National Reboot your Router Day


Jeff Liebermann
May 29, 2018, 12:03:08 PM

Thanks to media attention, the FBI has provided me with a busy day or
two. According to the press release, we're expected to reboot every
router to flush out the malware the evil Russians have installed:
<https://www.google.com/search?q=FBI+reboot+your+router>
The list of affected routers is rather small:
<https://krebsonsecurity.com/2018/05/fbi-kindly-reboot-your-router-now-please/>
Easy enough. What could possibly go wrong?

Well, some experts, news agencies, and pundits have mixed up "reboot"
with "reset" your router[1]. Instructions are provided for inserting
paper clips and sharp instruments into any available hole in the back
of the router. Few seem to offer assistance in identifying which box
is the router. Doing a reboot will preserve the router settings.
Doing a reset will wipe them clean and precipitate a support call (to
me). So far, I only have 2 router reconfigurations on my schedule for
today, but I'm sure there will be more.

Therefore, I would like to thank everyone involved for generating the
work, and special thanks to Comcast and AT&T for disabling customer
firmware updates and save settings in their gateways and routers.

Update: I just received a phone call asking which box is the router.
This is going to be an interesting day.


[1] The probable culprit is the various Comcast VoIP gateways that
have an optional built in backup battery. In order to reboot these,
it is necessary to unplug the power from the gateway, remove the
battery for about 15 seconds, plug the battery back in, plug the power
back in, and watch the lights come sloooooowly back on.

--
Jeff Liebermann je...@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Jerry Peters
May 29, 2018, 4:08:40 PM

Watched the local news last night; anyone following their instructions
will *reset* his router to the defaults.

See the "Gell-Mann Amnesia Effect" for further details.

Cursitor Doom
May 29, 2018, 5:39:58 PM

On Tue, 29 May 2018 20:08:37 +0000, Jerry Peters wrote:


> Jeff Liebermann <je...@cruzio.com> wrote:
>> Thanks to media attention, the FBI has provided me with a busy day or
>> two. According to the press release, we're expected to reboot every
>> router to flush out the malware the evil Russians have installed:

I'm not bothered if the Russians hack my route (as if!) - there's far
worse than them out there.


--
This message may be freely reproduced without limit or charge only via
the Usenet protocol. Reproduction in whole or part through other
protocols, whether for profit or not, is conditional upon a charge of
GBP10.00 per reproduction. Publication in this manner via non-Usenet
protocols constitutes acceptance of this condition.

Fred Smith
May 29, 2018, 6:24:34 PM

On 2018-05-29, Cursitor Doom <cu...@notformail.com> wrote:
> On Tue, 29 May 2018 20:08:37 +0000, Jerry Peters wrote:
>
>
>> Jeff Liebermann <je...@cruzio.com> wrote:
>>> Thanks to media attention, the FBI has provided me with a busy day or
>>> two. According to the press release, we're expected to reboot every
>>> router to flush out the malware the evil Russians have installed:
>
> I'm not bothered if the Russians hack my route (as if!) - there's far
> worse than them out there.
>
>

All the weekly attempts to log into my server traceroute back to
China, not Russia. I suppose it could be those fiendishly clever
Russians spoofing, of course.

Jeff Liebermann
May 29, 2018, 6:53:35 PM

Yep. That's because the average reporter or announcer doesn't know
the difference between reboot, reset, restart, power cycle, cold boot,
hot boot, etc. Little surprise because the older computahs had a
button labeled "reset" that did a "reboot". However, when the button
moved to modems and routers, it did both a reset (wipe all settings),
and a reboot (restart the OS). I partly solved the problem by
covering the hole with a round label inscribed with "$35" which is
what it will cost them to have me drive over to their office and put
Humpty Dumpty back together again.

Of course, nothing happens without a suitable conspiracy theory. In
this case, I must ask why the FBI insisted that everyone reset their
routers when only a few models are susceptible. Also, ISPs like
AT&T can easily reboot their customers' routers using SNMP. My
initial guess was that the FBI thought it better to be sure than sorry
when dealing with credential sniffing malware. However, the FBI has
never been known for such lofty sentiments. My guess(tm) is that this
may well be the first technical action in recent memory that the FBI
has performed mostly correctly. They may need the good publicity it
brings to compensate for the general impression of gross incompetence
demonstrated by the Apple iPhone unlocking fiasco.

Unfortunately, my prediction of personal economic enrichment may have
been premature. National Reboot Your Router Day has produced only two
paying service calls and a few unprofitable phone calls and emails.
Very disappointing. Still, I predict additional press releases in the
future by the FBI to remind us that we're being successfully protected
from the machinations of the Russians.

>See the "Gell-Mann Amnesia Effect" for further details.

<https://en.wikipedia.org/wiki/Gell-Mann_amnesia_effect>

Jeff Liebermann
May 29, 2018, 7:30:45 PM

On Tue, 29 May 2018 22:24:29 +0000 (UTC), Fred Smith
<fred...@thejanitor.corp> wrote:

>On 2018-05-29, Cursitor Doom <cu...@notformail.com> wrote:
>> On Tue, 29 May 2018 20:08:37 +0000, Jerry Peters wrote:
>>
>>
>>> Jeff Liebermann <je...@cruzio.com> wrote:
>>>> Thanks to media attention, the FBI has provided me with a busy day or
>>>> two. According to the press release, we're expected to reboot every
>>>> router to flush out the malware the evil Russians have installed:
>>
>> I'm not bothered if the Russians hack my route (as if!) - there's far
>> worse than them out there.

No need to hack your own route. Just use the "route" command to
direct your packets to wherever you want:
<https://www.google.com/search?q=route+command>

>All the weekly attempts to log into my server traceroute back to
>China, not Russia. I suppose it could be those fiendishly clever
>Russians spoofing, of course.

Most automated attacks arrive from hijacked client computers or
botnets. For DDoS attacks, it looks like attacks originating in the
USA are the major culprits, with China in 2nd place:
<http://www.digitalattackmap.com>
More of the same:
<https://threatbutt.com/map/>
<https://map.lookingglasscyber.com>
etc...

Clifford Heath
May 29, 2018, 8:15:42 PM

You don't charge enough. It costs 3-4 times that to have a plumber call.

> Of course, nothing happens without a suitable conspiracy theory. In
> this case, I must ask why the FBI insisted that everyone reset their
> routers when only a few models are susceptible. Also, ISPs like
> AT&T can easily reboot their customers' routers using SNMP. My
> initial guess was that the FBI thought it better to be sure than sorry
> when dealing with credential sniffing malware. However, the FBI has
> never been known for such lofty sentiments. My guess(tm) is that this
> may well be the first technical action in recent memory that the FBI
> has performed mostly correctly. They may need the good publicity it
> brings to compensate for the general impression of gross incompetence
> demonstrated by the Apple iPhone unlocking fiasco.

More likely the FBI is helping the NSA install their own sniffers
into every router that gets rebooted, and not just the vulnerable
ones. Of course, that theory presumes competence, so it's probably
wrong.

Clifford Heath
May 29, 2018, 8:19:12 PM

On 30/05/18 08:53, Jeff Liebermann wrote:
Also: "Cisco said part of the code used by VPNFilter can still persist
until the affected device is reset to its factory-default settings."

So a reset actually might be required.

Fox's Mercantile
May 30, 2018, 12:50:10 AM

On 5/29/18 5:24 PM, Fred Smith wrote:
> All the weekly attempts to log into my server traceroute back to
> China, not Russia. I suppose it could be those fiendishly clever
> Russians spoofing, of course.

Or some 400 lb guy living in his mother's basement. ;-)

--
"I am a river to my people."
Jeff-1.0
WA6FWi
http:foxsmercantile.com

jurb...@gmail.com
May 30, 2018, 1:13:44 AM

> "Of course, nothing happens without a suitable conspiracy theory. In
> this case, I must ask why the FBI insisted that everyone reset their
> routers when only a few models are susceptible."

They insisted ? Fukum, I didn't do it. Hold on, there's a knock at the door...

...

...

Don't worry, I shot them. Now, is this possibly the cause of my having trouble getting to certain sites? These are mainly sites I have never been to before. Everything I normally use is alright, but anything new seems to time out, and that is in more than one browser.

Maybe some DNSes got screwed up or something like that, but the places I frequent have a backup somewhere? <just a wild guess

Jeff Liebermann
Jun 3, 2018, 1:03:57 PM

On Wed, 30 May 2018 10:19:09 +1000, Clifford Heath
<no....@please.net> wrote:

>Also: "Cisco said part of the code used by VPNFilter can still persist
>until the affected device is reset to its factory-default settings."
>
>So a reset actually might be required.

You're right. Here's the source of the Cisco recommendation:
<https://blog.talosintelligence.com/2018/05/VPNFilter.html>
See "Stage 1 (Persistent Loader)" section:
VPNFilter's stage 1 malware infects devices running firmware
based on Busybox and Linux, and is compiled for several CPU
architectures. The main purpose of these first-stage binaries
is to locate a server providing a more fully featured second
stage, and to download and maintain persistence for this next
stage on infected devices. It is capable of modifying
non-volatile configuration memory (NVRAM) values and adds
itself to crontab, the Linux job scheduler, to achieve
persistence.

So, it looks like I might be doing some reset to defaults and firmware
updates on affected routers. The crontab file is probably in the
firmware. Argh.

Incidentally, of the two customers who reset their routers to
defaults, I was able to recover by walking them through the initial
setup to get their device on the internet, and then restoring their
saved settings, which I save for every router I configure. I didn't
charge either customer if they promised to never do that again.
However, if they're on the affected router list, I'll need to visit
them and update the firmware.
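The Talos excerpt quoted above says the stage 1 loader persists by editing NVRAM values and adding itself to crontab, which is why a plain reboot does not clear it. As an added example (not from this thread or from Talos), a Python check that parses a BusyBox-style `crontab -l` dump from a router and flags entries that are not in a known-good baseline; both dumps and the command names in them are constructed for illustration, not real indicators:

```python
# Added example: compare a router's crontab against a known-good baseline.
# All sample data below is constructed for illustration; no real VPNFilter
# indicators appear here.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class CronEntry:
    schedule: str  # the five time fields, normalised to single spaces
    command: str   # everything after the time fields


def parse_crontab(text: str) -> List[CronEntry]:
    """Parse a 'crontab -l' style dump (BusyBox format, no user column)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # malformed line: skip rather than misreport it
        entries.append(CronEntry(" ".join(fields[:5]), fields[5]))
    return entries


def unexpected_entries(current: str, baseline: str) -> List[CronEntry]:
    """Entries present in the current dump but absent from the baseline.
    Comparison is on (schedule, command), so a changed schedule also flags."""
    known = set(parse_crontab(baseline))
    return [e for e in parse_crontab(current) if e not in known]


# Constructed baseline, as captured from a freshly flashed device (hypothetical).
BASELINE = """\
# stock entries
0 3 * * * /sbin/logrotate
*/5 * * * * /usr/sbin/ntpclient -h pool.ntp.org
"""

# Constructed dump from a device under review; the /tmp job is hypothetical.
CURRENT = """\
0 3 * * * /sbin/logrotate
*/5 * * * * /usr/sbin/ntpclient -h pool.ntp.org
*/5 * * * * /tmp/.update_check
"""

if __name__ == "__main__":
    for e in unexpected_entries(CURRENT, BASELINE):
        print(f"UNEXPECTED: {e.schedule} {e.command}")
```

A job that runs from a writable location such as /tmp and is absent from the baseline is exactly the kind of entry worth pulling the firmware for, rather than just rebooting.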

Jeff Liebermann
Jun 7, 2018, 11:34:27 AM

On Sun, 03 Jun 2018 10:03:57 -0700, Jeff Liebermann <je...@cruzio.com>
wrote:

>On Wed, 30 May 2018 10:19:09 +1000, Clifford Heath
><no....@please.net> wrote:
>
>>Also: "Cisco said part of the code used by VPNFilter can still persist
>>until the affected device is reset to its factory-default settings."
>>
>>So a reset actually might be required.
>
>You're right. Here's the source of the Cisco recommendation:
><https://blog.talosintelligence.com/2018/05/VPNFilter.html>

The list of potentially affected routers has been expanded by Cisco:
<https://blog.talosintelligence.com/2018/06/vpnfilter-update.html>