Over 500k routers and gateways are estimated to be infected with malware dubbed VPNFilter, first reported in https://blog.talosintelligence.com/2018/05/VPNFilter.html .
It has 3 stages. In stage 1 it adds itself to crontab to remain after a reboot. In stage 2 it adds a plugin architecture. In stage 3 it adds modules which instruct it to do specific things. A factory reset and router restart in protected network was recommended to remove it. Disabling remote administration and changing passwords is recommended to prevent reinfection.
The 3rd stage module modifies IPtables rules, enabling mitm attacks and javascript injection.
“The first action taken by the ssler module is to configure the device’s iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. It starts by using the insmod command to insert three iptables modules into the kernel (ip_tables.ko, iptable_filter.ko, iptable_nat.ko) and then executes the following shell commands:
- iptables -I INPUT -p tcp –dport 8888 -j ACCEPT
- iptables -t nat -I PREROUTING -p tcp –dport 80 -j REDIRECT –to-port 8888
- Example: ./ssler logs src:192.168.201.0/24 dst:10.0.0.0/16
-A PREROUTING -s 192.168.201.0/24 -d 10.0.0.0/16 -p tcp -m tcp –dport 80 -j REDIRECT –to-ports 8888
To ensure that these rules do not get removed, ssler deletes them and then adds them back approximately every four minutes.“
More behaviors of the malware are described at https://news.sophos.com/en-us/2018/05/27/vpnfilter-botnet-a-sophoslabs-analysis-part-2/ including photobucket request, fake CA certs claiming Microsoft issued them and ipify lookups.
YARA rules for detection –
https://github.com/Neo23x0/signature-base/blob/master/yara/apt_vpnfilter.yar
https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_ua_apt.yml#L33
YARA (yet another recursive acronym) is a format to specify rules match malware based on string patterns, regular expressions and their frequency of occurrence. A guide to writing effective ones is here.
User-Agent rule –
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| alert http any any -> any any (msg:"VPNFilter malware User-Agent"; content:"Mozilla/6.1 (compatible|3B| MSIE 9.0|3B| Windows NT 5.3|3B| Trident/5.0)"; http_user_agent; sid:2; rev:1;) |
Ipify self-ip address querying service, with json output. http://api.ipify.org/
Secure Machinery 