery and not actually shut down and reboot. Usually the backup battery is accessed through a small door on the side of the device. The battery may have a pull tab to remove it and some will even have a latch and pull tab.

      6 users thanked author for this post.
      • #195007 Reply

        Mr. Natural
        AskWoody Lounger

        Good point BillC. I forgot about the possibility of having a UPS on the router(s).

        I actually had a strange thing happen when I updated my wireless router so I’m wondering if it was compromised. When I normally update my Netgear r7000 the unit will download, install and reboot on its own. When I ran the recent firmware update the unit began installing the update and then the graphics on screen went blank and I couldn’t tell what was happening. Since the router should reboot on its own anyway I waited 5 minutes to see if it rebooted. It did not reboot so I had to unplug and restart the router. Fortunately it did come back up but the odd thing was the firmware version being reported.

        Normally my Netgear firmware will state that its version x.xx.xxx (such as 123.45. 7890). When the firewall came back up it was at version x.xxx and no additional numbers after that. So I reran firmware update and it then installed and rebooted properly with the current firmware.

         

        1 user thanked author for this post.
        • #195019 Reply

          Bill C.
          AskWoody Lounger

          You were far more fortunate than I when I had a Netgear router with a hardware firewall.  First software update went fine.  The second bricked the router.  Netgear replaced it immediately at no cost.  Next software update went fine.  The second update on the new router again bricked the router.

          Since it was an older model and I wanted to get a wireless capable router, I bought a new Linksys.  The Netgear was exceptional on blocking port scans.

          • #195044 Reply

            Mr. Natural
            AskWoody Lounger

            Nothing wrong with Linksys and I do believe they are now owned by Cisco, so even better.

    • #195004 Reply

      NightOwl
      AskWoody MVP

      @ Peacelady

      I have a FIOS Quantum Gateway which has the setting  “Wireless turned off”

      As PKCano has said, the risk is there with either wired or wireless.

      Going to stick my head out here, but I think the setting you want to disable is the *Allow Remote Access*. That means you have set up the router to listen to the internet, and if the correct wakeup code is sent to the router, then it will open its GUI and wait the the correct username and password, and then if those are given, then whoever has entered those credentials now has total control of the router.

      I think some routers have settings for wired vs wireless remote access to the router’s setup GUI. I have my router set up so it will only allow access via a wired connection from a local computer hooked up to one of the four output ports on the router that a computer hooks up to.

      If you installed your router and never changed the default user id, and default password–then anyone who has been able to access the router, can also enter those default user and password without having to *hack* or *crack* the router’s user id and password.

      NightOwl

      No question is stupid ... but, possibly the answers are 😉 !

      5 users thanked author for this post.
    • #195002 Reply

      anonymous

      ? says:

      thanks Noel, taking as much charge of the process as possible is how i learn about how it works. i reboot this router quite often usually when google and facebook narrow down my location to an uncomfortably close zip code (in spite of having the browser location settings disabled)…

      would not monitoring in/out network traffic give an indication of being compromised, or are the questionable addresses spoofed/invisible?

      i have had the same ISP for years and am using their third supported router which finally allowed me to pass Steve Gibson’s GRC because this model allows me to “stealth,” the ipv4 and as a bonus it removed the ISP’s open “maintenance” port. i once called their engineering dept. and was told to not worry about the open port.

      people who use firefox have the option of using the “about:networking” feature to check traffic which for fun i compare with what netstat is showing

      1 user thanked author for this post.
      • #195278 Reply

        Noel Carboni
        AskWoody MVP

        To some extent your location can be determined from your IP address.

        Visit this site, for example, and see whether it puts the pin on you:

        http://www.ipfingerprints.com/geolocation.php

        Note: I have a lot of things blocked from my browser so I don’t know whether the site I mentioned might try to deliver ads or whatnot. For me it delivers just the content. Virustotal lists it as Clean.

        Note that it places the https://www.askwoody.com server in Virginia in this example:

        ScreenGrab_NoelC4_2018_05_30_211049

        There’s really nothing you can do about IP addresses being resolved into locales, and sites doing it certainly haven’t necessarily infected you with anything.

        -Noel

        Attachments:
        You must be logged in to view attached files.
        • #195285 Reply

          Cascadian
          AskWoody Lounger

          Interesting locale, cozy confines, friendly neighbors.

