VPNFilter - Gargoyle has had no malware?

hackerb9
Posts: 3
Joined: Thu Nov 03, 2016 11:59 pm

VPNFilter - Gargoyle has had no malware?

Post by hackerb9 »

Hi! I bought a Gargoyle Router years ago as the main gateway for about a hundred residents in an apartment building. It has been running rock solid for so long that I've pretty much forgotten about it. (That's the highest praise, by the way.)

Today in the news, the FBI asked everyone to reboot their routers because of some Russian malware called VPNFilter.

Wikipedia even has a handy list of routers known to be vulnerable. Not surprisingly, Gargoyle Router isn't mentioned.

I ssh'd into my Gargoyle Router and there's no vpnfilter process, so I think I'm in the clear on that one.

But I got to wondering if there have ever been any known instances of malware that could infect Gargoyle Routers. (I'm not asking about theoretical or potential; I already know that anything is possible.)

So, what's the history (or lack thereof) of malware on Gargoyle Routers?

Lantis
Moderator
Posts: 6753
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Gargoyle has had no malware?

Post by Lantis »

Not that I’m aware of.

You may find better results searching for “Openwrt malware”. Gargoyle is based on Openwrt.

The device should be reasonably safe as long as you don’t compromise the root password and don’t expose ports to the WAN. Once the root password is compromised that’s game over anyway.

I’m glad you’re having a good long lasting experience with Gargoyle :)
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

tapper
Moderator
Posts: 1076
Joined: Sun Oct 13, 2013 5:49 pm
Location: Stoke-on-trent UK

Re: Gargoyle has had no malware?

Post by tapper »

Never heard of anything like that, on Gargoyle or OpenWrt routers. To stay safe make sure you keep your router up to date.
Linksys WRT3200ACM
NETGEAR Nighthawk R7800
NETGEAR R6260

alvesl
Posts: 1
Joined: Fri Jun 08, 2018 1:15 pm

VPNFilter Attack

Post by alvesl »

Hello,

I've been happily using Gargoyle for a while. Recently I've heard about the VPNFilter attack and I'm curious if this firmware could be affected.

Thanks!
-Lucas

tapper
Moderator
Posts: 1076
Joined: Sun Oct 13, 2013 5:49 pm
Location: Stoke-on-trent UK

Re: VPNFilter Attack

Post by tapper »

Well... OpenWrt / Gargoyle is good in that way: you don't have a) a default password to attack against, as you really need to set your own on first boot, and b) no service is open to the WAN by default.
Even if there were an unpatched hole in some service on OpenWrt, an attacker can't target equipment in its default state,

well, not from the WAN side anyhow.
Linksys WRT3200ACM
NETGEAR Nighthawk R7800
NETGEAR R6260

butler360
Posts: 10
Joined: Fri Nov 08, 2013 3:40 am

Re: VPNFilter - Gargoyle has had no malware?

Post by butler360 »

hackerb9 wrote: I ssh'd into my Gargoyle Router and there's no vpnfilter process, so I think I'm in the clear on that one.
So far to my knowledge no one has been able to identify a simple way to determine whether your router is infected, so I don't think you can consider yourself safe by just checking for the process.

hackerb9
Posts: 3
Joined: Thu Nov 03, 2016 11:59 pm

Re: VPNFilter - Gargoyle has had no malware?

Post by hackerb9 »

butler360 wrote: So far to my knowledge no one has been able to identify a simple way to determine whether your router is infected, so I don't think you can consider yourself safe by just checking for the process.
I don't consider myself "safe" from all infections. That's one of the reasons I started this thread.

But for this threat du jour, what I've read (mostly from Talos) makes it look like there's no way to tell from the GUI, but it's not particularly subtle from the command line. It adds itself to the crontab, it places files in /var/run with known hashes, the files have names like "vpnfilter" and "tor", and it has a process actually named vpnfilter.

Do you have any reference to sites claiming it is doing even minimal obfuscation by renaming the process? The only people I've seen claiming it can't be identified are ones speaking out of an abundance of caution: anything is possible, theoretically.

But in practical terms and given the actual known evidence, I believe I can tell if my Gargoyle Router was hit by VPNFilter.

I'm always happy to be proven wrong, though, so feel free to share evidence I may have missed.
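A defender's check for the indicators hackerb9 lists above (a crontab entry, files named "vpnfilter" or "tor" under /var/run, a process actually named vpnfilter), added here as an example and not taken from the thread or from the Gargoyle project. It assumes OpenWrt keeps crontabs in /etc/crontabs/; the file hashes Talos published are not on this page, so the script does not check them.

```shell
#!/bin/sh
# Hypothetical VPNFilter indicator check for an OpenWrt/Gargoyle router (example, not project code).
# Exit status 0 = no indicator found, 1 = at least one indicator found.

# File-based indicators. $1 is an optional root prefix so the same checks can be run
# against a constructed directory tree instead of the live filesystem.
check_vpnfilter_files() {
    root="${1:-}"
    found=0
    # Files or directories with the names the thread reports under /var/run.
    for name in vpnfilter tor; do
        if [ -e "$root/var/run/$name" ]; then
            printf 'indicator: %s exists\n' "$root/var/run/$name"
            found=1
        fi
    done
    # Crontab entries pointing at those names. OpenWrt's crond reads /etc/crontabs/<user>;
    # /var/spool/cron/crontabs is checked too for builds that use the other location.
    for cron in "$root"/etc/crontabs/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$cron" ] || continue
        if grep -qiE 'vpnfilter|/var/run/tor' "$cron"; then
            printf 'indicator: crontab %s references vpnfilter/tor\n' "$cron"
            found=1
        fi
    done
    return $found
}

# Process-based indicator. The ps listing is taken from the running system unless a
# listing is passed as $1 (used here to exercise the check on constructed input).
# -w makes "vpnfilter" match as a whole word, so /var/run/vpnfilter is caught as well.
check_vpnfilter_process() {
    listing="${1:-$(ps 2>/dev/null)}"
    if printf '%s\n' "$listing" | grep -qw vpnfilter; then
        echo 'indicator: a process named vpnfilter is running'
        return 1
    fi
    return 0
}

main() {
    rc=0
    check_vpnfilter_files "" || rc=1
    check_vpnfilter_process || rc=1
    [ "$rc" -eq 0 ] && echo 'no VPNFilter indicators found'
    return $rc
}

main "$@"
```

Run it over ssh on the router itself; a non-zero exit only means one of the indicators above is present, and a clean run says nothing about variants that use different names.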
