How to Fix: VPNFilter Router Malware (And Test if Vulnerable)


Infopackets Reader Gord F. writes:

" Dear Dennis,

I have heard from the media and some friends that I should reboot my router due to Russian malware that is infecting routers. I have done some research on the subject and the story made headlines back around May 29, 2018, followed by more updates to suggest that the VPNFilter Router Malware is much worse than originally thought. I have checked and mine does not seem to be on the list of affected routers. What should I do now? "

My response:

From what I understand, the VPNFilter router malware affects routers made by Cisco/Linksys, MikroTik, NETGEAR, and TP-Link. Some QNAP NAS boxes are also vulnerable to infection. I will provide a full list further down.

Affected routers are especially vulnerable if the default user name and password for the router administration page have not been changed. Most routers ship with a default user name and password (example: user: admin, password: admin). That said, hackers are able to bypass the router administration user name and password (even if you did change it) as long as the router has not been patched against this exploit - and patching is ONLY possible if fixed firmware is available.

How VPNFilter Router Malware Works

The router malware has three stages.

In the first stage, hackers are able to extract your IP address; this stage is not malicious. In the second stage, hackers are able to sniff your router's packets (also known as "data exfiltration") and dump a payload onto your network for remote code execution. At this stage, hackers can also brick your router remotely if they want to.

In the third and final stage, the router is controlled remotely by malicious servers. In this stage, the router can relay your data to a third party (also known as a "man-in-the-middle attack"), which can then alter your web traffic and redirect you to malicious websites, among many other nefarious things.

How to Fix: VPNFilter Router Malware (And Test if Vulnerable)

The media, as well as the FBI, have suggested rebooting the router to temporarily fix the issue. The key word here is temporarily.

The truth of the matter is that rebooting an unpatched router is similar to rebooting an unpatched computer. Once the router (computer) reboots, it reloads the operating system (firmware) from the beginning. Since the router is not patched, it is still vulnerable, so infection can take place again at any time - perhaps instantly, even right after it is rebooted.

Therefore, the ONLY way to fix this problem is to update the router with firmware specifically designed to fix this flaw. To do so, you would have to visit your router's firmware page (provided by the manufacturer's website, also listed further down the page). The firmware date would most likely be sometime after May 29, 2018 and would likely mention the "VPN Filter Malware flaw" somewhere in the description. If it does not, then it most likely does not fix the issue - but there are also other options, described below.

What to do if No Firmware Upgrade is Available

If your router is an older unit, chances are it is vulnerable because new router exploits are discovered all the time. That said, oftentimes older routers won't receive firmware updates because hardware companies no longer support these devices (because they favor newer models). Even so, sometimes hardware companies won't release firmware updates even if it is a newer model and it's still supported.

Therefore, you have three options:

  • Option #1: You can wait for the router company to release firmware. This may take weeks, months, or may never happen. In the meantime, you're vulnerable.
     
  • Option #2: You can upgrade your router to use open source DD-WRT firmware or Open WRT firmware. This option has pros and cons. First, both of these firmware options are provided by third parties and are therefore not supported by the original router manufacturer; as such, it will void your warranty. Second, updating firmware on any device comes with the risk of bricking the router if the upgrade fails and/or is not done properly. Now for the pros: the firmware is kept up to date and protects you against router malware.
     
  • Option #3: Buy a new router. This can be tricky because most routers out of the box are going to be vulnerable because the exploit was only recently discovered. Therefore you would have to research router models (using Amazon, for example), then go to the manufacturer's website to see if a router firmware update is available. You can also go to the DD-WRT or Open WRT websites to see if that particular router is supported using open source firmware.

VPNFilter List of Affected Routers

Here is a list of known affected routers; note that not all devices are sold in North America.

You can also check your router for the vulnerability using Symantec's VPNFilter check - described further down.

  • Asus: Asus RT-AC66U, Asus RT-N10, Asus RT-N10E, Asus RT-N10U, Asus RT-N56U, Asus RT-N66U, Asus support page
     
  • D-Link: D-Link DES-1210-08P, D-Link DIR-300, D-Link DIR-300A, D-Link DSR-250N, D-Link DSR-500N, D-Link DSR-1000, D-Link DSR-1000N, D-Link support page specifically for VPNFilter
     
  • Huawei: Huawei HG8245, Huawei unofficial reset instructions
     
  • Linksys / Cisco: Linksys E1200, Linksys E2500, Linksys E3000, Linksys E3200, Linksys E4200, Linksys RV082, Linksys WRVS4400N, Linksys support page
     
  • MikroTik: MikroTik CCR1009, MikroTik CCR1016, MikroTik CCR1036, MikroTik CCR1072, MikroTik CRS109, MikroTik CRS112, MikroTik CRS125, MikroTik RB411, MikroTik RB450, MikroTik RB750, MikroTik RB911, MikroTik RB921, MikroTik RB941, MikroTik RB951, MikroTik RB952, MikroTik RB960, MikroTik RB962, MikroTik RB1100, MikroTik RB1200, MikroTik RB2011, MikroTik RB3011, MikroTik RB Groove, MikroTik RB Omnitik, MikroTik STX5, MikroTik support page
     
  • Netgear: Netgear DG834, Netgear DGN1000, Netgear DGN2200, Netgear DGN3500, Netgear FVS318N, Netgear MBRN3000, Netgear R6400, Netgear R7000, Netgear R8000, Netgear WNR1000, Netgear WNR2000, Netgear WNR2200, Netgear WNR4000, Netgear WNDR3700, Netgear WNDR4000, Netgear WNDR4300, Netgear WNDR4300-TN, Netgear UTM50, Netgear support page
     
  • QNAP: QNAP TS251, QNAP TS439 Pro, Other QNAP NAS devices running QTS software, QNAP firmware download page
     
  • TP-Link: TP-Link R600VPN, TP-Link TL-WR741ND, TP-Link TL-WR841N, TP-Link support page
     
  • Ubiquiti: Ubiquiti NSM2, Ubiquiti PBE M5, Ubiquiti firmware and documentation
     
  • Upvel: unknown models, Upvel firmware downloads (in Russian)
     
  • ZTE: ZTE ZXHN H108N, ZTE support page
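The two checks this article describes (is the model on the affected list, and does the firmware you found actually look like a VPNFilter fix, i.e. released after May 29, 2018 and naming VPNFilter in its description) can be turned into a small triage script, which is handy if you look after more than one router. The following is an added example written for this page, not code from Infopackets or any router vendor. The model list is copied from the list above; the vendor aliases, the prefix matching of model names, the status strings and the sample firmware notes are my own assumptions and constructed data. QNAP's "other QTS devices" and Upvel's "unknown models" cannot be matched by name, so this script will report them as not listed.

```python
import re
from datetime import date

# The disclosure date the article uses as the cut-off for "is this firmware new enough?"
DISCLOSURE = date(2018, 5, 29)
# Accept "VPNFilter", "VPN Filter", "vpn-filter" and similar spellings in a changelog.
VPNFILTER_MENTION = re.compile(r"vpn[\s_-]*filter", re.IGNORECASE)

# Models named in the article's list (multi-word names hyphenated for tokenising).
AFFECTED_MODELS = {
    "Asus": "RT-AC66U RT-N10 RT-N10E RT-N10U RT-N56U RT-N66U",
    "D-Link": "DES-1210-08P DIR-300 DIR-300A DSR-250N DSR-500N DSR-1000 DSR-1000N",
    "Huawei": "HG8245",
    "Linksys": "E1200 E2500 E3000 E3200 E4200 RV082 WRVS4400N",
    "MikroTik": "CCR1009 CCR1016 CCR1036 CCR1072 CRS109 CRS112 CRS125 RB411 RB450 "
                "RB750 RB911 RB921 RB941 RB951 RB952 RB960 RB962 RB1100 RB1200 "
                "RB2011 RB3011 RB-Groove RB-Omnitik STX5",
    "Netgear": "DG834 DGN1000 DGN2200 DGN3500 FVS318N MBRN3000 R6400 R7000 R8000 "
               "WNR1000 WNR2000 WNR2200 WNR4000 WNDR3700 WNDR4000 WNDR4300 "
               "WNDR4300-TN UTM50",
    "QNAP": "TS251 TS439-Pro",
    "TP-Link": "R600VPN TL-WR741ND TL-WR841N",
    "Ubiquiti": "NSM2 PBE-M5",
    "ZTE": "ZXHN-H108N",
}
# Assumed aliases: the article lists Linksys and Cisco together.
VENDOR_ALIASES = {"CISCO": "LINKSYS", "MICROTIK": "MIKROTIK"}


def _norm(text):
    """Case-fold and drop separators so 'RT-N66U', 'rt n66u' and 'RTN66U' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", text.upper())


def find_listed_model(vendor, model):
    """Return the listed model token that matches, or None if the device is not on the list."""
    key = _norm(vendor)
    key = VENDOR_ALIASES.get(key, key)
    listed = next((v for k, v in AFFECTED_MODELS.items() if _norm(k) == key), None)
    if listed is None:
        return None
    wanted = _norm(model)
    # Prefix matching tolerates marketing suffixes ("R7000 Nighthawk"); the longest
    # token wins so "RT-N10E" resolves to RT-N10E rather than RT-N10.
    hits = [tok for tok in listed.split() if wanted.startswith(_norm(tok))]
    return max(hits, key=len) if hits else None


def firmware_addresses_vpnfilter(release_date, notes):
    """The article's two-part test: released after the disclosure and the notes name VPNFilter."""
    return release_date > DISCLOSURE and VPNFILTER_MENTION.search(notes) is not None


def triage(vendor, model, release_date_iso, notes):
    """Combine both checks into a status plus the article's recommended next step."""
    listed = find_listed_model(vendor, model)
    if listed is None:
        return {"status": "not-listed", "model": None,
                "advice": "Not on the published list; run the Symantec VPNFilter check "
                          "and keep the firmware current anyway."}
    if firmware_addresses_vpnfilter(date.fromisoformat(release_date_iso), notes):
        return {"status": "listed-fix-available", "model": listed,
                "advice": "Install this firmware, then change the default admin password."}
    return {"status": "listed-no-fix", "model": listed,
            "advice": "A reboot is only temporary: wait for vendor firmware, move to "
                      "DD-WRT/Open WRT, or replace the router."}


# Constructed sample firmware notes for the demo (not real vendor release notes).
SAMPLE_FIRMWARE = [
    ("Linksys", "E2500", "2018-06-12", "Security update: mitigates the VPN Filter malware."),
    ("Netgear", "R7000 Nighthawk", "2018-04-03", "Improves wireless stability."),
    ("Asus", "RT-AC88U", "2018-06-20", "General security fixes."),
]

if __name__ == "__main__":
    for entry in SAMPLE_FIRMWARE:
        result = triage(*entry)
        print(f"{entry[0]} {entry[1]}: {result['status']} - {result['advice']}")
```

Run it with `python3 vpnfilter_triage.py` to see the three sample verdicts; to use it on your own device, call `triage()` with the vendor, the model printed on the router's label, and the release date and description text from the firmware download page. A "listed-fix-available" result only means the firmware claims to address VPNFilter; you still need to install it and then change the administration password, because the article's point is that an unpatched router is re-infectable no matter how often it is rebooted.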

Is Your Router Vulnerable? Check with 1 Click

The list above may change at any time; also, older routers may be vulnerable simply because they are using older firmware. Therefore we suggest you visit the Symantec website to run a VPNFilter vulnerability check. When you're done scanning your router, come back to this page.

Additional 1-on-1 Support: From Dennis

If your router is affected by the VPNFilter malware and you need help patching it, I can help using my remote desktop support service. Simply contact me, briefly describing the issue and I will get back to you as soon as possible.

Got a Computer Question or Problem? Ask Dennis!

I need more computer questions. If you have a computer question -- or even a computer problem that needs fixing -- please email me with your question so that I can write more articles like this one. I can't promise I'll respond to all the messages I receive (depending on the volume), but I'll do my best.

About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise cover a broad range and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelor's degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via live chat on this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.