    • #195018 Reply

      Peacelady
      AskWoody Lounger

      Hi PKCano & NightOwl – Thank you both so much for your speedy and reliable responses!  Regarding my questions about wifi and ethernet — you can’t blame a gal for trying but I’m now done trying to wiggle out of being a possible member of the VPN Filter club. 🙂   NightOwl — I have changed all passwords (logon, Verizon, SSID’s) and also went over my settings and confirmed that I did not allow remote access or remote administration and every bad thing I could opt out of that I could understand from the articles I’ve accumulated and the advice given here.

      It is my personality to be very uptight about computer security and these problems do not add to my peace of mind.  I don’t know what is better — to be totally oblivious to all the threats or to be hyper vigilant like me and worry all the time who is going to do what to me and/or my data.  I think I could try to calm down if the hackers would just STOP!  Since that doesn’t seem possible, I am indebted and grateful to everyone here who has helped me to do what I can. 🙏❤😊

      • This reply was modified 2 weeks, 5 days ago by  Peacelady.
      • This reply was modified 2 weeks, 5 days ago by  Peacelady.
    • #195022 Reply

      OscarCP
      AskWoody Lounger

      Sorry about asking such a naive, probably also silly question, but in hopes of getting more than a rebuke or a deservedly silly answer, here it goes:

      If the 500,000 (nice round number evil hackers!) routers connecting personal computers, servers, whatever, to the Internet that have been infected are all in the Ukraine and are all about disrupting the country on the day of a showcase European cup (or something) Association football match (e.g. as per C. Cimpanu, follow the link to the Web page with his comments on this subject, posted further up in this thread by Kristy), and I am in the US of A, why do I have to worry about any of this? Is the FBI saying that they have found computers hacked in this country? Or is this, perhaps, something contagious that by corresponding via email, Skype, etc. with someone from the Ukraine or surfing Ukrainian Web sites people here are likely to catch and then spread around?

      Did I tell you already that this was probably going to be a silly question? Please, ignore me.

      2 users thanked author for this post.
      • #195025 Reply

        Mr. Natural
        AskWoody Lounger

        As stated there are no silly questions and no one should be afraid to ask a tech related question here.

        OscarCP – regardless of this particular situation there are still a number of other router hacks that have been around for quite some time. Just this past April there was another Russian hack reported which most manufacturers should now have a firmware release to fix that. I know Netgear does. And other exploits have been reported long before that.

        • This reply was modified 2 weeks, 5 days ago by  Mr. Natural. Reason: spelling
        2 users thanked author for this post.
      • #195028 Reply

        moonbear
        AskWoody Lounger

        That’s not a silly question at all. As of right now there is no way to tell when or how the initial infection takes place. The 500,000 infections (I agree that is a very nice round number) are spread over 54 countries, not just the Ukraine. Which is why the advice to at least reboot your router was given. The country with the highest level of infections is the Ukraine.

        2 users thanked author for this post.
        • #195032 Reply

          OscarCP
          AskWoody Lounger

          Thanks for the kind and understanding answers.

          So, here is my next silly question: because an attack might have happened here (although we don’t know that yet), do I reboot now, once, or should I keep doing that every day from now on, indefinitely, in case some day there are attacks like those also here?

          By the way: I am sorry for the Ukrainians, having their showcase match spoiled and their internet connections messed up. And I also appreciate a number of those posting in this thread for all their explaining of how to practice good router hygiene. That effort is not going to be wasted on those paying attention.

           

          • #195039 Reply

            Mr. Natural
            AskWoody Lounger

            One reboot and that’s all you need for now. We should be hearing about new router firmware coming out soon which will completely resolve the issue.

            2 users thanked author for this post.
    • #195033 Reply

      anonymous

      While everybody talks about securing remote access to routers, it’s even more important to do so for local access as well. In general, it’s a good idea to firewall outgoing traffic to the router’s IP address and just whitelist TCP ports required to access the router’s UI. Doing so prevents software running on local machines (not just software shipped by Microsoft…) to collect data from routers that may include sensitive details.

    • #195046 Reply

      NightOwl
      AskWoody MVP

      @ Peacelady

      I don’t know what is better — to be totally oblivious to all the threats or to be hyper vigilant like me and worry all the time who is going to do what to me and/or my data.

