The FBI has seized a key domain used to infect more than 500,000 home and small-office routers in a move that significantly frustrates a months long attack that agents say was carried out by the Russian government, The Daily Beast reported late Wednesday.
The takedown stems from an investigation that started no later than last August and culminated in a court order issued Wedesday directing domain registrar Verisign to turn over control of ToKnowAll.com.
As Ars reported earlier Wednesday, Cisco researchers said the malware that infected more than 500,000 routers in 54 countries was developed by an advanced nation and implied Russia was responsible, but didn’t definitively name the country.
VPNFilter, as the Cisco researchers dubbed the advanced malware, is one of the few Internet-of-things infections that can survive a reboot, but only the first stage has this capability. To compensate for the shortcoming, the attackers relied on the three separate mechanisms to independently ensure stages 2 and 3 could be installed on infected devices.
The ToKnowAll.com domain seized Wednesday hosted a backup server for uploading a second stage of malware to already-infected routers in the event a primary method, which relied on Photobucket, failed. VPNFilter relied on a third method that used so-called “listeners,” which allow attackers to use specific trigger packets to manually send later stages.
Taking control of a command-and-control server is known as sinkholing. It allows researchers or law enforcement officers to monitor the IP addresses of infected devices that connect and to prevent them from receiving malware or malicious instructions. The seizure of ToKnowAll.com is a major coup because it closes a secondary channel and may also provide previously unavailable information the FBI can use to begin the process of helping ISPs and end users disinfect the devices.
Still, based on information provided by Cisco, the sinkholding doesn’t automatically stop VPNFilter in its tracks. Assuming the attackers captured the IP addresses of devices infected with stage 1, the attackers may still be able to use the listener to regain control of the devices.
In August, The Daily Beast reported, FBI agents in Pittsburgh, Pennsylvania, interviewed a local resident whose home router was infected with VPNFilter. The resident voluntarily let the agents analyze the device and to attach a network tap that allowed the FBI to to monitor traffic leaving the router. The agents used the tap to identify the way the malware worked.
On Tuesday, the FBI asked federal Magistrate Judge Lisa Pupo Lenihan in Pittsburgh to turn over control of ToKnowAll.com to agents. Lenihan granted the request on Wednesday. It’s not clear why it took nine months from the time the agents interviewed the infected router to request the seizure of the domain. Ars has much more about VPNFilter here.