
The Router-Based Malware 'VPNFilter' and How to Protect Yourself

Recently, the FBI issued a somewhat disturbing public service announcement advising everyone to restart their routers. The advice is meant to stop nasty router malware from taking over your hardware. Considering the threat is big enough for the FBI to make a public service announcement, it can be worrying to think about what might be hiding inside your router. So what is it, and what can you do? Let's break down this new threat to see how it works and how you can protect yourself from it.


What is it?


So once this new malware enters a router, what does it do? VPNFilter is quite advanced and deploys its payload in three steps:

  1. The first stage is where the malware installs itself on a vulnerable router and configures itself to persist even after the router has been turned off.
  2. Once the first stage is successfully installed, the second stage begins. This involves installing VPNFilter's ability to run commands, collect files, and manage the router. It has enough control over the router to permanently damage router system files (known as bricking) on command if necessary.
  3. Once Stage 2 has been successfully deployed, Stage 3 acts as a set of plug-ins installed on top of Stage 2. Stage 3 allows hackers to look inside the packets passing through the router, which is where your data travels. It also grants Stage 2 the ability to communicate via Tor.

When the router is power cycled (turned off and on again), Stages 2 and 3 are erased, but the "seed" that was set up in Stage 1 persists. Either way, the most damaging part of the VPNFilter malware is wiped by the restart, which is why people have been told to restart their routers.

Does this affect all routers?


Not all routers can be affected by VPNFilter. Symantec details which routers are vulnerable.

“To date, VPNFilter is known to be able to infect enterprise and small office/home office routers from Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. These include:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • MikroTik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN”

If you own one of the devices above, check your manufacturer's support page for updates and tips on how to defeat VPNFilter. Most should have a firmware update that should fully protect you from VPNFilter's attack vectors.
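An added example (not from the original article or from Symantec): a small Python audit that checks a device inventory against the models listed above. The CSV columns, the `norm`/`classify`/`audit` names, the choice to treat hardware-revision suffixes such as "v2" as the same model, and the sample rows are assumptions made for illustration.

```python
import csv, io, re

# Models named in the list quoted on this page, keyed by normalised vendor.
AFFECTED = {
    "linksys": {"E1200", "E2500", "WRVS4400N"},
    "netgear": {"DGN2200", "R6400", "R7000", "R8000", "WNR1000", "WNR2000"},
    "qnap": {"TS251", "TS439PRO"},
    "tplink": {"R600VPN"},
}
MIKROTIK_CCR = ("1016", "1036", "1072")  # Cloud Core Router versions on the page

def norm(s):
    """Uppercase and drop spaces/punctuation so 'TS-251' matches 'TS251'."""
    return re.sub(r"[^A-Z0-9]", "", s.upper())

def classify(vendor, model, os_name=""):
    """Return 'listed', 'review' or 'not-listed' for one inventory row."""
    v, m = norm(vendor).lower(), norm(model)
    # Assumption: a revision suffix ('R7000 v2') is flagged as the same model.
    m_base = re.sub(r"V\d+$", "", m)
    if m in AFFECTED.get(v, ()) or m_base in AFFECTED.get(v, ()):
        return "listed"
    if v == "mikrotik" and m.startswith("CCR") and m[3:7] in MIKROTIK_CCR:
        return "listed"
    if v == "qnap" and norm(os_name).startswith("QTS"):
        return "listed"   # "Other QNAP NAS devices running QTS software"
    if v == "qnap":
        return "review"   # QNAP with unknown OS: confirm whether it runs QTS
    return "not-listed"   # only means: absent from this page's list

def audit(inventory_csv):
    """Map host -> status for CSV text with columns host,vendor,model,os."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["vendor"], r["model"], r.get("os") or "") for r in rows}

# Constructed sample inventory (hostnames and OS versions are made up).
SAMPLE = """host,vendor,model,os
gw-home,NETGEAR,R7000 v2,
gw-branch,MikroTik,CCR1036-12G-4S,RouterOS
nas-1,QNAP,TS-251,QTS 4.3
nas-2,QNAP,TS-453A,
vpn-gw,TP-Link,R600VPN,
ap-lab,Ubiquiti,EdgeRouter X,EdgeOS
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:10} {status}")
```

Devices reported as "listed" or "review" are the ones to take through the factory reset, firmware update, credential change and remote-management steps this article describes.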

Is it irreparable?

Luckily, despite the fact that it looks like VPNFilter will be in routers forever, there are ways to get rid of it. Although VPNFilter makes sure it persists during router power off, it cannot survive a factory reset. If you run your router through one of these, the malware will get caught in the wipe and will be effectively eliminated from your router.

Once done, make sure to change your network credentials and also disable remote management settings. Your information may have been leaked in the attack, and preventing remote access may prevent a future attack from reaching your PCs and home devices.

Getting Rid of VPNFilter

While VPNFilter is a nasty piece of kit that has aroused the interest of the FBI, it's not unbeatable! By performing a factory reset, you can clear your router of any malware. Also, if your manufacturer has released an update, you can avoid getting infected again later.