      I think being vigilant–to the best of our abilities–is the best thing, but once you have done what you can–*be happy, don’t worry*! Just try to keep on top of things–as you well know, things keep changing (smile)!

      NightOwl

      No question is stupid ... but, possibly the answers are 😉 !

      1 user thanked author for this post.
    • #195057 Reply

      moonbear
      AskWoody Lounger

      Has there been any coverage of VPNFilter on any non-tech news sites or on cable news? Considering this appears to be a more destructive threat than meltdown/spectre, how has there not been at least as much coverage as those 2 exploits received in the first week after they were disclosed? The reason I ask this is that as time has gone on, I’ve noticed that it seems like only sites like The Register and Ars Technica have even ran stories about VPNFilter. Have I just overlooked stories in other places or have there really not been that many? I’m just trying to find all the info I can in case I have to try and explain it to anyone even less tech savvy than myself.

      • This reply was modified 2 weeks, 5 days ago by  moonbear.
      2 users thanked author for this post.
      • #195070 Reply

        DrBonzo
        AskWoody Lounger

        I’m not a newshound, but I know a few people who are, and the coverage on non-tech sites/sources appears to be minimal. I saw an article on cnbc.com a few days ago and that’s it.

        If the FBI really wants everyone to reboot their routers, they’re not doing a good job getting the word out.

        This whole thing just seems quite strange to me in a very nebulous sort of way.

        3 users thanked author for this post.
        • #195076 Reply

          moonbear
          AskWoody Lounger

          Thanks @drbonzo I saw that article. As time goes on its beginning to seem like this whole mess is definitely not what we’re being told it is. I wrote in an earlier post that I didn’t think anything dark or nefarious is happening and to be perfectly honest, I’m not sure I believe that anymore.

    • #195090 Reply

      Kirsty
      AskWoody MVP

      From this week’s Security Now podcast notes:

      OUR TAKEWAY:
      If you own one of the affected devices: Rebooting it is insufficient. Restoring to factory defaults
      could be done, but reflashing the firmware — take this opportunity to get the latest — would be
      best. And while you’re there, be sure to disable all WAN-side management, disable UPnP if you
      can, and setup a seriously strong username and password.

      Steve Gibson discusses the 3 stages of the vulnerability, and may be of interest – you can read the notes here.

      4 users thanked author for this post.
    • #195100 Reply

      Peacelady
      AskWoody Lounger

      I just saw that Brian Krebs has finally addressed this. Here is the link:
      https://krebsonsecurity.com/2018/05/fbi-kindly-reboot-your-router-now-please/

      1 user thanked author for this post.
      • #195103 Reply

        jelson
        AskWoody Lounger

        +1 for the Brian Krebs article.

    • #195209 Reply

      AlexEiffel
      AskWoody MVP

      Ok, so from my understanding of this situation, nothing can make you certain that even if you reflash and hard reset the router, you won’t get infected again by something different that the group will produce using the same vulnerability if they indeed used a vulnerability to get in in the first place. I also wonder how companies will fix this vulnerability if they don’t know how the router got compromised in the first place…

      The routers listed include some Linksys products but not other very similar Linksys products, which indicates to me that the hackers probably used a vulnerability and not only some default configuration issue that would be common to all those routers.

      So, that would mean that no matter what you do, until they find and fix this vulnerability with a firmware update if the company still produce firmware updates for your router, you are not in such a great position.

      What are the options, then for the legitimately paranoid, like @peacelady?

      First, follow Kristy’s excellent advice by going to the web site of Michael Horowitz. It doesn’t take that long to get your router-IQ level higher and it is a good long term investment to better put things in perspective the next time an issue arise and to help you reduce your risk in general.

      Yes, understanding the sorry state of home routers and the focus on dust gathering ability and often insignificant speed metrics instead of long term support and security in reviews is depressing, to say the least. We had a discussion here about it a while ago.

      The alternative is to get a cheap commercial router like the one Horowitz suggest and get more serious about security. Or you rely on a bit of luck and the fact that routers are still not exploited to the best potential they offer while doing 3 things :

      1) learn how to configure your router to be secure using Horowitz’s site.

