Security News

7 new modules for VPNFilter malware, Hide & Seek botnet targets Android, and House Oversight takes on AI

Avast Security News Team, 28 September 2018

VPNFilter gets powerful updates and latest IoT botnet can now corrupt Android devices.

Swiss Army Knife malware gets 7 additional modules

Multipurpose malware seems to be in vogue these days, as another jack-of-all-bugs has been discovered taking over hundreds of thousands of routers the world over. Called VPNFilter, the tool is believed to be the work of the Russian group Fancy Bear and targets devices using the Modbus protocol. So far, at least 500,000 machines have been compromised, the majority of which were MikroTik networking devices in Ukraine.

VPNFilter works in three stages. Stage 1 uses a worm to add code to a router’s crontab, which allows it to remain on the device even after a reboot. Stage 2 then installs the primary malware. Finally, stage 3 consists of various add-on modules that carry out additional functions.

The latest update adds seven new stage 3 modules that can be used to map a network, target additional endpoint devices connected to the compromised router, and obfuscate any attempts to pinpoint the attack source. Although the initial attack vectors are still unknown, remote management is thought to be one of them.

“VPNFilter can stay there for a long time, with users being wholly unaware of the compromise,” explains Luis Corrons, Security Evangelist for Avast. “People often disregard routers because they don’t fully understand the real danger they pose.” Corrons continues, “But the truth is that if attackers have access to your router, they have access to your home or business network. And if they have access to your home or network, that is as good as the key to the front door—they will use it as a foothold to launch attacks that will put all of your devices at risk—as well as the information you have in them.”

Hide and Seek IoT botnet can now harm Android devices

Hide and Seek only recently made news for being the first botnet to survive reboot flushes. Now its creators have armed it with the capacity to hop onto Android devices as well. The latest variant can exploit Android Debug Bridge (ADB) over an unsecured Wi-Fi connection.

ADB is a versatile client-server command-line program for Android and is disabled by default. However, some devices are known to ship with ADB enabled and accessible through TCP port 5555. At least 40,000 devices — mostly in Taiwan, Korea, and China — are thought to be at risk of infection as a result. The Fbot IoT botnet is also known to use ADB to get a hold of Android devices.

Smartphones aren’t the only devices at risk. Researchers have pointed out that Android TVs, DVRs, or any other devices using ADB are also at risk of infection. Even though the problem has been known since July, security measures still do not exist against such threats.

House Oversight goes after bad AI, China, and Federal IT

The House Oversight Committee has its sights on cybersecurity threats this week. Ranking high on their agenda are potential misuses of artificial intelligence. Their white paper titled Rise of the Machines summarizes that AI deployed by cybersecurity companies could pose a problem.

William Hurd of the IT subcommittee stated that it boils down to “good AI vs. bad AI,” and that governments are now tasked with developing a framework to control the use and proliferation of such technologies. For instance, disclosure laws can be enforced for AI pretending to be human, such as in the case of Google Duplex, an AI assistant with a very natural-sounding voice.

The IT subcommittee also discussed cybersecurity threats emerging from China’s advances in AI, cloud computing, blockchain, and quantum computing technologies. China’s continued reverse engineering of stolen technologies, and the nation’s insistence on joint ventures as grounds for doing business in the country, were the top concerns.

Finally, a draft bill sponsored by Hurd aims to set a minimum standard for government websites and ensure they use the latest security protocols.



