VPNFilter Malware Breakdown

Recently, a notice from the FBI warning small businesses and consumers to reboot their routers to protect against a strain of Russian-based malware called VPNFilter has caused quite a stir. In the security community, many organizations believe the scope of the attack to be much larger than initially thought. VPNFilter is a 3-stage malware (malicious software) that is initially installed on your router, “listens” to your traffic for specific items like usernames and passwords, and provides a backdoor into your device. This first stage survives a reboot, which is why many security analysts are recommending a complete factory reset of the router and an upgrade to the most current firmware. Once the malware has gathered the necessary information it proceeds to stages 2 and 3 which, according to an article by Ars Technica,

“provide advanced functions for things such as man-in-the-middle attacks and self-destruction capabilities”

These second and third stage pieces, however, do not survive a reboot and would have to be reinstalled. Such reinstallation is likely because stage 1 of the VPNFilter malware still lives on the device past an initial reboot.


How to Protect Against VPNFilter Malware

Since rebooting doesn’t actually rid your device of the backdoor, it isn’t enough to simply reboot. I STRONGLY advise that these steps be performed by a qualified technical person, since the factory reset wipes out all your settings and, depending on the level of customization (IP scopes, DHCP reservations, etc.), it can cause major issues.

The best method to ensure you and your network are protected against compromised router firmware is to:

  1. Reboot the device (either through the web management console or by hard-powering it off)
  2. Apply any firmware updates
  3. Pin-hole factory reset your device (there is a small recessed button on the back of every router that allows you to factory reset it; this should remove any lingering VPNFilter malware)
  4. Ensure administrative services/management interfaces are not available publicly over the internet (outside your network)

Unfortunately, there is no good way to find out whether your device is compromised. The only methods involve poring through log files for odd inconsistencies in traffic flow, or downloading a copy of the running firmware to compare against the manufacturer’s firmware.
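The firmware comparison mentioned above can be done mechanically. The script below is an added example written for this post (it is not code from the original article or from any router vendor): it hashes an image and checks it against a hash the vendor publishes, and, when two images differ, reports where they diverge. Both images here are constructed byte strings so the script runs offline; `PUBLISHED_SHA256` stands in for the hash on the vendor’s download page, and `sha256_of_file` is the helper you would use on real image files dumped from the device and downloaded from the manufacturer.

```python
"""
Added example (not from the original post): compare a firmware image dumped
from a router against the vendor's published image. The sample images and the
"published" hash below are constructed so the script runs offline.
"""
import hashlib
import hmac
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an in-memory image, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of an image file on disk, read in chunks so large images fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_published_hash(data: bytes, published_sha256: str) -> bool:
    """Constant-time comparison of the image digest with the vendor's published hash."""
    return hmac.compare_digest(sha256_hex(data), published_sha256.lower())


def compare_images(reference: bytes, running: bytes) -> dict:
    """Report whether two images are identical and, if not, where they diverge."""
    result = {
        "reference_sha256": sha256_hex(reference),
        "running_sha256": sha256_hex(running),
        "identical": hmac.compare_digest(reference, running),
        "size_reference": len(reference),
        "size_running": len(running),
        "first_diff_offset": None,
        "differing_bytes": 0,
    }
    if result["identical"]:
        return result
    common = min(len(reference), len(running))
    diffs = [i for i in range(common) if reference[i] != running[i]]
    # Bytes beyond the shorter image count as differences too (e.g. data appended to the image).
    extra = abs(len(reference) - len(running))
    result["differing_bytes"] = len(diffs) + extra
    if diffs:
        result["first_diff_offset"] = diffs[0]
    elif extra:
        result["first_diff_offset"] = common
    return result


# Constructed sample data: a fake 4 KiB "vendor image" and a copy with four
# bytes patched near the end, standing in for an image dumped from a router.
VENDOR_IMAGE = bytes(range(256)) * 16
TAMPERED_IMAGE = VENDOR_IMAGE[:4000] + b"\xde\xad\xbe\xef" + VENDOR_IMAGE[4004:]
# Placeholder for the hash the vendor publishes alongside the download.
PUBLISHED_SHA256 = sha256_hex(VENDOR_IMAGE)


if __name__ == "__main__":
    print("running image matches vendor hash:",
          matches_published_hash(TAMPERED_IMAGE, PUBLISHED_SHA256))
    for key, value in compare_images(VENDOR_IMAGE, TAMPERED_IMAGE).items():
        print(f"{key}: {value}")
```

A mismatch is not proof of compromise on its own (some devices store per-unit data such as serial numbers or calibration blocks inside the flash region you dump), but the first differing offset tells you which part of the image to inspect, and a clean match against the vendor hash rules out a modified image.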


Affected Devices

Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-Link Devices:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

Huawei Devices:
HG8245 (new)

Linksys Devices:
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)

Mikrotik Devices:
CCR1009 (new)
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

Netgear Devices:
DG834 (new)
DGN1000 (new)
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP Devices:
TS439 Pro
Other QNAP NAS devices running QTS software

TP-Link Devices:
TL-WR741ND (new)
TL-WR841N (new)

Ubiquiti Devices:
NSM2 (new)
PBE M5 (new)

Upvel Devices:
Unknown Models* (new)

ZTE Devices:
ZXHN H108N (new)