      2) learn how to reset your router, update its firmware and reconfigure it, knowing that some router companies still produce routers where updating the firmware will cause it to loose its configuration.

      3) try to buy routers from companies that support their product with security updates and that respond to security issues that get brought to their attention in a better manner. Hint: some are more terrible and really don’t care about your security than others. Avoid products that use marketing gimmicks like cloud something and features that actually probably make your router less secure.When it come to security, simplicity is best.

      The good thing about routers is you can most of the time hardware resets them using the special button for it so if you selected a setting that blocked your access by mistake, you can not panic, resets everything and reenter all your config again.

      Once armed with the confidence that you can take control over this not as difficult to configure better than it looks device, you can at least keep its firmware up to date when vulnerabilities are discovered by having a monthly reminder to check for firmware updates on the company’s website without fear that your life will end if the configuration is lost. That is a good way to reduce your risk while still using a home router.

      If I would make a simple checklist of things to do, from memory:

      Don’t disable SSID broadcasting, it is counter intuitive but it makes you less secure to hide it.

      For wireless security version, use WPA2 PSK with AES only, no WEP, no WPA, and nothing with WPA + TKIP (bad trick to support very old devices that makes WPA not secure).

      Choose a long passphrase. It doesn’t need to be hard to remember, just very long but not so long that some devices can’t use it. Cracking a very long password has been shown to be much much more difficult that cracking a short complex password. They key is can a computer generate this pass phrase easily using some set of rules or will it have to use brute force and then render the task impossible in a reasonable amount of time when the password is so long.

      Disable WPS and other tricks to “make your life easier” connecting your devices together.

      Use a guest network to put insecure devices away from your more secure devices. On some routers, I use AP Isolation to prevent devices from seeing each other. This is great from a security standpoint, but it can render your wireless printer not accessible to anything except the only device that has a USB cable connected to the printer, so think about it before activating it. Using AP Isolation on some networks like the guest network and not on the more secure network might be an option.

      You can sometimes assign working hours for guest network or regular network. This can be nice.

      Disabling uPnP is a good important thing to do if you understand the consequences and don’t mind them.

      Filtering out some devices to prevent them from accessing the web while still being accessible from inside might be useful to contain a bit some IoT devices that you would want to keep local only. Why should your printer connect to the Internet exactly?

      Important: it might be a good idea to restrict management of the router to the non wireless interface so you can only access it using the plugged computer. You should restrict management access to https only and from inside only (why would you need that much to configure your router from outside anyway unless you have very specific needs?). I also change the management port from 80 or 8080 to something else to reduce the risk of some automated attacks that would use a vulnerability, but if you do that, you need to not forget to access the router using the port after its address, like https://192.168.1.1:6523 for port 6523.

      If you don’t use the clock in the router, it might be good practice to not enable the ntp client to set the clock and that could be abused if a vulnerability was discovered in it. Since ntp uses udp packets, it adds a layer of vulnerability not found in tcp packets that is not necessarily handled properly by home routers.

      Good practice : try to mask the IP of your cable modem using Horowitz’s suggestion so an automated attack hidden in malware that would have compromised your teenager’s gaming rig can’t access it easily from the inside and mess with it.

      8 users thanked author for this post.
      • #195259 Reply

        Cascadian
        AskWoody Lounger

        I’d like to nominate @alexeiffel ‘s #post-195209 as a companion piece regarding router security in the AskWoody KnowledgeBase 4million series.

        4 users thanked author for this post.
        • #195286 Reply

          AlexEiffel
          AskWoody MVP

          Thanks but if I had known you would like it so much I would have written it better. I think Horowitz web site is a better resource and the tips I brought just an essential list of questions you should consider if security is a bit important to you. But then, putting my ch100’s hat for routers instead of Windows, if it is really important, you should definitely not consider the home version of a router as sometimes security can not even qualify as an afterthought in this market.

          2 users thanked author for this post.
          • #195290 Reply

            ch100
            AskWoody MVP

            😁
            Great idea to use at least the equivalent of a Pro version.
            The equivalent of an Enterprise edition tends to be overly complicated for networking devices.

