
What is VPNFilter malware and how can users protect themselves?

A new threat named VPNFilter was discovered by cybersecurity researchers after home and office routers were compromised. Learn how this malware works with Judith Myerson.

Cybersecurity researchers discovered that foreign threat actors have used malware to compromise hundreds of thousands of home and office routers, as well as other networked devices, worldwide. How does this malware -- dubbed VPNFilter malware -- work and how can users protect themselves?

Earlier this year, researchers in Cisco Systems Inc.'s Talos security group discovered a new and sophisticated modular malware platform possibly linked to the BlackEnergy malware that first surfaced in 2015, and which was behind the targeted attacks in Ukraine. The VPNFilter malware, which Talos estimates has infected as many as half a million devices, uses its modular functionality to collect intelligence, exploit network-attached storage devices and block arbitrary network traffic.

The first module of the VPNFilter malware is a persistent malware loader that remains on infected systems even after a reboot, enabling the attacker to reinfect systems and redeploy malicious code on them. Talos researchers reported that stage one gives the attacker an entry point to deploy further malware.

The second stage of the malware does not persist after a reboot, but it is capable of performing typical malware functions such as file collection, data exfiltration, command execution and device management.

The malware's third stage can consist of one or more plug-ins from the second stage malware that provide further malware functions. Talos found three different stage three plug-ins: one, a packet sniffer, enables the attacker to collect network traffic. The second provides the ability to communicate on the Tor network anonymously to avoid detection by defenders.

An attacker can use VPNFilter malware to launch a man-in-the-middle attack against endpoints. The malware also includes a kill command capability to disable an infected device and cover its own tracks by deleting all the evidence of the malware before the device is rendered unusable.

"Ssler" is the name Talos gave to a third stage three module the researchers discovered. Ssler enables the attacker to add malicious JavaScript into web traffic routed by the infected device. All traffic passing through the HTTP server -- port 80 -- can be intercepted and redirected to the module's local service, which listens to the network traffic directed to port 8888.

The ssler module also converts HTTPS responses to HTTP responses to bypass SSL encryption, and it drops some request and response headers, as the module modifies header request data and sends it to the HTTP server over port 80. When the module receives a header response, it strips the response field headers, such as content-security-policy and public-key-pins-report-only, to avoid detection.
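A defender-side check for the header stripping and HTTPS-to-HTTP conversion described above, as an added example that is not from Talos or the original article: it compares a response fetched over a trusted path with the same response fetched through the device under test. The function names and both sample responses are constructed for illustration.

```python
import re

# Headers the article says ssler strips; header names are case-insensitive.
WATCHED_HEADERS = ("content-security-policy", "public-key-pins-report-only")
HTTPS_URL = re.compile(r"https://([^\s\"'<>]+)", re.IGNORECASE)

def parse_response(raw):
    """Split a raw HTTP response into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body

def tampering_findings(baseline_raw, observed_raw):
    """Compare a response fetched over a trusted path with the same response
    fetched through the device under test, and list signs of tampering."""
    base_headers, base_body = parse_response(baseline_raw)
    obs_headers, obs_body = parse_response(observed_raw)
    findings = []
    for name in WATCHED_HEADERS:
        if name in base_headers and name not in obs_headers:
            findings.append("header stripped: " + name)
    for rest in sorted(set(HTTPS_URL.findall(base_body))):
        if "https://" + rest not in obs_body and "http://" + rest in obs_body:
            findings.append("link downgraded: " + rest)
    return findings

# Constructed sample responses (not captured traffic).
BASELINE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Public-Key-Pins-Report-Only: max-age=60; report-uri=\"/hpkp\"\r\n"
    "\r\n"
    "<a href=\"https://login.example.test/signin\">Sign in</a>"
)
OBSERVED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<a href=\"http://login.example.test/signin\">Sign in</a>"
)

if __name__ == "__main__":
    for finding in tampering_findings(BASELINE, OBSERVED):
        print(finding)
```

Other devices in the path can also alter headers, so a finding here is a reason to inspect the router rather than proof of infection.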

Defending against the VPNFilter malware is difficult, but Talos released some tools to help, including Snort signatures to identify malicious traffic with Snort intrusion detection, blacklisting domains and IP addresses linked to the malware, and reaching out to the affected device vendors.

The U.S. CERT alert for the VPNFilter malware threat suggests small office/home office router users reboot their devices to temporarily disrupt the VPNFilter malware after removing the second and third stage modules of the malware and blocking domains and IP addresses linked to it. This method can help block the second and third stages of the malware from being downloaded again after a reboot.

Other recommendations include upgrading firmware and, if available, turning on automatic firmware upgrades and blocking device management applications, including Telnet, SSH, Winbox and HTTP. When necessary, users should secure their devices with strong passwords and encryption.

Talos reported that the vendors affected by the VPNFilter malware include Linksys, MikroTik, Netgear, TP-Link, Qnap, Asus, D-Link, Huawei, Ubiquiti, Upvel and ZTE. Cisco devices were not affected.
