New York Times Story: F.B.I.’s Urgent Request: Reboot Your Router to Stop Russia-Linked Malware

gw773606

Any comments and feedback on this article?

https://www.nytimes.com/2018/05/27/technology/router-fbi-reboot-malware....

unimorpheus

.....Reply posted to other thread regarding this exploit.

Looking at the initial data I don't think DD-WRT would offer any protection from this exploit. It appears to target the router at the Common Firmware Environment (CFE) level and leverage Busybox to write the "stage-one" code to NVRAM. The CFE loads as part of the DD-WRT boot process, so all of this happens before DD-WRT is even running. This is also what gives the exploit reboot persistence, something not mentioned in most articles. The reboot recommendation does not clear the malware from an infected router. The FBI request to reboot all consumer routers appears to be an effort to track the extent of the "phone home" capability present in the stage-one code. I would think removing the malware would require a serial TTL telnet session to locate the CRONTAB call to the exploit stored in NVRAM and manually remove said exploit. I have not been able to locate specifically the hardware vulnerability used to gain access to the router at this level, but I have some prime suspects that I will link below along with the sources I have found. Also, the article does not mention other smart devices like Netgear smart switches or range extenders, which are built on similar hardware/firmware. This could be a much bigger issue for all.

https://blog.talosintelligence.com/2018/05/VPNFilter.html

https://wiki.openwrt.org/toh/netgear/telnet.console
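The reply above suggests hunting for a cron entry stored in NVRAM. As an added example (not from either poster, and not a VPNFilter signature), here is a small POSIX sh audit that scans a saved `nvram show` dump for scheduled-job and startup-script variables and for values that point at scripts in writable temp directories; the variable names `cron_jobs`, `rc_startup`, `rc_firewall` and `rc_custom` are assumed DD-WRT names, and the sample dump is constructed.

```shell
#!/bin/sh
# Constructed sample of `nvram show` output from a DD-WRT-style router.
# The cron_jobs line pointing at /tmp is a made-up indicator for the demo.
SAMPLE_NVRAM='lan_ipaddr=192.168.1.1
wan_proto=dhcp
cron_enable=1
cron_jobs=*/5 * * * * root /tmp/.x/run.sh
rc_startup=
http_username=admin'

# Print each NVRAM variable that either is a known persistence hook
# (cron job or rc_* startup script, assumed DD-WRT names) with a
# non-empty value, or whose value references a temp-directory script
# or a download tool. Output lines are tagged PERSIST or SUSPECT.
audit_nvram_persistence() {
    printf '%s\n' "$1" | awk -F= '
        /^(cron_jobs|rc_startup|rc_firewall|rc_custom)=/ && $2 != "" {
            print "PERSIST " $0; next
        }
        $2 ~ /\/tmp\/|\/var\/tmp\/|wget |curl / { print "SUSPECT " $0 }
    '
}

# Number of flagged entries, so a caller can decide whether to dig
# further over the serial console.
count_findings() {
    audit_nvram_persistence "$1" | wc -l | tr -d ' '
}

# Run the audit against the constructed dump; on a real box you would
# feed it the output of `nvram show` captured over the serial session.
audit_nvram_persistence "$SAMPLE_NVRAM"
```

Empty `rc_*` variables are deliberately not reported, so a clean default configuration produces no output.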