VPNFilter is a virulent, sophisticated, multistage worm that has successfully infected 500,000 home routers, leaving them vulnerable to both surveillance (the malware snoops network traffic for passwords) and region-wide internet shutdowns (VPNFilter can brick the routers it infects, and an attacker could shut down most or all of the home/small business internet access in a region by triggering this).
Now the FBI has claimed that it has seized a domain used by the worm to recover from reboots that wipe out key parts of its attack code (the worm writes a small part of itself to a persistent location in infected devices’ storage, and when the device is rebooted, that small core contacts remote services to reboot the rest of its arsenal).
The domain is “ToKnowAll.com” and it worked in concert with a set of doctored images stored on Photobucket. After a reboot, the worm would first check the Photobucket images and read command-and-control information from the images’ metadata, and then it would use downloads from ToKnowAll.com to rebuild the code that was lost during the reboot.
The FBI says it has removed all the implicated image files from Photobucket and has seized and shut down ToKnowAll.com, seriously compromising the worm.
With these reboot-recovery systems shut down, the worm can be killed by a simple reboot of your routers, which you should do right now.
The FBI is using inbound contact attempts at ToKnowAll.com to conduct a census of known infected devices that it will use as part of a cleanup operation.
The FBI’s countermeasures are detailed in a court filing; the same document attributes VPNFilter to “Fancy Bear,” a hacker group thought to be an arm of the Russian government, who were previously implicated in the attack on the DNC’s email during the 2016 election campaign.
According to Ars Technica’s Dan Goodin, the FBI has overstated their victory; Goodin cites Cisco’s report on VPNFilter and says, “the sinkholding doesn’t automatically stop VPNFilter in its tracks. Assuming the attackers captured the IP addresses of devices infected with stage 1, the attackers may still be able to use the listener to regain control of the devices.”
The FBI has been investigating the botnet since at least August, according to court records, when agents in Pittsburgh interviewed a local resident whose home router had been infected with the Russian malware. “She voluntarily relinquished her router to the agents,” wrote FBI agent Michael McKeown, in an affidavit filed in federal court. “In addition, the victim allowed the FBI to utilize a network tap on her home network that allowed the FBI to observe the network traffic leaving the home router.”That allowed the bureau to identify a key weakness in the malware. If a victim reboots an infected router, the malicious plugins all disappear, and only the core malware code survives. That code is programmed to connect over the Internet to a command-and-control infrastructure set up by the hackers. First it checks for particular images hosted on Photobucket.com that held hidden information in the metadata. If it can’t find those images—which have indeed been removed from Photobucket—it turns to an emergency backup control point at the hard-coded web address ToKnowAll[.]com.
On Tuesday, FBI agents in Pittsburg asked federal Magistrate Judge Lisa Pupo Lenihan in Pittsburgh for an order directing the domain registration firm Verisign to hand the ToKnowAll[.]com address over to the FBI, in order to “further the investigation, disrupt the ongoing criminal activity involving the establishment and use of the botnet, and assist in the remediation efforts,” according to court records. Lenihan agreed, and on Wednesday the bureau took control of the domain.
Exclusive: FBI Seizes Control of Russian Botnet [Kevin Poulsen/The Daily Beast]