Last month, the FBI asked the public to help curb the spread and damage of the VPNFilter malware by rebooting their home router. I guess nobody listened since today that threat is still alive according to a report from Cisco’s Talos security unit. It has affected even more router models.
Even worse, the malware reportedly has a new capability: it can inject malicious codes into the web traffic of an infected router to cause all kinds of security issues. In some instances, it can also downgrade a secure connection (https) into a non-secure one (http), effectively making your sensitive information (such as passwords) appear as plain text.
In short, this is an alarming and serious security threat.
Routers models effected by VPNFilter malware
Here’s the complete list of vulnerable routers. Generally, you can find the model number on a label on the back or underside of your router. Most of these are legacy routers that are no longer manufactured or sold.
|Asus||RT-AC66U, RT-N10, RT-N10E, |
RT-N10U, RT-N56U, RT-N66U
|D-Link||DES-1210-08P, DIR-300, |
DIR-300A, DSR-250N, DSR-500N,
|Linksys||E1200, E2500, E3000, E3200, |
E4200, RV082, WRVS4400NCCR1009,
CCR1016, CCR1036, CCR1072, CRS109,
CRS112, CRS125, RB411, RB450, RB750,
RB911, RB921, RB941, RB951, RB952,
RB960, RB962, RB1100, RB1200, RB2011,
RB3011, RB Groove, RB Omnitik, STX5
|Mikrotik||CCR1009, CCR1016, CCR1036, CCR1072, |
CRS109, CRS112, CRS125, RB411, RB450,
RB750, RB911, RB921, RB941, RB951,
RB952, RB960, RB962, RB1100, RB1200,
RB2011, RB3011, RB Groove, RB Omnitik, STX5
|Netgear||DG834, DGN1000, DGN2200, DGN3500, |
FVS318N, MBRN3000, R6400, R7000, R8000,
WNR1000, WNR2000, WNR2200, WNR4000,
WNDR3700, WNDR4000, WNDR4300,
|Qnap||TS251, TS439 Pro, QNAP NAS servers running QTS OS|
|TP-Link||R600VPN, TL-WR741ND, TL-WR841N|
|Ubiquiti||NSM2, PBE M5|
If you’ve been using one of these, it doesn’t necessarily mean your router has been infected, but there’s a high probability that it has. Generally, those with the default admin username and password are easy targets. Some have security holes that make them vulnerable even if you have changed the default login.
If you use a different router, chances are your network is safe, for now. But no matter what router you use, you should take precautions and follow the check list below.
What to do to get rid of VPNFilter router malware: The check list
There are three steps to deal with VPNFilter or any other types of router infection, for that matter.
This step will stop the malware from doing any more harm using an infected router. All you have to do is to turn the router off or reboot it. Unplug it from the power, wait for about 30 seconds, then plug it back in.
This step removes the malware from an infected router: Reset your router to the default settings. For details on how to reset a router, check out this post. That will get rid of any unwanted settings or codes.
Note: If your router is not on the list of effected models, you might want to back up its settings before the reset. However, if you suspect that your router is not 100 percent clean, do not back up its settings. Restoring the settings of an infected router can cause re-infection.
This step will prevent the re-infection: Update the router to the latest firmware or security patch.
If your router is on the effected list and there’s no new firmware since May 25th, stop using it immediately. Either wait for newer firmware or discard it and get a new router. (Here are Netgear’s and Linksys’ advisories on this matter). For the rest, follow these steps to update its firmware.
Once you’ve done all the steps above, you can set up your network from scratch or restore its settings. When you’re at it, make sure you check on all these points to keep your network safe. Also, if you think your router had been compromised, make sure you change the passwords of your online accounts, like banks or emails.