          • #195294 Reply

            Cascadian
            AskWoody Lounger

            You are modest. But my real intention is to have a reference piece that is easy to point to within the AskWoody domain. I recognize the base you used to comment from, but much of the advice is not dependent on that source alone. It is general good advice, gathered into one readable comment, appropriate and useful to many of the user population that turns to AW for guidance.

            Not quite clear on the additional classifications added in later comments. Caveat emptor has always been a good guide to get sufficient quality at the pricepoint available. Research always pays dividends. Seeking a McLaren when a Cooper would do makes little sense. Buying from the junkyard always has its drawbacks. Maybe I have missed the humor.

            1 user thanked author for this post.
            • #195370 Reply

              AlexEiffel
              AskWoody MVP

              I guess ch100 refers to using a commercial router that is supported for a long time and from a company that actually monitors security issues and issues patches, maybe like the Peplink brand Horowitz is talking about, as a Pro version vs some much much more complicated product like a Cisco ASA that comes with a not so useful 3000+ pages manual as an Enterprise version. I think he makes a good point, as myself I experienced the crazy long learning curve of properly configuring these devices without unintentionally adding security issues for more complicated network architecture while not being an expert in it.

    • #195310 Reply

      Kirsty
      AskWoody MVP

      Reboot Your Router to remove VPNFilter? Why It’s Not Enough
      By Lawrence Abrams | May 29, 2018
      Updated May 30, 2018

       
      After it was reported that the VPNFilter botnet consisting of over 500,000 routers and NAS devices was taken over by the US government, the FBI issued an advisory stating that users should reboot their routers in order to disrupt the malware.

      Unfortunately, as shown by the five phone calls I received today, many people heard the reboot part, but did not read the rest of the recommendations of turning off remote administration, changing passwords, and upgrading to the latest firmware. One step that was not mentioned is the fact that the only way to truly remove VPNFilter is to reset the router to factory defaults.

      Due to this, people are just resetting their routers, but leaving part of the malware still present after it is rebooted. With that said, I have put together a guide on VPNFilter, what the FBI advisory is about, and the steps you should perform to clean and secure your router.

      Should you reset your router even if its not one of the listed ones?

      This is a tough one. On one hand, its always better to be safe than sorry. On the other, for some it can be very difficult to configure a router from scratch.

      With that said, I do suggest that you follow these steps as its only a good thing to have your router running the latest firmware and the other steps only further protect your device.

       
      Read the full article here

      7 users thanked author for this post.
    • #195607 Reply

      Microfix
      AskWoody MVP

      Looks like VPNFilter botnet is not dead yet according to Catalin Cimpanu at Bleeping Computer..

      The VPNFilter botnet that was built by Russian cyberspies, which infected over 500,000 routers, and was taken down last week by the FBI is attempting a comeback, according to telemetry data gathered this week.

      more info at: https://www.bleepingcomputer.com/news/security/the-vpnfilter-botnet-is-attempting-a-comeback/

      | 2x Group A W8.1 | Group A+ Linux Hybrid | Group A W7 | Group W XP Pro |
        No problem can be solved from the same level of consciousness that created IT - AE
      1 user thanked author for this post.
    • #195664 Reply

      Mr. Natural
      AskWoody Lounger

      10:00 PM cdt 6/2/2018. New router update from Netgear. I think you all know better than to ask me to verify what version this is on a Saturday night.

      Party on Wayne, Party on Garth.

       

      Attachments:
      You must be logged in to view attached files.
      • #195949 Reply

        Mr. Natural
        AskWoody Lounger

        looks like a hotfix. The documentation says “security fixes” and that’s about it. I’m guessing this update does not fix the issue mentioned here since there is no official announcement.

    • #195783 Reply

      Kirsty
      AskWoody MVP

      Q&A: Should you reboot your router like the FBI says?
      By The Associated Press | May. 30, 2018

       

      Q: Why can’t I completely remove the malware from my router?

      A: For starters, routers are difficult for ordinary users to fiddle with. They have publicly known vulnerabilities that aren’t easy for average users to patch and typically aren’t equipped with anti-virus software packages or intrusion protection systems. That said, if you can update your router’s “firmware” to the latest version — something you can often do via the router’s phone app or web interface — you should. It may not fix the problem, but it won’t hurt and may help.

