Russian VPNFilter Router Malware Much Worse Than Thought: What to Do
Dangerous malware targets Asus, D-Link, Linksys, Netgear and other routers. You should update the firmware and reset the router. Here's how.
Remember that Russian router malware warning from last week? The situation is even worse than we originally thought, and a whole lot more router owners are going to have to factory-reset their devices and install firmware updates.
Not only are many more Linksys, MikroTik, Netgear and TP-Link routers vulnerable to the VPNFilter malware, according to a report today (June 6) from Cisco Talos labs, but several Asus and D-Link models are now also thought to be vulnerable, as well as a couple of Ubiquiti routers and individual Huawei, Upvel and ZTE devices. In all, nearly 70 devices are impacted, including QNAP network-attached-storage drives.
The malware itself has a previously unnoticed capability: It can stage a man-in-the-middle attack on your web traffic, altering what you see online and possibly hiding other nefarious deeds.
"They can manipulate everything going through the compromised device," a Cisco Talos researcher told Ars Technica. "They can modify your bank-account balance so that it looks normal while at the same time they're siphoning off money."
How to Protect Yourself
To really be protected from VPNFilter, you need to first fully update your router's firmware, then write down all your Wi-Fi network names and passwords, and finally factory-reset your router.
Once you've done all that, change the router's administrative username and password, then recreate the original network names and access passwords so that your Wi-Fi-enabled devices can reconnect without trouble.
Router update and reset methods vary widely from brand to brand, but we've added links to instructions where we could. The full list of models known to be affected is below.
To be safe, ALL routers ought to be updated and factory-reset because of the VPNFilter malware, despite that being an arduous process, because we don't know where this is going to end. (If you're wondering why we're so insistent, it's because the malware has a scorched-earth module that will brick your router on command.)
The malware seems to infect only devices that are known to have had security flaws, all of which have fixes available. If you've kept up on your router patches, or your router patches itself automatically, you probably haven't been infected. Unfortunately, there's no way of knowing for sure.
Only a factory reset will remove the malware, which contains a beachhead module that survives regular reboots; only firmware patches will prevent you from being infected again. Ten days ago, the FBI took down a server from which the beachhead module got instructions to download additional malware components, but it appears that a fallback mechanism lets the beachhead module use other sources.
Affected Routers and Support Pages
Here's the list of affected devices. Not all devices are sold in North America:
Asus RT-AC66U
Asus RT-N10
Asus RT-N10E
Asus RT-N10U
Asus RT-N56U
Asus RT-N66U
D-Link DES-1210-08P
D-Link DIR-300
D-Link DIR-300A
D-Link DSR-250N
D-Link DSR-500N
D-Link DSR-1000
D-Link DSR-1000N
D-Link support page specifically for VPNFilter
Huawei HG8245
Unofficial reset instructions; we couldn't find the firmware
Linksys E1200
Linksys E2500
Linksys E3000
Linksys E3200
Linksys E4200
Linksys RV082
Linksys WRVS4400N
MikroTik CCR1009
MikroTik CCR1016
MikroTik CCR1036
MikroTik CCR1072
MikroTik CRS109
MikroTik CRS112
MikroTik CRS125
MikroTik RB411
MikroTik RB450
MikroTik RB750
MikroTik RB911
MikroTik RB921
MikroTik RB941
MikroTik RB951
MikroTik RB952
MikroTik RB960
MikroTik RB962
MikroTik RB1100
MikroTik RB1200
MikroTik RB2011
MikroTik RB3011
MikroTik RB Groove
MikroTik RB Omnitik
MikroTik STX5
MikroTik support page, which is pretty confusing
Netgear DG834
Netgear DGN1000
Netgear DGN2200
Netgear DGN3500
Netgear FVS318N
Netgear MBRN3000
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
Netgear WNR2200
Netgear WNR4000
Netgear WNDR3700
Netgear WNDR4000
Netgear WNDR4300
Netgear WNDR4300-TN
Netgear UTM50
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
TP-Link TL-WR741ND
TP-Link TL-WR841N
Ubiquiti NSM2
Ubiquiti PBE M5
Ubiquiti firmware and documentation
Upvel -- unknown models
Upvel firmware downloads (in Russian)
ZTE Devices ZXHN H108N
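To triage a home or office inventory against the list above, this added example (not from the article or from Cisco Talos) normalizes vendor and model strings, then flags exact matches, likely variants of a listed model, and vendors the list names without full model details. The suffix-as-variant rule and the sample inventory are assumptions; an "unlisted" result only sets priority, since the article advises updating and resetting all routers.

```python
import re
# Affected models as listed in the article above, keyed by normalized vendor name.
AFFECTED = {
    "asus": "RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, RT-N66U",
    "dlink": "DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, DSR-1000N",
    "huawei": "HG8245",
    "linksys": "E1200, E2500, E3000, E3200, E4200, RV082, WRVS4400N",
    "mikrotik": "CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, "
                "RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, "
                "RB2011, RB3011, RB Groove, RB Omnitik, STX5",
    "netgear": "DG834, DGN1000, DGN2200, DGN3500, FVS318N, MBRN3000, R6400, R7000, R8000, "
               "WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000, WNDR4300, "
               "WNDR4300-TN, UTM50",
    "qnap": "TS251, TS439 Pro",
    "tplink": "R600VPN, TL-WR741ND, TL-WR841N",
    "ubiquiti": "NSM2, PBE M5",
    "zte": "ZXHN H108N",
}
VENDOR_WIDE = {"qnap", "upvel"}     # listed in the article without a complete model list
ALIASES = {"microtik": "mikrotik"}  # both spellings appear in the article

def _norm(text):
    # Lowercase and drop punctuation/spaces so "TS-251" compares equal to "TS251".
    return re.sub(r"[^a-z0-9]", "", text.lower())

def triage(vendor, model):
    """Classify one device as 'listed', 'variant', 'vendor' or 'unlisted'."""
    v = ALIASES.get(_norm(vendor), _norm(vendor))
    m = _norm(model)
    listed = [_norm(x) for x in AFFECTED.get(v, "").split(",") if x.strip()]
    if m in listed:
        return "listed"
    for base in listed:
        # Assumption: a suffix (hardware revision, radio option) marks a variant of
        # a listed base model, unless a digit follows (DIR-3000 is not DIR-300).
        if m.startswith(base) and not m[len(base)].isdigit():
            return "variant"
    return "vendor" if v in VENDOR_WIDE else "unlisted"

# Constructed sample inventory: (vendor, model as printed on the device label).
INVENTORY = [("Netgear", "R7000"), ("TP-Link", "TL-WR841N v9"), ("MicroTik", "RB951Ui-2HnD"),
             ("D-Link", "DIR-3000"), ("QNAP", "TS-453"), ("Asus", "RT-AC68U")]

def report(inventory):
    """Return (status, vendor, model) rows, most urgent first."""
    order = {"listed": 0, "variant": 1, "vendor": 2, "unlisted": 3}
    return sorted(((triage(v, m), v, m) for v, m in inventory), key=lambda r: order[r[0]])

if __name__ == "__main__":
    for row in report(INVENTORY):
        print(*row)
```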
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.