VPNFilter Malware – Router botnet

Security researchers have detected a huge botnet consisting of at least 500,000 compromised routers and network-attached storage (NAS) devices. The malware behind it is known as VPNFilter, and it largely targets small office / home office routers and NAS devices.

VPNFilter is malware that targets routers and NAS devices in order to steal files and information and to examine network traffic as it flows through the device. Once installed, the malware consists of three different stages, each performing specific functions.

Different stages of VPNFilter malware

Stage 1 is installed first and gives the malware persistence, so it survives even when the router is rebooted.

Stage 2 allows the attackers to execute commands and steal data. This stage also contains a self-destruct capability that essentially renders the router, and thus your network connection, non-functional.

Stage 3 consists of various plugins that can be installed into the malware to add functionality, such as sniffing the network, monitoring communications, and communicating over Tor (Tor is free software for enabling anonymous communication).

Routers that are known to be affected by VPNFilter

According to reports from Cisco, Symantec, and the Security Service of Ukraine, the affected routers are:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS Versions for Cloud Core Routers: 1016, 1036, 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

While the above are the currently known devices that can be infected with VPNFilter, there is no guarantee that they are the only ones. Therefore, everyone should follow the recommendations below to harden and secure their routers, regardless of make and model.

If you own an affected device, what should you do?

1. Users of affected devices are advised to reboot them immediately. If the device is infected with VPNFilter, rebooting removes Stage 2 and any Stage 3 elements present on the device, which (at least temporarily) removes the destructive component of VPNFilter. However, if the device is infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers.

2. You should also return the router or NAS device to its factory settings. This is typically done by pressing and holding the reset switch while turning the device off and on again. Before you begin, find and save any instructions and user/internet credentials that you may need to get the router connected again, so you have them on hand.

3. You should also check the manufacturer’s website for the latest firmware update.

4. Change your password and make sure you’re not using an easy-to-crack or factory-default password.

5. Ensure that remote management is turned off on your router and NAS device.
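The affected-device list and the five steps above, turned into a small inventory audit that flags which devices need attention first. This is an added example, not the advisory's own tooling; the inventory records are constructed, and the field names (vendor, model, os, remote_management, default_password, firmware_outdated) are assumptions.

```python
# Added example: audit a constructed device inventory against the VPNFilter
# affected-device list and the hardening steps from the advisory.
import re


def normalise(model: str) -> str:
    """Collapse case, hyphens and spacing so 'LinkSys  E-1200' matches 'Linksys E1200'."""
    return re.sub(r"\s+", " ", model.lower().replace("-", "")).strip()


# Exact models named in the advisory (stored in normalised form).
AFFECTED_MODELS = {normalise(m) for m in [
    "Linksys E1200", "Linksys E2500", "Linksys WRVS4400N",
    "Netgear DGN2200", "Netgear R6400", "Netgear R7000", "Netgear R8000",
    "Netgear WNR1000", "Netgear WNR2000",
    "QNAP TS251", "QNAP TS439 Pro", "TP-Link R600VPN",
]}
# MikroTik Cloud Core Router numbers listed by the advisory.
MIKROTIK_CCR = {"1016", "1036", "1072"}


def is_known_affected(vendor: str, model: str, os_name: str = "") -> bool:
    """True when the device matches a model or family the advisory lists."""
    if normalise(f"{vendor} {model}") in AFFECTED_MODELS:
        return True
    # Family rule: any other QNAP NAS running QTS is on the list.
    if vendor.lower() == "qnap" and os_name.lower() == "qts":
        return True
    # Family rule: MikroTik Cloud Core Routers 1016/1036/1072 (CCR prefix optional).
    m = re.search(r"(?:ccr)?(\d{4})", normalise(model))
    return vendor.lower() == "mikrotik" and bool(m) and m.group(1) in MIKROTIK_CCR


def audit(device: dict) -> list:
    """Return remediation findings for one inventory record, most urgent first."""
    findings = []
    if is_known_affected(device["vendor"], device["model"], device.get("os", "")):
        findings.append("known VPNFilter target: reboot now, then factory-reset and reflash")
    if device.get("remote_management"):        # step 5
        findings.append("remote management enabled: turn it off")
    if device.get("default_password"):         # step 4
        findings.append("factory default password in use: change it")
    if device.get("firmware_outdated"):        # step 3
        findings.append("firmware not current: update from the manufacturer's site")
    return findings
```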

Should you reset your router even if it’s not one of the listed ones?

This is a tough one. On one hand, it’s always better to be safe than sorry. On the other, for some people it can be very difficult to configure a router from scratch.

With that said, we do suggest that you follow the steps above: running the latest firmware on your router is only beneficial, and the other steps further protect your device.