Dr Symantec offers quick and painless check for VPNFilter menace on routers

Clean-up efforts to respond to the VPNFilter malware have accelerated with the release of a free check-up tool.

Even though the utility from Symantec only looks to see if traffic has been manipulated, rather than confirming an infection, third-party experts have nonetheless welcomed its release.

VPNFilter, discovered by security researchers at Cisco Talos back in May, is estimated to have hijacked half a million IoT devices such as routers and network-attached storage (NAS) devices. The malware is capable of infecting enterprise and home routers, accessing encrypted web traffic and establishing a backdoor on compromised devices. The full list of impacted routers is available via Symantec.

VPNFilter installs a plugin which monitors and modifies web traffic sent through the infected router, allowing cybercriminals to inject malicious content, render routers inoperable or steal passwords and other sensitive user information. The botnet also presents a clear and present danger to internet hygiene more generally since it might easily be turned into a powerful DDoS tool.

Mirai – another IoT botnet – was infamously abused to take out DNS service Dyn in an attack that left many high-profile websites unreachable back in October 2016.

Symantec has developed VPNFilter Check, a free online tool to help individuals and organisations quickly determine if their router might have been compromised by the VPNFilter malware.

More precisely, VPNFilter Check ascertains if traffic into either a home or corporate network is being altered by an infected router.

“This malware is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot,” said Stephen Trilling, senior vice president and general manager, security analytics and research, Symantec. “Symantec’s online VPNFilter Check tool provides individuals and organizations with an easy way to determine if their routers have been compromised by this threat, and suggests steps they can take if infected.”

Antivirus industry veteran Vesselin Bontchev told El Reg that the tool detects if VPNFilter is messing with a connection without providing confirmation whether or not an IoT device is infected.

“It won’t detect VPNFilter in the router in general, it will only detect if something is messing with the HTTPS connection,” Bontchev explained.

“One component of VPNFilter (which is not always present) can do that. If it is there and if it is active, the degrading of HTTPS to HTTP that it performs will be detected.” ®
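The kind of check Bontchev describes can be illustrated as follows. This is an added example, not Symantec's code and not part of the original article. It assumes the degrading shows up as `https://` links rewritten to `http://` in a page the server knows it sent unmodified; the function names and sample pages are constructed for illustration.

```python
import re

# Absolute http/https URLs found in href, src or action attributes.
URL_ATTR = re.compile(r'''(?:href|src|action)\s*=\s*["'](https?)://([^"'\s>]+)''', re.I)

def extract_urls(html):
    """Map each URL (scheme stripped) to the set of schemes it appears with."""
    found = {}
    for scheme, rest in URL_ATTR.findall(html):
        found.setdefault(rest, set()).add(scheme.lower())
    return found

def find_downgrades(sent_html, received_html):
    """Return URLs the server sent only as https:// that arrived only as http://."""
    sent = extract_urls(sent_html)
    received = extract_urls(received_html)
    return sorted(
        rest for rest, schemes in sent.items()
        if schemes == {"https"} and received.get(rest) == {"http"}
    )

def verdict(sent_html, received_html):
    hits = find_downgrades(sent_html, received_html)
    if hits:
        return "tampering-detected", hits
    # No rewriting seen on this connection. As the article notes, this does
    # not confirm the device is clean: the component may be absent or inactive.
    return "no-tampering-seen", hits

# Constructed sample data: the page as served, and two versions as received.
SENT = '''
<a href="https://bank.example/login">Log in</a>
<script src="https://cdn.example/app.js"></script>
<a href="http://news.example/">News</a>
'''
RECEIVED_CLEAN = SENT
RECEIVED_REWRITTEN = SENT.replace("https://", "http://")

if __name__ == "__main__":
    print(verdict(SENT, RECEIVED_CLEAN))
    print(verdict(SENT, RECEIVED_REWRITTEN))
```

The link that was already plain HTTP when sent is not reported, so only schemes that changed in transit count as evidence of tampering.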
