Tuesday, July 27th, 2021 • Welcome to the 💯 No-Nonsense Tech Zone! • 😷 Get Vaxxed 💉!

Steps to Rid Your Router of Malware, VPNFilter and Whatnot

Last month, the FBI asked the public to help curb the spread and damage of the VPNFilter malware by rebooting their home router. I guess nobody listened since today that threat is still alive, according to a report from Cisco’s Talos security unit. It has affected even more router models.

Even worse, the malware reportedly has a new capability: it can inject malicious code into the web traffic passing through an infected router to cause all kinds of security issues. In some instances, it can also downgrade a secure connection (https) to a non-secure one (http), so that your sensitive information (such as passwords) travels as plain text.
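A client-side check for the https-to-http downgrade described above, as an added example that is not part of the original post: given captured HTTP exchanges, it flags redirects and rewritten links that push a browser from https to plain http on the same host. The exchanges, host names and the `find_downgrades` function are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample exchanges: (requested_url, status, headers, body).
# The first is a clean baseline; the other two model the downgrade behaviour
# described in the text (an http redirect, and links rewritten to http).
SAMPLE_EXCHANGES = [
    ("https://bank.example/login", 200,
     {"Strict-Transport-Security": "max-age=31536000"},
     '<a href="https://bank.example/account">Account</a>'),
    ("https://mail.example/", 302,
     {"Location": "http://mail.example/"},
     ""),
    ("https://shop.example/", 200,
     {},
     '<form action="http://shop.example/checkout"><a href="http://shop.example/cart">'),
]

# Attribute values that carry a URL the browser would follow or submit to.
HREF_RE = re.compile(r'(?:href|action|src)\s*=\s*["\']([^"\']+)["\']', re.I)


def find_downgrades(exchanges):
    """Return (requested_url, reason) findings for https responses that send
    the client to plain http on the same host, either by redirect or by
    links/forms rewritten inside the page body."""
    findings = []
    for url, status, headers, body in exchanges:
        req = urlsplit(url)
        if req.scheme != "https":
            continue  # only an https request can be downgraded
        # Case 1: a redirect from https to http for the same host.
        loc = headers.get("Location")
        if loc:
            target = urlsplit(loc)
            if target.scheme == "http" and target.hostname == req.hostname:
                findings.append((url, f"redirect to {loc}"))
        # Case 2: links or form targets in the https page pointing to http.
        for link in HREF_RE.findall(body):
            target = urlsplit(link)
            if target.scheme == "http" and target.hostname == req.hostname:
                findings.append((url, f"http link to {link}"))
    return findings


if __name__ == "__main__":
    for url, reason in find_downgrades(SAMPLE_EXCHANGES):
        print(f"DOWNGRADE {url}: {reason}")
```

Run it against exchanges captured from your own browser session; a clean router should produce no findings for sites that serve https.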

In short, this is an alarming and serious security threat.

Many home routers are reportedly susceptible to the VPNFilter malware.

Router models affected by VPNFilter malware

Here’s the complete list of vulnerable routers. Generally, you can find the model number on a label on the back or underside of your router. Most of these are legacy routers that are no longer manufactured or sold.

Vendor      Affected models
Asus        RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, RT-N66U
D-Link      DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, DSR-1000N
Huawei      HG8245
Linksys     E1200, E2500, E3000, E3200, E4200, RV082, WRVS4400N
Mikrotik    CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, STX5
Netgear     DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, UTM50
Qnap        TS251, TS439 Pro, QNAP NAS servers running QTS OS
TP-Link     R600VPN, TL-WR741ND, TL-WR841N
Ubiquiti    NSM2, PBE M5
ZTE         ZXHN H108N

Routers and NAS servers affected by VPNFilter malware

If you’ve been using one of these, it doesn’t necessarily mean your router has been infected, but there’s a high probability that it has. Generally, those with the default admin username and password are easy targets. Some have security holes that make them vulnerable, even if you have changed the default login.

If you use a different router, chances are your network is safe for now. But no matter what router you use, you should take precautions and follow the checklist below.

You can generally find a router’s model number on its underside.

What to do to get rid of VPNFilter router malware: The checklist

There are three steps to deal with VPNFilter or any other type of router infection, for that matter.

A. Disruption

This step stops the malware from doing any more harm through an infected router. All you have to do is turn the router off or reboot it. Unplug it from the power, wait for about 30 seconds, then plug it back in.

B. Removal

This step removes the malware from an infected router: Reset your router to the default settings. For details on how to reset a router, check out this post. That will get rid of any unwanted settings or code.

Note: If your router is not on the list of affected models, you might want to back up its settings before the reset. However, if you suspect that your router is not 100 percent clean, do not back up its settings. Restoring the settings of an infected router can cause re-infection.

Resetting is the fastest way to restore a compromised router.

C. Prevention

This step prevents re-infection: Update the router to the latest firmware or security patch.

If your router is on the affected list and there’s no new firmware since May 25th, stop using it immediately. Either wait for newer firmware or discard it and get a new router. (Here are Netgear’s and Linksys’ advisories on this matter). For the rest, follow these steps to update its firmware.


Once you’ve done all the steps above, you can set up your network from scratch or restore its settings. While you’re at it, make sure you check all these points to keep your network safe. Also, if you think your router has been compromised, make sure you change the passwords of your online accounts, such as banking and email.
