Cyber security researchers at Cisco Talos this week published a report documenting how a new IoT botnet dubbed VPNFilter had infected more than 500,000 devices globally, with most of the compromised devices being consumer internet routers from a range of different vendors. According to the report, some consumer network attached storage (or NAS) devices are known to have been hit as well.
As a member of the Cyber Threat Alliance (CTA), Sophos responded to the malware threat by issuing a warning to its clients and the general public in a post published on its corporate blog, Naked Security.
(TOP: VPNFilter graphic from Talos blog).
The post, titled “VPNFilter – is a malware timebomb lurking on your router?”, by Paul Ducklin, a senior technologist at Sophos, recommends that users conduct a router ‘health check’, even in instances where one believes that the device is already up-to-date and not infected.
In the post, Ducklin makes every effort to simplify technical terms, from IoT to botnet and everything in between, as they relate to the latest malware threat, VPNFilter.
He explains IoT thus: “IoT is short for internet of things, and refers to all those internet-connected devices in our lives that are small enough, and cheap enough, and everyday enough, that we forget they’re really just tiny computers in much the same way that our laptops and mobile phones are computers.”
“As a result, IoT devices often end up attracting little or no attention to cybersecurity while they’re being designed, when they’re shipped, or after they’re installed. And a botnet refers to a robot network, also known as a zombie network. That’s where crooks implant malware on thousands, or even hundreds of thousands, of computers at the same time, in such a way that they can secretly send programmatic commands to each of them – one by one, or all at the same time.”
Then he turns to bots and how they work:
“Typically, each bot in the botnet regularly calls home, using some sort of network request, to one or more servers operated by the crooks… On calling home, each zombie computer fetches instructions on what to do next, instructions that often include commands such as ‘here is a new software module to install and add to your menagerie of dirty tricks.’”
Ducklin adds that zombie networks are not only able to mount large-scale simultaneous attacks all across the globe, but can also adapt and update themselves to include malware capabilities that the crooks feel like adding later on.
“In some cases – and this newly-announced VPNFilter malware is one – zombies include a special command to implement what you might call a ‘run, the cops are coming!’ policy, where the malware deliberately kills itself and sometimes the device on which it’s running. Not only does VPNFilter include a kill command, but, according to Cisco, the kill command purposely overwrites the flash memory of the device,” he notes.
By way of further caution, the post notes that home routers sometimes can’t be used at all after the flash memory is wiped, because the software needed to recover the device is itself stored in that flash memory.
Devices in this state are said to be ‘bricked’, meaning that they are now about as useful as a brick, good for little more than propping a door open.
However, when the SophosLabs team examined the VPNFilter malware, it found that the kill command instantly shut down the bot but didn’t try to wipe the device: the flash-wiping code was present in the compiled malware code but was never used.