
What Should I Do About the VPNFilter Router Exploit?

Malware known as VPNFilter is infecting routers worldwide. Depending on what you read, hundreds of thousands, if not millions, of routers are affected.

Not all routers are affected, and what steps to take will vary depending on what router you have. The good news appears to be that if you’ve already followed best router safety practices and changed the admin password, your router may well be immune.

The problem? There’s no way to confirm that your router is or is not impacted. What you need to do, if anything, varies depending on the router you have.


VPNFilter

Routers are nothing more than single-purpose computers. They generally run a version of Linux, though that’s normally not evident. The software running on the router performs its various functions, from routing data packets across various network connections to providing the administrative interface that you and I use to configure the device.

VPNFilter is malware that infects the router itself. It’s fairly sophisticated, and made up of three separate stages. Once a router is infected, the first stage survives a reboot and acts as a boot loader for the subsequent stages, which perform the actual malicious activity.

The malicious activity could be just about anything, but there are generally two areas of concern:

  • The router can be remotely controlled to act as a spambot, or to participate in a distributed denial of service (DDoS) attack.
  • The router acts as a “man in the middle”, examining the data you send to and receive from various websites. In the worst case, it could capture usernames and passwords. In the absolute worst case, there is concern that it could intercept HTTPS connections.

Needless to say, it’s worrisome malware and has made headlines of late.

Exactly what you need to do is unclear, and worse, potentially ineffective.

See if you’re known to be impacted

Various articles include specific lists of router manufacturers and models that are known to be vulnerable. As of this writing, the Ars Technica article VPNFilter malware infecting 500,000 devices is worse than we thought has a good list.

You can identify your router’s manufacturer and model number by looking either at the device itself or in the administration software. I can’t tell you exactly where to look, since this will vary from manufacturer to manufacturer and model to model. (This will be a common theme.)

If your router is on the list, that doesn’t mean it is infected; it simply means it may be vulnerable. However, particularly if you’ve never changed the administrator password on the device, you’ll want to act as if it is infected.

If you don’t find your router on the list, the chances of being infected are lower, but sadly, not zero. As that article explains, more impacted router models were discovered after the initial malware discovery. It’s possible the list will grow over time.

Rebooting the router

The United States FBI has been advising that you reboot your router.

If your router is infected, rebooting will not remove the malware. As I mentioned above, if it’s present, the malware persists across reboots. Rebooting just reverts the malware to “stage 1”, which does nothing more than attempt to load stages two and three.

The act of loading stages two and three may allow security researchers to identify their source more clearly, with the goal of shutting them down. It’s never as simple as locating a single server or source, but hopefully they’ll be able to identify the approach being used to distribute those additional stages.

My assumption is that if stages two and three can be shut down or prevented, stage one would someday become inconsequential and benign.

Until that happens, an infected router can become re-infected after a reboot. I can’t tell you how quickly that happens, how often you might want to reboot your router, or even whether repeated reboots are advisable.

Check with your router manufacturer or vendor

The manufacturer of your router should be the canonical source of information about how VPNFilter affects their device. They should have a determination of which of their devices are impacted, and what to do if they are.

I say “should” because this is also one of those things that will vary from one device manufacturer to another. Some will be on top of it, and others not so much.

Many routers are provided by ISPs and locked down in such a way that you may not have the access you need to take recommended actions. All you can do in that case is contact your ISP for guidance.

Exactly what your router manufacturer will advise will vary, once again depending on the manufacturer and model. Options range from doing nothing — you’re not impacted — to resetting the router to factory settings (which seems to remove even stage one on most routers) and then immediately changing the administrative password.

In almost all cases, you’ll want to keep an eye out for upgraded router firmware correcting the original vulnerability that allowed all this to happen.

Keep your router secure

I’ve not found absolute confirmation, but it appears that the most vulnerable routers are those whose administrator password has not been changed and/or that have remote administration enabled.

Honestly, that’s not surprising.

Regardless of the specifics of your router, fix that now, if you haven’t already. If you review 7 Steps to a Secure Router (which I recommend you do), you’ll see that changing the admin password and disabling remote administration are steps one and two.

The best advice I can offer specifically related to VPNFilter is to keep an eye on your router’s manufacturer for more information relating to your specific router. Hopefully, they’ll be able to clearly tell you exactly what — if anything — you need to do.


11 comments on “What Should I Do About the VPNFilter Router Exploit?”

  1. A few months before this exploit was announced, I had attempted to enter my router — as I have done many times before — to change a certain setting. I was unable to get into it using my correct (long) password. My ISP has either intentionally or by mistake made it impossible for users to access their routers given to them by the ISP which they have bought out. The only “remedy” advice I was able to find online was to “reset” the router by unplugging it, and that had the result that I was still unable to access the router settings screen. Although I’ve been unable to get into the settings, the “remedy” advice stated that unplugging it resets the password to “password”. To make things even worse, I followed the FBI advice to do the same thing, unplug the router again, which was supposed to remove this exploit. So now, my concern is whether it is certain that I’m without my (long, unique) password. Apparently the only way to find out is contact the company and I’ve found by experience this is usually nothing but frustration.

    • I can’t say this is true for your router, but I’ve had several routers and reset them all several times, and the password has never been reset. Some routers have a password reset button which you have to press with a paper clip to reset the password. I can’t believe that any router would reset the password to the factory default simply by unplugging the router.

      • Usually reset to factory requires something else — like a long press of a hidden button. But that then does typically reset the password to factory default as well.

        • Many router resets are not simply pulling the plug and rebooting. As I have found out and am used to now: pull the power plug out of the back (or side, depending on your manufacturer), press and hold the reset button in, then insert the power plug. Your router will be restored to default factory settings. From there you can set up your router as if it were (out-of-the-box) new.

          Thanks Leo, great job.

      • Oh snap, now that you mention it, I believe I did push that hidden button with the paperclip to reset it when I first could not get into it. Sorry for the confusion 😉

  2. Leo, we owe you too much for these articles, been reading for years. After reading this one, checked on my Technicolor C1100T – guess what?

    THE ADMIN PASSWORD HAD BEEN SET BACK TO DEFAULT!!! When this happened, and HOW LONG this had been this way…anyway, will do more regular checkups. Changed it again with LastPass (thanks for that recommend years ago, Leo, it still works for me), and reset the Security Key also, which had ALSO been set back to default.

    Thanks again, Leo, for all you do for us. Let’s not forget about him either, folks!

  3. What about laptops? Don’t laptops have built-in routers? Are laptops vulnerable to this malware as well, and if so, what can I do to protect my laptop?

    • Laptops have built-in wireless LAN cards. Those are different from routers. Wireless LAN cards connect to the router. They are not vulnerable to this malware, but they are vulnerable to thousands of other kinds of malware.