       
      Read the full article here

    • #196061 Reply

      Kirsty
      AskWoody MVP

      VPNFilter – just the bad stuff
      By Michael Horowitz | June 4, 2018

       
      Like all news stories, the VPNFilter router malware has now faded from the headlines. But the underlying problems are not going away and they are bad. Bigly bad. This is a detailed look at just how bad.

      For starters, this was inevitable. The security of routers is disgraceful. As shown on the Bugs page of my RouterSecurity.org site, routers are buggy as heck. Most, if not all, the bugs listed there are security related. Worse still, router software/firmware is often quickly abandoned, meaning no firmware updates.

       
      Read the full article here

      5 users thanked author for this post.
      • #196141 Reply

        AlexEiffel
        AskWoody MVP

        -‘At the least, we have to assume that any and all Netgear and Linksys routers are vulnerable.’

        I am still appalled how quickly these things are dismissed with no afterthought. People quickly loose interest although they have no confirmation about the problem and if it is fixed or not. Maybe they feel powerless over all this or overwhelmed by the subject itself? It shouldn’t be that way and if it is the case, it is because the companies are acting irresponsibly.

        So, we still don’t know what is going on here. Probably some routers got infected because their users never installed the latest firmware a long time ago that fixed a vulnerability that was exploited later by VPNFilter. Their router is probably still vulnerable. I remember seeing one of the affected model having a firmware update to address a security issue a very long time ago. If this is the vulnerability that has been exploited, it just shows how the laziness of the companies producing those garbage products have made possible such a widespread infection.

        I second Horowitz’s suggestion to put an expiration date on routers. I would add there should be a little warning card in the box saying at least you should keep your router updated, please subscribe to our mailing list for your model so we can send you information when security fixes are issued, then don’t bother people for updates that add features, but just focus on keeping things simple and send patches warning for security issues while trying to minimize their likelihood by not adding useless features. And make patching simple for normal user and have it not reset the configuration of the router. Basic stuff!

        3 users thanked author for this post.
        • #196231 Reply

          anonymous

          Mailing list notifications of security updates work well in an uncorrupted world. Eventually some partner will decide this is a potential revenue stream and hand it over to marketing. Email containing advertising quickly gets ignored, even if it contained a useful notice. Even worse, the list is sold for quick cash. People recognize from name and address combinations who sold their contact information. Immediately losing confidence in the company they suspect sold them out. Both eventualities produce update failures on the user side, caused by business decisions on the vendor side.

          The restraint you request is rarely observed in the wild.

          2 users thanked author for this post.
          • #196382 Reply

            AlexEiffel
            AskWoody MVP

            You might be right. However, I will give Cisco as an example where the mailing list works well. You subscribe to whatever you want with the level of detail you want, severity, etc. It’s been working fine for years and it does only what it says it does.

            I can’t say I was happy about the job they did when they bought Linksys on the consumer side though and the sold back Linksys to Belkin after. Corporate world and consumer world are two different beasts.

            1 user thanked author for this post.
    • #196369 Reply

      Mr. Natural
      AskWoody Lounger

      A brand new post from Cisco Talos with more information and discoveries found with vpnfilter malware.

      https://blog.talosintelligence.com/2018/06/vpnfilter-update.html

      4 users thanked author for this post.
      • #196384 Reply

        AlexEiffel
        AskWoody MVP

        ‘These new discoveries have shown us that the threat from VPNFilter continues to grow. In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware’s capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support. If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware.’

        Looks like even if it fell quickly from the flavor of the day topic, it is far from over…

        I looked up firmware updates for one of the cheapest affected device and there was a few firmware updates available for security, latest one dating January 2018. Does any of these cover the vulnerability exploited by VPNFilter? We don’t know. Maybe the group behind VPNFilter have fun looking at firmware updates posted, find the different vulnerabilities for each brand and infect all of those who don’t update their firmware (most) through specific targeted attacks after…

        2 users thanked author for this post.
        • #196418 Reply

          Mr. Natural
          AskWoody Lounger

          I’m sure some home router makers are working on a patch. I have no knowledge of this but one problem may be getting the router updated without the malware bricking the router. This malware has the ability to brick a firewall if it detects removal.

          It’s starting to look like the majority of home routers that do not have state-full packet inspection (SPI) may be affected (are there any home routers that do?) .

