Two weeks ago, officials in the private and public sectors warned that hackers working for the Russian government infected more than 500,000 consumer-grade routers in 54 countries with malware that could be used for a range of nefarious purposes. Now, researchers from Cisco’s Talos security team say additional analysis shows that the malware is more powerful than originally thought and runs on a much broader base of models, many from previously unaffected manufacturers.
The most notable new capabilities found in VPNFilter, as the malware is known, come in a newly discovered module that performs an active man-in-the-middle attack on incoming Web traffic. Attackers can use this ssler module to inject malicious payloads into traffic as it passes through an infected router. The payloads can be tailored to exploit specific devices connected to the infected network. Pronounced “essler,” the module can also be used to surreptitiously modify content delivered by websites.
Besides covertly manipulating traffic delivered to endpoints inside an infected network, ssler is also designed to steal sensitive data passed between connected end-points and the outside Internet. It actively inspects Web URLs for signs they transmit passwords and other sensitive data so they can be copied and sent to servers that attackers continue to control even now, two weeks after the botnet was publicly disclosed.
To bypass the TLS encryption that is designed to prevent such attacks, ssler actively tries to downgrade HTTPS connections to plaintext HTTP traffic. It then changes request headers to signal that the endpoint isn’t capable of using encrypted connections. Ssler makes special accommodations for traffic to Google, Facebook, Twitter, and YouTube, presumably because these sites provide additional security features. Google, for example, has for years automatically redirected HTTP traffic to HTTPS servers. The newly discovered module also strips away data compression provided by the gzip application because plaintext traffic is easier to modify.
All your network traffic belongs to us
The new analysis, which Cisco is expected to detail in a report to be published Wednesday morning, shows that VPNFilter poses a more potent threat and targets more devices than was reported two weeks ago. Previously, Cisco believed the primary goal of VPNFilter was to use home and small-office routers, switches, and network-attached storage devices as a platform for launching obfuscated attacks on primary targets. The discovery of ssler suggests router owners themselves are a key target of VPNFilter.
“Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Craig Williams, a senior technology leader and global outreach manager at Talos, told Ars. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”
While HTTP Strict Transport Security and similar measures designed to prevent unencrypted Web connections may help prevent the HTTP downgrade from succeeding, Williams said those offerings aren’t widely available in Ukraine, where a large number of the VPNFilter-infected devices are located. What’s more, many sites in the US and Western Europe continue to provide HTTP as a fallback for older devices that don’t fully support HTTPS.
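The downgrade described above only works when the client has no reason to insist on TLS; HSTS gives it one. The following Python model of a browser's HSTS store is an added example, not code from the article or from Talos. It parses a Strict-Transport-Security response header, remembers the policy with its expiry and includeSubDomains flag, and rewrites plaintext http:// URLs for known hosts back to https:// before any request leaves the client, so a man-in-the-middle on the router never sees a plaintext request it could tamper with. The host names, header values and timestamps are constructed for the example; the port rule (80 becomes the implicit 443, other ports are preserved) follows RFC 6797.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample header, as an HSTS-enabled site would send it over TLS.
SAMPLE_HSTS_HEADER = "max-age=31536000; includeSubDomains"


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header carries no usable max-age; a client must
    ignore such a header rather than guess at a policy.
    """
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry, include_subdomains)."""

    def __init__(self):
        self._policies = {}

    def record(self, host, header_value, now=None):
        """Store the policy a host announced. Returns False if the header was unusable."""
        now = time.time() if now is None else now
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            # max-age=0 tells the client to forget the host (RFC 6797 section 6.1.1).
            self._policies.pop(host, None)
        else:
            self._policies[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry <= now:
                continue  # expired policy: the host must re-announce it over TLS
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url, now=None):
        """Return the URL the client should actually fetch.

        A plaintext http:// URL for a known host is upgraded to https:// before
        any bytes are sent; for an unknown host the URL is left as-is, which is
        exactly the situation an in-path downgrade relies on.
        """
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        host = parts.hostname or ""
        if not self.is_known(host, now):
            return url
        # Explicit port 80 becomes the implicit 443; any other port is preserved.
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    t0 = 1_000_000.0  # constructed clock value
    print(cache.rewrite("http://bank.example/login", t0))      # unchanged: no policy yet
    cache.record("bank.example", SAMPLE_HSTS_HEADER, t0)
    print(cache.rewrite("http://bank.example/login", t0))      # upgraded to https
    print(cache.rewrite("http://www.bank.example/x", t0))      # subdomain covered
```

The model also shows the gap Williams describes: a host the client has never reached over TLS has no entry, so its first plaintext request is unprotected. Browsers close that gap with a built-in preload list of HSTS hosts; sites that are not on it, or that keep serving HTTP as a fallback, remain exposed to this kind of downgrade.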
(Much) bigger attack surface
Talos said VPNFilter also targets a much larger number of devices than previously thought, including those made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The malware also works on new models from manufacturers previously known to be targeted, including Linksys, MikroTik, Netgear, and TP-Link. Williams estimated that the additional models put 200,000 additional routers worldwide at risk of being infected. The full list of targeted devices is:
Asus Devices:
RT-AC66U (new) RT-N10 (new) RT-N10E (new) RT-N10U (new) RT-N56U (new) RT-N66U (new)
D-Link Devices:
DES-1210-08P (new) DIR-300 (new) DIR-300A (new) DSR-250N (new) DSR-500N (new) DSR-1000 (new) DSR-1000N (new)
Huawei Devices:
HG8245 (new)
Linksys Devices:
E1200 E2500 E3000 (new) E3200 (new) E4200 (new) RV082 (new) WRVS4400N
Mikrotik Devices:
CCR1009 (new) CCR1016 CCR1036 CCR1072 CRS109 (new) CRS112 (new) CRS125 (new) RB411 (new) RB450 (new) RB750 (new) RB911 (new) RB921 (new) RB941 (new) RB951 (new) RB952 (new) RB960 (new) RB962 (new) RB1100 (new) RB1200 (new) RB2011 (new) RB3011 (new) RB Groove (new) RB Omnitik (new) STX5 (new)
Netgear Devices:
DG834 (new) DGN1000 (new) DGN2200 DGN3500 (new) FVS318N (new) MBRN3000 (new) R6400 R7000 R8000 WNR1000 WNR2000 WNR2200 (new) WNR4000 (new) WNDR3700 (new) WNDR4000 (new) WNDR4300 (new) WNDR4300-TN (new) UTM50 (new)
QNAP Devices:
TS251 TS439 Pro Other QNAP NAS devices running QTS software
TP-Link Devices:
R600VPN TL-WR741ND (new) TL-WR841N (new)
Ubiquiti Devices:
NSM2 (new) PBE M5 (new)
Upvel Devices:
Unknown Models* (new)
ZTE Devices:
ZXHN H108N (new)
Incredibly targeted
Wednesday's Talos report also provides new insights into a previously found packet sniffer module. It monitors traffic for data specific to industrial control systems that connect over a TP-Link R600 virtual private network. The sniffer module also looks for connections to a pre-specified IP address. It also looks for data packets that are 150 bytes or larger.
“They’re looking for very specific things,” Williams said. “They’re not trying to gather as much traffic as they can. They’re after certain very small things like credentials and passwords. We don’t have a lot of intel on that other than it seems incredibly targeted and incredibly sophisticated. We’re still trying to figure out who they were using that on.”
Wednesday’s report also details a self-destroy module that can be delivered to any infected device that currently lacks that capability. When executed it first removes all traces of VPNFilter from the device and then runs the command “rm -rf /*,” which deletes the remainder of the file system. The module then reboots the device.
Despite the discovery of VPNFilter and the FBI seizure two weeks ago of a key command and control server, the botnet still remains active, Williams said. The reason involves the deliberately piecemeal design of the malware. Stage 1 acts as a backdoor and is one of the few known pieces of router malware that can survive a reboot. Meanwhile, stages 2 and 3, which provide advanced functions for things such as man-in-the-middle attacks and self-destruction capabilities, have to be reinstalled each time an infected device is restarted.
To accommodate this limitation, stage 1 relies on a sophisticated mechanism to locate servers where the stage 2 and stage 3 payloads are available. The primary method involved downloading images stored on Photobucket.com and extracting an IP address from six integer values used for GPS latitude and longitude stored in the EXIF field of the image. When Photobucket removed those images, VPNFilter used a backup method that relied on a server located at ToKnowAll.com.
Even with the FBI’s seizure of ToKnowAll.com, devices infected by stage 1 can still be put into a listening mode that allows attackers to use specific trigger packets that manually install later VPNFilter stages. That means hundreds of thousands of devices likely remain infected with stage 1, and possibly stages 2 and 3.
There is no easy way to know if a router is infected. One method involves searching through logs for indicators of compromise listed at the end of Cisco's report. Another involves reverse engineering the firmware, or at least extracting it from a device, and comparing it with the authorized firmware. Both of those things are out of the abilities of most router owners. That's why it makes sense for people to simply assume a router may be infected and disinfect it. Researchers still don't know how routers initially become infected with stage 1, but they presume it's by exploiting known flaws for which patches are probably available.
Steps to fully disinfect devices vary from model to model. In some cases, pressing a recessed button on the back to perform a factory reset will wipe stage 1 clean. In other cases, owners must reboot the device and then immediately install the latest available authorized firmware from the manufacturer. Router owners who are unsure how to respond should contact their manufacturer, or, if the device is more than a few years old, buy a new one.
Router owners should always change default passwords and, whenever feasible, disable remote administration. For extra security, people can always run routers behind a proper security firewall. Williams said he has seen no evidence VPNFilter has infected devices running Tomato, Merlin WRT, and DD-WRT firmware, but that he can't rule out that possibility.
Two weeks ago, however, the FBI recommended that all owners of consumer-grade routers, switches, and network-attached storage devices reboot their devices. While the advice likely disrupted VPNFilter’s advance and bought infected users time, it may also have created the mistaken belief that rebooting alone was enough to fully remove VPNFilter from infected devices.
“I’m concerned that the FBI gave people a false sense of security,” Williams said. “VPNFilter is still operational. It infects even more devices than we initially thought, and its capabilities are far in excess of what we initially thought. People need to get it off their network.”
From DD-WRT Wiki: Universal Wireless Repeater
THIS IS BROADCOM ONLY!
A repeater is just a very normal client which, at the same time, can also be an access point, independent of the SSID and type of encryption used.
THESE ARE NOT THE INSTRUCTIONS FOR CREATING A REPEATER OR A REPEATER BRIDGE which is the normal way to link routers. These are OUT OF DATE instructions for creating a special UNIVERSAL repeater as explained below, not for linking the routers you own. See the wiki on linking routers if you wish to connect two routers in your home. That is NOT what these instructions are for! If you are in the wrong place, click here: Linking Routers
This How-To provides step-by-step instructions for creating a Universal Wireless Repeater appliance: a device that you can place anywhere and it will wirelessly repeat the strongest signal onto another wireless network (with or without security). This functionality is also known as Wireless Client Bridge, or Range Extender. Unlike WDS, once you have this appliance set up, it will work with any open network.
Architecturally, the repeater connects to another wireless router as a client, getting a single IP address via DHCP. Effectively, the SSID network it connects to becomes your ISP. Therefore you (the client) will operate in your own IP address space, which is different from the address space the repeater connects to.
For example:
In a given neighborhood, there are 3 open access wireless networks: jojo, linksys and internetmad. The repeater automatically receives an IP address from jojo. Let's say jojo is using 192.168.1.0/24, and your DD-WRT router receives the address 192.168.1.139. The repeater is configured to use 172.16.100.0/24. From your laptop, you associate with the SSID 'repeater' and you receive the address 172.16.101.100 via DHCP. As far as your laptop is concerned, you are talking to repeater. As far as repeater is concerned, its gateway is 'jojo', and jojo probably has another gateway via cable modem or DSL.
Prerequisites
It takes me just a couple minutes to follow these instructions (but I've done this before).
1. Install latest DD-WRT v24 release candidate (but not RC6.2! v23 doesn't support repeater modes).
- NOTE: WRT54GS v4 and WRT54GL will need to be flashed with the MINI GENERIC bin first. Otherwise you will brick the router and have to tftp the Linksys bin to recover. On Windows, use Internet Explorer, as Firefox 2.0.0.4 does not handle the new DD-WRT v24beta interface well.
2. Go to tab 'Setup', sub-tab 'Basic Setup':
3. Point your browser to the new IP address you chose in the previous step. Go to tab 'Security', sub-tab 'Firewall':
4. Go to tab 'Wireless', sub-tab 'Basic Settings':
[EDIT-Redhawk] - If the host AP setting Wireless >> Basic Settings >> Wireless Network Mode is set to 'G-only', then your repeater must also be set the same way. Otherwise you will not make the connection from the repeater side. - 09/22/07
5. To repeat any network dynamically (make this a universal wireless repeater), the following will make the repeater connect to the first available SSID:
6. You may use security (WEP, WPA, etc) in repeater mode. An example application of this would be to make the repeated network private (for your use only).
7. The first time you connect to the repeater (wirelessly), or after disconnect, you may need to perform a 'repair wireless network connection'. For example, in XP, right click on the wireless icon and select 'Repair'.
Optimizations
8. If you wish to dynamically repeat the STRONGEST signal (a more sophisticated version of #5 above) please read the AutoAP Wiki Article.
9. For optional repeater performance enhancements:
Also take note of the fact that all repeaters, including this Universal Wireless Repeater mode, will sacrifice half of the bandwidth available from the primary router for clients wirelessly connected to the repeater. This is a result of the repeater taking turns talking to not just one partner, but to two, and having to relay the traffic between them. As long as your bandwidth requirements are within this halved bandwidth amount there will be little or no reduction in 'speed'.
(SVN revision 9526) disables network sharing between WinXP computers.
Your testing results and enhancements are appreciated:
Retrieved from 'http://wiki.dd-wrt.com/wiki/index.php/Universal_Wireless_Repeater'