Is DD WRT Susceptible to vpnfilter Malware?

ahessler
With all the news about the vpnfilter malware I understand that the Netgear router is one of those that has been targeted. 

What I wanted to know was is DD-WRT on the Netgear platform in that category as well and if so, should the router be reset?

unimorpheus
Looking at the initial data, I don't think DD-WRT would offer any protection from this exploit. It appears to target the router at the Common Firmware Environment (CFE) level and leverage BusyBox to write the "stage-one" code to NVRAM. The CFE loads as part of the boot process before DD-WRT, so all of this happens before DD-WRT is even running. This is also what gives the exploit reboot persistence, something not mentioned in most articles. The reboot recommendation does not clear the malware from an infected router. The FBI request to reboot all consumer routers appears to be an effort to track the extent of the "phone home" capability present in the stage-one code. I would think removing the malware would require a serial TTL/telnet session to locate the crontab call to the exploit stored in NVRAM and manually remove said exploit. I have not been able to locate specifically the hardware vulnerability used to gain access to the router at this level, but I have some prime suspects that I will link below along with the sources I have found. Also, the article does not mention other smart devices like Netgear smart switches or range extenders, which are built on similar hardware/firmware. This could be a much bigger issue for all.

https://blog.talosintelligence.com/2018/05/VPNFilter.html

https://wiki.openwrt.org/toh/netgear/telnet.console

ahessler
Thank you for this information. I had seen on the Netgear site that they have firmware updates to address the VPNFilter exploit. I went out on a limb and upgraded my R7000 with their newest firmware and then went back to DD-WRT v3.0-r35030M kongac (02/19/18). I have absolutely no idea if this would solve the problem or not, but I thought that it might at least be worth a try.

likus
Good point; if indeed that should be a sufficient way to get rid of a potential risk on my R7000, I would also consider doing that.

According to unimorpheus' post, to be able to clean our router the Netgear firmware should write over that deeper level as well.

And after that, a flash of the DD-WRT Kong firmware and loading of the backup config should restore the situation, because DD-WRT loads on top of that infected level...

DocDragon
@ahessler makes a good point about flashing Netgear's new firmware before flashing back to DD-WRT/Tomato, but is there a script or any other way to test for the VPNFilter vulnerability to confirm the success (or failure) of Netgear's new firmware? BTW, I'm running Tomato v140 as well.

rarroyo
I have restarted my router and have disabled Cron, allowed remote access only from my private IP, changed the admin username and password, added 8.8.8.8 as the DNS server, and disabled Telnet. Even if infected with Stage 1, without Cron, Stage 2 should never take hold.
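As an added example that is not part of this thread or of any DD-WRT/Tomato project code: unimorpheus describes the persistence as a crontab call stored in NVRAM, and rarroyo's mitigation is to turn off cron and telnet. The script below audits an `nvram show` dump for both, so you can see what is configured to run at boot or on a schedule and which remote-access toggles are still on. The NVRAM variable names (cron_enable, cron_jobs, rc_startup, rc_firewall, rc_shutdown, telnetd_enable, remote_management) are assumptions taken from DD-WRT builds; verify them with `nvram show | grep -i cron` on your own build, and note that Tomato names them differently. The sample dump is constructed, not captured from a real router.

```shell
#!/bin/sh
# Added example, not from the thread or any DD-WRT/Tomato code.
# Audits an `nvram show` dump (key=value per line) for
#   (a) variables that run commands at boot or on a schedule, which is
#       where a reboot-surviving crontab entry would have to live, and
#   (b) the remote-access toggles rarroyo turned off.
# ASSUMPTION: the variable names below come from DD-WRT builds; confirm
# them on your own build. Multi-line values (rc_startup scripts) are only
# read up to their first line, so treat any hit as "go and look", not proof.

PERSIST_VARS="cron_enable cron_jobs rc_startup rc_firewall rc_shutdown"
EXPOSURE_VARS="telnetd_enable remote_management"

# nvram_value DUMP KEY -> prints the first line of KEY's value, or nothing
nvram_value() {
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# audit_persistence DUMP -> prints "key=value" for every persistence
# variable that is set and not "0". Empty output means nothing is scheduled.
audit_persistence() {
    for key in $PERSIST_VARS; do
        val=$(nvram_value "$1" "$key")
        if [ -n "$val" ] && [ "$val" != "0" ]; then
            printf '%s=%s\n' "$key" "$val"
        fi
    done
}

# audit_exposure DUMP -> prints "key=value" for every remote-access toggle
# that is enabled ("1"). After disabling telnet and WAN-side admin, this
# should print nothing.
audit_exposure() {
    for key in $EXPOSURE_VARS; do
        val=$(nvram_value "$1" "$key")
        if [ "$val" = "1" ]; then
            printf '%s=%s\n' "$key" "$val"
        fi
    done
}

# write_sample_dump -> writes a CONSTRUCTED dump (not from any real router)
# that mimics `nvram show` output to a temp file and prints its path.
write_sample_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
lan_ipaddr=192.168.1.1
wan_proto=dhcp
cron_enable=1
cron_jobs=*/10 * * * * root /tmp/job.sh
rc_startup=
rc_firewall=
telnetd_enable=1
remote_management=0
EOF
    printf '%s\n' "$f"
}

# run_audit DUMP -> prints both reports with headers
run_audit() {
    echo "== configured to run at boot / on a schedule =="
    audit_persistence "$1"
    echo "== remote access enabled =="
    audit_exposure "$1"
}

# On the router itself (SSH, telnet or the serial console) audit the live
# NVRAM; anywhere else, demonstrate against the constructed sample.
if command -v nvram >/dev/null 2>&1; then
    live=$(mktemp)
    nvram show > "$live" 2>/dev/null
    run_audit "$live"
    rm -f "$live"
else
    sample=$(write_sample_dump)
    run_audit "$sample"
    rm -f "$sample"
fi
```

Anything listed under the first header is a place to inspect by hand; a `cron_jobs` line pointing at a script you did not create is exactly the kind of entry unimorpheus suggests removing. Whether a given Netgear stock firmware actually rewrites the level he describes is not something this script can tell you; it only shows what DD-WRT will execute once it boots.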

joe 9804
I had the same question in my mind. So I visited netgear router support usa (https://netgears.support/netgear-router-support-usa/). They gave me a proper answer, so you should also visit them and they will give you a proper solution for your queries.

DocDragon
I found this article on Tom's Hardware Guide which allows you to test your router. I haven't done the test yet, but I guess it's a start:

https://www.tomsguide.com/us/vpnfilter-router-malware-check,news-27545.html