As we reported Wednesday, researchers discovered a massive botnet spreading malware to 500,000-plus routers, ostensibly conducted by Russian hackers in preparation for an attack on Ukraine. The malware in use, known as VPNFilter, is complex and destructive. Now, the FBI has seized control of the domain behind the operation. That’s the good news. The not-so-good news is that infections could still potentially happen.
Explaining how VPNFilter operates, The Daily Beast reports, “Once in place, the malware reports back to a command-and-control infrastructure that can install purpose-built plug-ins, according to the researchers. One plug-in lets the hackers eavesdrop on the victim’s Internet traffic to steal website credentials; another targets a protocol used in industrial control networks, such as those in the electric grid. A third lets the attacker cripple any or all of the infected devices at will.”
The domain seized by the FBI, known as ToKnowAll.com, played a role in pushing out the second stage of malware to routers infected during the first stage. In taking over the domain, the authorities effectively disrupted the command and control of the botnet. As a result, investigators can track the IP addresses of infected devices that attempt to connect to the server to download additional malware or malicious instructions, reports Dan Goodin of Ars Technica. “The seizure of ToKnowAll.com is a major coup because it closes a secondary channel and may also provide previously unavailable information the FBI can use to begin the process of helping ISPs and end users disinfect the devices.”
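An added example (not from the article or any of the outlets it quotes): the same sinkhole-style triage described above, done by a network operator over its own DNS resolver logs to flag clients that look up the seized domain. The log line format and the client addresses are constructed for illustration; only the domain name comes from the article.

```python
import re
from datetime import datetime

# Domain seized by the FBI, as named in the article (matched case-insensitively,
# including any subdomain).
SEIZED_DOMAIN = "toknowall.com"

# Constructed resolver log lines for illustration (not real data).
SAMPLE_DNS_LOG = """\
2018-05-23T14:02:11Z client=203.0.113.10 qname=ToKnowAll.com. qtype=A
2018-05-23T14:02:12Z client=203.0.113.10 qname=example.org. qtype=A
2018-05-23T14:05:40Z client=198.51.100.7 qname=update.toknowall.com. qtype=A
2018-05-23T14:07:03Z client=203.0.113.10 qname=TOKNOWALL.COM. qtype=AAAA
2018-05-23T14:09:55Z client=192.0.2.44 qname=nottoknowall.com. qtype=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)

def is_seized_domain(qname: str, domain: str = SEIZED_DOMAIN) -> bool:
    """True if qname is the domain or one of its subdomains (trailing dot and case ignored)."""
    name = qname.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)

def find_infected_clients(log_text: str, domain: str = SEIZED_DOMAIN) -> dict:
    """Return {client_ip: {"count", "first", "last", "names"}} for clients that resolved
    the seized domain. Malformed lines are skipped rather than aborting the scan."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if not is_seized_domain(m["qname"], domain):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec = hits.setdefault(m["client"], {"count": 0, "first": ts, "last": ts, "names": []})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        name = m["qname"].rstrip(".").lower()
        if name not in rec["names"]:
            rec["names"].append(name)
    return hits

if __name__ == "__main__":
    for ip, rec in find_infected_clients(SAMPLE_DNS_LOG).items():
        print(f"{ip}: {rec['count']} lookups, {rec['first']} .. {rec['last']}, {rec['names']}")
```

The suffix match deliberately excludes look-alike names such as `nottoknowall.com`, so a client is flagged only for the seized domain itself or a subdomain of it.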
However, some point out that even with this triumph, there could be lingering issues. “Assuming the attackers captured the IP addresses of devices infected with stage 1, the attackers may still be able to use the listener to regain control of the devices,” notes Goodin.
And, as SC Magazine reports, while users can knock the malware offline by rebooting their devices, a reboot alone is not a cure. To ensure complete recovery, they would need to perform factory resets of the devices and install the latest firmware, which many users might neglect to do.