Millions of home Wi-Fi routers threatened by malware — what to do

There's a nasty new piece of malware out there targeting Wi-Fi routers, and you'll want to make sure yours is fully updated so it doesn't get infected.

The AT&T researchers who discovered the malware are calling it BotenaGo, and it's apparently different from the Mirai botnet malware that's been attacking routers since 2016. BotenaGo packs in exploits for 33 different known vulnerabilities in 12 different router brands, including D-Link, Linksys, Netgear, Tenda, Totolink, Zyxel and ZTE. A full list is in the AT&T Cybersecurity blog post.

How to avoid the BotenaGo malware

To avoid infection, update your router with the latest firmware. Newer routers, including many high-end gaming routers and mesh routers, will do this automatically, but you'll want to check your router's administrative interface to make sure that feature is switched on. 

For less expensive routers, you'll want to go into the administrative interface anyhow and check for updates. Some routers let you manually start an update from within the admin panels. While you're in there, make sure your router is closed off to administrative access from outside the local network, and make certain that your router's administrative password is long, strong and unique.

And if you have a router that is five or more years old, you may have to manually download a firmware update from the manufacturer's website to a PC or Mac, then follow the instructions about how to get the update package from your computer to the router. We've got a guide on how to update your router's firmware.

Old, patched flaws

The BotenaGo malware gets a foothold into routers using one or more of the 33 known vulnerabilities mentioned above. These flaws were discovered anywhere from one to eight years ago, so it's a fair bet that most or all have been patched in firmware updates since then.

Once on the router, BotenaGo sets up a backdoor into the router using two different obscure ports, then waits for instructions from its command-and-control servers. But by the time the AT&T researchers got to take a look at those servers, there was no trace of any "payload" to be delivered — either it had been removed or it had never been there in the first place.
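A backdoor that listens on its own ports can be spotted from inside your network by checking which TCP ports your router answers on. The script below is an added example, not code from AT&T or from this article; it does not know the two BotenaGo ports (the article does not list them), so it flags every open port outside an allowlist, and the allowlist and the 192.168.1.1 address are assumptions to adjust for your own router.

```python
"""Flag unexpected TCP listeners on a router you own (added example)."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumption: services you expect on the router's LAN side. Adjust to your model.
EXPECTED_PORTS = {53: "DNS", 80: "admin HTTP", 443: "admin HTTPS"}


def is_open(host, port, timeout=0.5):
    """Return True if a full TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit_listeners(host, ports, expected=EXPECTED_PORTS, timeout=0.5, workers=64):
    """Probe `ports` on `host` and split the open ones into expected/unexpected."""
    ports = sorted(set(ports))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: is_open(host, p, timeout), ports)
        open_ports = [p for p, ok in zip(ports, results) if ok]
    return {
        "expected": {p: expected[p] for p in open_ports if p in expected},
        "unexpected": [p for p in open_ports if p not in expected],
    }


if __name__ == "__main__":
    import sys
    # Usage: python audit_router.py 192.168.1.1   (your router's LAN address)
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    report = audit_listeners(host, range(1, 65536))
    for port, name in report["expected"].items():
        print(f"open  {port:>5}  expected ({name})")
    for port in report["unexpected"]:
        print(f"open  {port:>5}  UNEXPECTED: check firmware and settings")
```

This only shows what the router exposes to devices on the local network; whether the admin interface is reachable from the internet has to be checked from a connection outside your home.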

Typical router-malware payloads include additional malware that "drafts" the router into a botnet to be used in mass attacks against websites, as is the case with Mirai, or code that uses the router to pump out spam emails. (If an infected router is connected to a phone-company DSL line, it can also send spam text messages.) In many cases, infected routers spread malware to yet more routers.

The AT&T researchers see three possibilities regarding BotenaGo. Either it is just one step in a multi-stage attack, or it's a new tool used by Mirai botnet operators, or it's something that is still in development and was released early by accident. 

It's not clear who is behind the BotenaGo malware, but it is clear that it's pretty easy to avoid — as long as you keep your router's firmware updated.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.