Last month, the FBI asked the public to help curb the spread and damage of the VPNFilter malware by rebooting their home routers. I guess nobody listened, since that threat is still alive today, according to a report from Cisco’s Talos security unit. It has affected even more router models.
Even worse, the malware reportedly has a new capability: it can inject malicious code into the web traffic of an infected router to cause all kinds of security issues. In some instances, it can also downgrade a secure connection (HTTPS) to a non-secure one (HTTP), effectively making your sensitive information (such as passwords) appear as plain text.
In short, this is an alarming and serious security threat.
Router models affected by VPNFilter malware
Here’s the complete list of vulnerable routers. Generally, you can find the model number on a label on the back or underside of your router. Most of these are legacy routers that are no longer manufactured or sold.
|Asus||RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, RT-N66U|
|D-Link||DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N,|
|Linksys||E1200, E2500, E3000, E3200, E4200, RV082, WRVS4400N|
|Mikrotik||CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, STX5|
|Netgear||DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300,|
|Qnap||TS251, TS439 Pro, QNAP NAS servers running QTS OS|
|TP-Link||R600VPN, TL-WR741ND, TL-WR841N|
|Ubiquiti||NSM2, PBE M5|
If you’ve been using one of these, it doesn’t necessarily mean your router has been infected, but there’s a high probability that it has. Generally, those with the default admin username and password are easy targets. Some have security holes that make them vulnerable, even if you have changed the default login.
If you use a different router, chances are your network is safe for now. But no matter what router you use, you should take precautions and follow the checklist below.
What to do to get rid of VPNFilter router malware: The checklist
There are three steps to deal with VPNFilter or any other type of router infection, for that matter.
1. This step will stop the malware from doing any more harm using an infected router. All you have to do is turn the router off or reboot it: unplug it from the power, wait about 30 seconds, then plug it back in.
2. This step removes the malware from an infected router: reset your router to the default settings. For details on how to reset a router, check out this post. That will get rid of any unwanted settings or code.
Note: If your router is not on the list of affected models, you might want to back up its settings before the reset. However, if you suspect that your router is not 100 percent clean, do not back up its settings. Restoring the settings of an infected router can cause re-infection.
3. This step will prevent re-infection: update the router to the latest firmware or security patch.
If your router is on the affected list and there’s been no new firmware since May 25th, stop using it immediately. Either wait for newer firmware or discard it and get a new router. (Here’s Netgear’s advisory on this matter.) For the rest, follow these steps to update its firmware.
Once you’ve done all the steps above, you can set up your network from scratch or restore its settings. While you’re at it, make sure you check all these points to keep your network safe. Also, if you think your router has been compromised, make sure you change the passwords of your online accounts, such as banking and email.