Russian VPNFilter Router Malware Much Worse Than Thought: What to Do

Remember that Russian router malware warning from last week? The situation is even worse than we originally thought, and a whole lot more router owners are going to have to factory-reset their devices and install firmware updates.

Not only are many more Linksys, MikroTik, Netgear and TP-Link routers vulnerable to the VPNFilter malware, according to a report today (June 6) from Cisco Talos labs, but several Asus and D-Link models are now also thought to be vulnerable, as well as a couple of Ubiquiti routers and individual Huawei, Upvel and ZTE devices. In all, nearly 70 devices are impacted, including QNAP network-attached-storage drives.

The malware itself has a previously unnoticed capability: It can stage a man-in-the-middle attack on your web traffic, altering what you see online and possibly hiding other nefarious deeds.

"They can manipulate everything going through the compromised device," a Cisco Talos researcher told Ars Technica. "They can modify your bank-account balance so that it looks normal while at the same time they're siphoning off money."

How to Protect Yourself

To really be protected from VPNFilter, you need to first fully update your router's firmware, then write down all your Wi-Fi network names and passwords, and finally factory-reset your router.

Once you've done all that, change the router's administrative username and password, then recreate the original network names and access passwords so that your Wi-Fi-enabled devices can reconnect without trouble.

Router update and reset methods vary widely from brand to brand, but we've added links to instructions where we could. The full list of models known to be affected is below.

To be safe, ALL routers ought to be updated and factory-reset because of the VPNFilter malware, arduous as that process is, since we don't know where this is going to end. (If you're wondering why we're so insistent, it's because the malware has a scorched-earth module that will brick your router on command.)

The malware seems to infect only devices that are known to have had security flaws, all of which have fixes available. If you've kept up on your router patches, or your router patches itself automatically, you probably haven't been infected. Unfortunately, there's no way of knowing for sure.

Only a factory reset will remove the malware, which contains a beachhead module that survives regular reboots; only firmware patches will prevent you from being infected again. Ten days ago, the FBI took down a server from which the beachhead module got instructions to download additional malware components, but it appears that a fallback mechanism lets the beachhead module use other sources.

Affected Routers and Support Pages

Here's the list of affected devices. Not all devices are sold in North America:

Asus: RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, RT-N66U
Asus support page

D-Link: DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, DSR-1000N
D-Link support page specifically for VPNFilter

Huawei: HG8245
Unofficial reset instructions; we couldn't find the firmware

Linksys: E1200, E2500, E3000, E3200, E4200, RV082, WRVS4400N
Linksys support page

MikroTik: CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, STX5
MikroTik support page, which is pretty confusing

Netgear: DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, WNDR4300-TN, UTM50
Netgear support page

QNAP: TS251, TS439 Pro, other QNAP NAS devices running QTS software
QNAP firmware download page

TP-Link: R600VPN, TL-WR741ND, TL-WR841N
TP-Link support page

Ubiquiti: NSM2, PBE M5
Ubiquiti firmware and documentation

Upvel: unknown models
Upvel firmware downloads (in Russian)

ZTE: ZXHN H108N
ZTE support page

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • wzis
    I have told people many times, for network devices that run Linux, the vendors should install the WZSysGuard from WZIS Software in EEPROM on the devices, and in the device admin interface, allow users to run wzsgchk to see if any critical things on the device OS system got changed; it will check file integrity, find new network services started, new kernel modules loaded, new filesystems mounted, firewall rules changed, IP routing rules changed.
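The kind of baseline-and-diff check the comment above describes, written out as an added example; this is not code from the article, from the commenter, or from WZIS Software. It snapshots file hashes under a directory, listening TCP ports, loaded kernel modules and mounted filesystems on a Linux-based device, saves the snapshot as a baseline, and on later runs reports what changed. The /proc files it reads are standard Linux interfaces; the function names, the default /etc tree and baseline.json path are this example's own choices, and the sample /proc/net/tcp text in the test is constructed.

```python
"""Minimal integrity baseline for a Linux-based router or NAS (added example)."""
import hashlib
import json
import os
import sys
from pathlib import Path


def hash_tree(root):
    """Map every regular file under root to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            h = hashlib.sha256()
            try:
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            digests[str(path)] = h.hexdigest()
    return digests


def parse_listening_ports(proc_net_tcp_text):
    """Return the set of local TCP ports in LISTEN state (st field == 0A)."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def read_lines(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


def snapshot(root="/etc"):
    """Collect the current state; lists are sorted so the JSON baseline is stable."""
    modules = {ln.split()[0] for ln in read_lines("/proc/modules").splitlines() if ln.strip()}
    mounts = {" ".join(ln.split()[:3]) for ln in read_lines("/proc/mounts").splitlines() if ln.strip()}
    return {
        "files": hash_tree(root),
        "ports": sorted(parse_listening_ports(read_lines("/proc/net/tcp"))),
        "modules": sorted(modules),
        "mounts": sorted(mounts),
    }


def diff_snapshots(baseline, current):
    """Return what was added, removed or modified between two snapshots."""
    b_files, c_files = baseline["files"], current["files"]
    changes = {
        "files_added": sorted(set(c_files) - set(b_files)),
        "files_removed": sorted(set(b_files) - set(c_files)),
        "files_modified": sorted(p for p in b_files if p in c_files and b_files[p] != c_files[p]),
    }
    for key in ("ports", "modules", "mounts"):
        changes[key + "_added"] = sorted(set(current[key]) - set(baseline[key]))
        changes[key + "_removed"] = sorted(set(baseline[key]) - set(current[key]))
    return changes


if __name__ == "__main__":
    baseline_path = Path(sys.argv[1] if len(sys.argv) > 1 else "baseline.json")
    current = snapshot()
    if not baseline_path.exists():
        baseline_path.write_text(json.dumps(current, indent=1))
        print(f"baseline written to {baseline_path}")
    else:
        baseline = json.loads(baseline_path.read_text())
        for kind, items in diff_snapshots(baseline, current).items():
            for item in items:
                print(f"{kind}: {item}")
```

The first run writes the baseline; every later run prints only the differences, so a new listening port, a new kernel module or a changed file under /etc stands out. A baseline is only trustworthy if it was taken on a freshly patched and factory-reset device, and it should be stored off the device, since anything an attacker can rewrite can also be re-baselined.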