Eth_Rem
Premium Member
join:2009-06-17
Littleton, CO
ARRIS TG3482
Asus RT-AC68

Eth_Rem to Pete7874
Re: VPNfilter Malware

Should be the same process: SSH or Telnet in and check /var/run for any traces of vpnfilter files. Those files are the only info we really have to trace it right now.

I believe I read something about it being added to crontab too but I am not versed in exactly how to find that.

Pete7874
Member
join:2005-07-14
Grand Rapids, MI

Thanks. This is the list of files in my /var/run directory:

crond.pid
dnsmasq.pid
dropbear.pid
fastnat
httpd.pid
klogd.pid
miniupnpd.pid
samba
syslogd.pid
udhcpc-wan.pid

So, what does this mean?

Eth_Rem
Premium Member

Unless the malware already has a variant masquerading as something else, it looks like you’re clean.
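
To make the check described in the first reply repeatable, here is an added example (our script, not something posted in the thread or shipped by ASUS). It treats the /var/run listing posted above as the clean baseline, flags any entry whose name contains "vpnfilter" or that is not in that baseline, and scans a busybox-style crontab file for jobs that run from /var/run or /tmp. Assumptions: the baseline is this one router's and will differ on other firmware; the path /var/spool/cron/crontabs/root is where busybox crond usually keeps root's crontab on these routers; the "runs from /var/run or /tmp" rule is a heuristic of ours, not a published indicator.

```shell
#!/bin/sh
# Added example, not code from the thread: triage a router's /var/run listing and
# its crontab for the VPNFilter traces the posts above describe. Plain POSIX sh so
# it also runs under the busybox shell you get after an SSH (dropbear) or Telnet login.

# Entries the thread treats as normal on this ASUSWRT router, taken from the
# listing posted above. ASSUMPTION: your firmware's normal set may differ; rebuild
# this list from a known-clean unit or a fresh flash of the same firmware version.
BASELINE="crond.pid dnsmasq.pid dropbear.pid fastnat httpd.pid miniupnpd.pid klogd.pid samba syslogd.pid udhcpc-wan.pid"

in_baseline() {            # in_baseline NAME -> 0 if NAME is an expected entry
    for b in $BASELINE; do
        [ "$b" = "$1" ] && return 0
    done
    return 1
}

# triage_run_dir DIR: flags any entry whose name contains "vpnfilter" (the trace
# the thread says to look for) and anything not in the baseline. Returns 1 on a hit.
triage_run_dir() {
    hits=0
    for path in "$1"/* "$1"/.*; do
        [ -e "$path" ] || continue          # unmatched glob stays literal; skip it
        name=${path##*/}
        case "$name" in .|..) continue ;; esac
        case "$name" in
            *vpnfilter*) echo "SUSPECT: $path (name contains 'vpnfilter')"; hits=1 ;;
            *) in_baseline "$name" || { echo "REVIEW: $path (not in baseline)"; hits=1; } ;;
        esac
    done
    return $hits
}

# triage_crontab FILE: a busybox crontab is a plain text file (root's usually lives
# under /var/spool/cron/crontabs). Flags lines that mention vpnfilter or run anything
# from /var/run or /tmp, the writable tmpfs locations the posts discuss. The
# location rule is a heuristic of ours (assumption). Returns 1 on a hit.
triage_crontab() {
    hits=0
    [ -r "$1" ] || { echo "no crontab at $1"; return 0; }
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            *vpnfilter*|*/var/run/*|*/tmp/*) echo "SUSPECT cron: $line"; hits=1 ;;
        esac
    done < "$1"
    return $hits
}

# Demo on constructed input (no router needed): the posted listing plus two
# planted entries and one planted cron line.
demo() {
    d=$(mktemp -d) || return 1
    for f in $BASELINE; do : > "$d/$f"; done
    : > "$d/vpnfilterw"              # constructed suspect entry
    : > "$d/unknown.pid"             # constructed stray entry
    printf '%s\n' '# m h dom mon dow cmd' '0 3 * * * /var/run/vpnfilterw' > "$d/crontab"
    triage_run_dir "$d" || echo "--> /var/run needs attention"
    triage_crontab "$d/crontab" || echo "--> crontab needs attention"
    rm -rf "$d"
}

# Usage on the router: sh vpnfilter-triage.sh /var/run /var/spool/cron/crontabs/root
if [ $# -ge 1 ]; then
    triage_run_dir "$1" || true
    if [ $# -ge 2 ]; then
        triage_crontab "$2" || true
    fi
else
    demo
fi
```

With no arguments it runs the self-contained demo on constructed input; on the router, pass the real directory and crontab path. It only catches what its name patterns and baseline catch, which is the same limitation the reply above notes: a variant masquerading as something else would show up only as a "not in baseline" line, if at all.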

Pete7874
Member

said by Eth_Rem:

Unless the malware already has a variant masquerading as something else, it looks like you’re clean.

Thanks.

Yeah, the article below says that vpnfilter can delete its files from the /var/run directory when it no longer needs them in order to hide its presence, but I presume by that time it would have also deleted a bunch of other stuff that would render your router inoperable?

»blog.talosintelligence.c ··· ate.html

Eth_Rem
Premium Member

Yeah if it deletes itself from /var/run, it trashes the rest of the firmware too.

It’s pretty scary to think that this malware manages to obtain root access and the primary infection vector hasn’t been found - or if it has, it hasn’t been publicly disclosed. I mean, ASUSWRT being vulnerable is a pretty serious feat...

Shady Bimmer
Premium Member
join:2001-12-03

said by Eth_Rem:

It’s pretty scary to think that this malware manages to obtain root access and the primary infection vector hasn’t been found - or if it has, it hasn’t been publicly disclosed. I mean, ASUSWRT being vulnerable is a pretty serious feat...

There does not appear to be any single 'primary vector'.

Some use of default user/password has been confirmed, but otherwise the actual methods of infection have not been definitively confirmed.

For the most part, devices that have been infected have either had the default username and password (apparently a large number, in fact) or have had outdated firmware with well-known vulnerabilities. In other words, devices that have not had their firmware updated to the latest, leaving them exposed to vulnerabilities that are now well-known and that have functional exploits. This detail has been disclosed, even with the first announcement.

Most of the devices found infected so far don't really use a segregated privilege model; any access is privileged. In other cases there are exploits that may bypass privilege separation.

If your device is still supported by the vendor, has its firmware up to date with the latest available, and you have changed the default username/password, you are likely safe. The last reports I had seen indicated that devices that followed these best practices did not appear to be among those infected.