Jeff Liebermann
National Reboot your Router Day

On Wed, 30 May 2018 10:19:09 +1000, Clifford Heath wrote:

> Also: "Cisco said part of the code used by VPNFilter can still persist
> until the affected device is reset to its factory-default settings."
>
> So a reset actually might be required.

You're right. Here's the source of the Cisco recommendation:
See "Stage 1 (Persistent Loader)" section:
VPNFilter's stage 1 malware infects devices running firmware
based on Busybox and Linux, and is compiled for several CPU
architectures. The main purpose of these first-stage binaries
is to locate a server providing a more fully featured second
stage, and to download and maintain persistence for this next
stage on infected devices. It is capable of modifying
non-volatile configuration memory (NVRAM) values and adds
itself to crontab, the Linux job scheduler, to achieve

So, it looks like I might be doing some reset to defaults and firmware
updates on affected routers. The crontab file is probably in the
firmware. Argh.

Incidentally, of the two customers who reset their routers to
defaults, I was able to recover by walking them through the initial
setup to get their device on the internet, and then restoring their
saved settings, which I save for every router I configure. I didn't
charge either customer if they promised to never do that again.
However, if they're on the affected router list, I'll need to visit
them and update the firmware.

Jeff Liebermann
150 Felker St #D
Santa Cruz CA 95060
Skype: JeffLiebermann AE6KS 831-336-2558
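
The Cisco text quoted in the post says stage 1 adds itself to crontab. As an added example (not from the post or from Cisco), this POSIX shell check lists cron entries present on a Linux/BusyBox device but absent from a known-good copy. It assumes you have shell access and such a copy; the file names and sample entries are constructed.

```shell
#!/bin/sh
# Added example: report cron entries that are on a device now but were not in
# a saved known-good copy. Sample crontabs below are constructed, not real IoCs.

# Drop comments and blank lines, collapse whitespace, sort for comparison.
normalize_crontab() {
    awk '/^[ \t]*(#|$)/ { next } { $1 = $1; print }' "$1" | sort -u
}

# Usage: new_cron_entries BASELINE CURRENT
# Prints entries only in CURRENT. Returns 0 if none, 1 if any, 2 on error.
new_cron_entries() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    base=$(mktemp) || return 2
    normalize_crontab "$1" > "$base"
    # grep exits 1 when nothing is left over; that is the clean case here.
    found=$(normalize_crontab "$2" | grep -Fxv -f "$base" || true)
    rm -f "$base"
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed demo: the "current" file has one job the baseline lacks.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '# nightly tasks' '0 3 * * *   /usr/sbin/ntp-sync' \
        '30 4 * * 0 /usr/sbin/log-rotate' > "$dir/baseline"
    printf '%s\n' '0 3 * * * /usr/sbin/ntp-sync' \
        '30 4 * * 0 /usr/sbin/log-rotate' \
        '*/5 * * * * /tmp/unknown-binary' > "$dir/current"
    new_cron_entries "$dir/baseline" "$dir/current"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "entries above are not in the baseline; review them" >&2
```

An entry missing from the baseline is only a lead to investigate, and a clean result does not cover persistence stored elsewhere, such as the NVRAM values the quoted text mentions.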