          I guess while we’re on the subject I’ll mention another option out there to assist with corporate security called Pi-Hole. Yeah I know, I should shut my….  🙂

          Anyway if you’re not familiar this is a program that runs on Linux and can act as a middle man between DNS and router traffic or can be used exclusively for your DNS need. It has a continually updated list of known advertisers which often are the culprit of malware delivery on web sites and will block access to any of these sites on any device running traffic through it.

          https://pi-hole.net/

          2 users thanked author for this post.
    • #196389 Reply

      Microfix
      AskWoody MVP

      Thanks for the heads-up Mr.Natural

      Just updated my IPTables for stage 2 on our linux PC, need to look at the router next then the other PC’s sigh..

      This is potentially one of the most damaging things to hit everyone who uses the Internet via a router, if you can’t trust your router..

      Still no word on a check for infection at router stage?

      | 2x Group A W8.1 | Group A+ Linux Hybrid | Group A W7 | Group W XP Pro |
        No problem can be solved from the same level of consciousness that created IT - AE
      1 user thanked author for this post.
    • #196409 Reply

      Kirsty
      AskWoody MVP

      VPNFilter malware infecting 500,000 devices is worse than we thought
      Malware tied to Russia can attack connected computers and downgrade HTTPS

      By Dan Goodin | June 7th, 2018

       
      Two weeks ago, officials in the private and public sectors warned that hackers working for the Russian government infected more than 500,000 consumer-grade routers in 54 countries with malware that could be used for a range of nefarious purposes. Now, researchers from Cisco’s Talos security team say additional analysis shows that the malware is more powerful than originally thought and runs on a much broader base of models, many from previously unaffected manufacturers.

      The most notable new capabilities found in VPNFilter, as the malware is known, come in a newly discovered module that performs an active man-in-the-middle attack on incoming Web traffic. Attackers can use this ssler module to inject malicious payloads into traffic as it passes through an infected router. The payloads can be tailored to exploit specific devices connected to the infected network. Pronounced “essler,” the module can also be used to surreptitiously modify content delivered by websites.

       
      Read the full article, which contains an affected model list that includes dozens of new routers, here

      9 users thanked author for this post.
    • #196499 Reply

      Kirsty
      AskWoody MVP

      VPNFilter Can Also Infect ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE Devices
      By Catalin Cimpanu | June 6, 2018

       
      The VPNFilter malware that infected over 500,000 routers and NAS devices across 54 countries during the past few months is much worse than previously thought.

      According to new research technical details published today by the Cisco Talos security team, the malware —which was initially thought to be able to infect devices from Linksys, MikroTik, Netgear, TP-Link, and QNAP— can also infect routers made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

      The list of devices vulnerable to VPNFilter has seen a sharp jump from Cisco’s original report, going from 16 device models to 71 —and possibly more. The full list is embedded at the bottom of this article.

       
      Read the full article here

      6 users thanked author for this post.
    • #196517 Reply

      HiFlyer
      AskWoody Lounger

      Re:  Kirsty  #196499

      AVM (my Fritz!Box7360 router manufacturer) said they have had no reports of problems with VPNFilter.   I don’t know if they make versions that work outside the EU.

      Their Service/Support Department’s overnight reply to my email query:

      “The FRITZ!Box is safe. We have no indications that any AVM products are affected by the “VPNFilter” malware. We also have an entry regarding this issue on our website at https://en.avm.de/service/current-security-notifications/

      Note:  the link above has a long list of things they say have not affected their products.

      https://en.avm.de/

      https://en.avm.de/fritz-heres-why/

      I have no connections to AVM other than I own their router and  a cordless phone.  I am quite pleased with their support.

      HF

      2 users thanked author for this post.
    • #196529 Reply

      StruldBrug
      AskWoody Lounger

      FWIW Actiontec says their devices aren’t vulnerable. https://actiontecsupport.zendesk.com/hc/en-us/articles/360004237271-VPNFilter-Malware

      3 users thanked author for this post.
    • #197708 Reply

      Mr. Natural
      AskWoody Lounger

      New firmware update for Netgear Nighthawk R7000.

      https://kb.netgear.com/000059134/R7000-Firmware-Version-1-0-9-32

      1 user thanked author for this post.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Patch Lady – reboot your routers

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information:


    Comments are closed.