Russian VPNFilter Router Malware Much Worse Than Thought: What to Do

Remember that Russian router malware warning from last week? The situation is even worse than we originally thought, and a whole lot more router owners are going to have to factory-reset their devices and install firmware updates.

Not only are many more Linksys, MicroTik, Netgear and TP-Link routers vulnerable to the VPNFilter malware, according a report today (June 6) from Cisco Talos labs, but several Asus and D-Link models are now also thought to be vulnerable, as well as a couple of Ubiquiti routers and individual Huawei, Upvel and ZTE devices. In all, nearly 70 devices are impacted, including QNAP network-attached-storage drives.

The malware itself has a previously unnoticed capability: It can stage a man-in-the-middle attack on your web traffic, altering what you see online and possibly hiding other nefarious deeds.

"They can manipulate everything going through the compromised device," a Cisco Talos researcher told Ars Technica. "They can modify your bank-account balance so that it looks normal while at the same time they're siphoning off money."

How to Protect Yourself

To really be protected from VPNFilter, you need to first fully update your router's firmware, then write down all your Wi-Fi network names and passwords, and finally factory-reset your router.

Once you've done all that, change the router's administrative username and password, then recreate the original network names and access passwords so that your Wi-Fi-enabled devices can reconnect without trouble.

Router update and reset methods vary widely from brand to brand, but we've added links to instructions where we could. The full list of models known to be affected is below.

MORE: Your Router's Security Stinks: Here's How to Fix It

To be safe, ALL routers ought to be updated and factory-reset because of the VPNFilter malware, despite that being an arduous process, because we don't know where this is going to end. (If you're wondering why we're so insistent, it's because the malware has a scorched-earth module that will brick your router on command.)

The malware seems to infect only devices that are known to have had security flaws, all of which have fixes available. If you've kept up on your router patches, or your router patches itself automatically, you probably haven't been infected. Unfortunately, there's no way of knowing for sure.

Only a factory reset will remove the malware, which contains a beachhead module that survives regular reboots; only firmware patches will prevent you from being infected again. Ten days ago, the FBI took down a server from which the beachhead module got instructions to download additional malware components, but it appears that a fallback mechanism lets the beachhead module use other sources.

Affected Routers and Support Pages

Here's the list of affected devices. Not all devices are sold in North America:

Asus RT-AC66U

Asus RT-N10

Asus RT-N10E

Asus RT-N10U

Asus RT-N56U

Asus RT-N66U

Asus support page

D-Link DES-1210-08P

D-Link DIR-300

D-Link DIR-300A

D-Link DSR-250N

D-Link DSR-500N

D-Link DSR-1000

D-Link DSR-1000N

D-Link support page specifically for VPNFilter

Huawei HG8245

Unofficial reset instructions; we couldn't find the firmware

Linksys E1200

Linksys E2500

Linksys E3000

Linksys E3200

Linksys E4200

Linksys RV082

Linksys WRVS4400N

Linksys support page

MikroTik CCR1009

MikroTik CCR1016

MikroTik CCR1036

MikroTik CCR1072

MikroTik CRS109

MikroTik CRS112

MikroTik CRS125

MikroTik RB411

MikroTik RB450

MikroTik RB750

MikroTik RB911

MikroTik RB921

MikroTik RB941

MikroTik RB951

MikroTik RB952

MikroTik RB960

MikroTik RB962

MikroTik RB1100

MikroTik RB1200

MikroTik RB2011

MikroTik RB3011

MikroTik RB Groove

MikroTik RB Omnitik

MikroTik STX5

MicroTik support page, which is pretty confusing

Netgear DG834

Netgear DGN1000

Netgear DGN2200

Netgear DGN3500

Netgear FVS318N

Netgear MBRN3000

Netgear R6400

Netgear R7000

Netgear R8000

Netgear WNR1000

Netgear WNR2000

Netgear WNR2200

Netgear WNR4000

Netgear WNDR3700

Netgear WNDR4000

Netgear WNDR4300

Netgear WNDR4300-TN

Netgear UTM50

Netgear support page

QNAP TS251

QNAP TS439 Pro

Other QNAP NAS devices running QTS software

QNAP firmware download page

TP-Link R600VPN

TP-Link TL-WR741ND

TP-Link TL-WR841N

TP-Link support page

Ubiquiti NSM2

Ubiquiti PBE M5

Ubiquiti firmware and documentation

Upvel -- unknown models

Upvel firmware downloads (in Russian)

ZTE Devices ZXHN H108N

ZTE support page

Create a new thread in the Off-Topic / General Discussion forum about this subject
This thread is closed for comments
1 comment
Comment from the forums
    Your comment
  • wzis
    I have told people many times, for network devices that run Linux, the vendors should install the WZSysGuard from WZIS Software in EEPROM on the devices, and in the device admin interface, allow user to run wzsgchk to see if any critical things on the device OS system got changed, it will check file integrity, find new network service started, new kernel module loaded, new filesystem mounted, firewall rule changed, IP routing rule changed.