Not all routers are affected, and what steps to take will vary depending on what router you have. The good news appears to be that if you’ve already followed best router safety practices and changed the admin password, your router may well be immune.
The problem? There’s no way to confirm that your router is or is not impacted. What you need to do, if anything, varies depending on the router you have.
Routers are nothing more than single-purpose computers. They generally run a version of Linux, though that’s normally not evident. The software running on the router performs its various functions, from routing data packets across various network connections to providing the administrative interface that you and I use to configure the device.
VPNFilter is malware that infects the router. It’s fairly sophisticated, and made up of three separate stages. Once infected, the first stage can survive a reboot, and acts as a boot loader for the subsequent stages, which perform malicious activity.
The malicious activity could be just about anything, but there are generally two areas of concern:
- The router can be remotely controlled to act as a spambot, or participate in a distributed denial of service (DDoS) attack.
- The router acts as a “man in the middle”, examining the data you send to and receive from various websites. In the worst case, it could capture usernames and passwords. In the absolute worst case, there is concern that it could intercept https connections.
Needless to say, it’s worrisome malware and has made headlines of late.
Exactly what you need to do is unclear, and worse, potentially ineffective.
See if you’re known to be impacted
Various articles include specific lists of router manufacturers and models that are known to be vulnerable. As of this writing, the Ars Technica article VPNFilter malware infecting 500,000 devices is worse than we thought has a good list.
You can identify your router’s manufacturer and model number by looking either at the device itself or in the administration software. I can’t tell you exactly where to look, since this will vary from manufacturer to manufacturer and model to model. (This will be a common theme.)
If your router is on the list, that doesn’t mean it is infected; it simply means it may be vulnerable. Particularly if you’ve never changed the administrator password on the device, you’ll want to act as if it is, however.
If you don’t find your router on the list, the chances of being infected are lower, but sadly, not zero. As that article explains, more impacted router models were discovered after the initial malware discovery. It’s possible the list will grow over time.
Rebooting the router
The United States FBI has been advising that you reboot your router.
If your router is infected, rebooting will not remove the malware. As I mentioned above, if it’s present, the malware persists across reboots. Rebooting just reverts the malware to “stage 1”, which does nothing more than attempt to load stages two and three.
The act of loading stages two and three may allow security researchers to identify their source more clearly, with the goal of shutting them down. It’s never as simple as locating a single server or source, but hopefully they’ll be able to identify the approach being used to distribute those additional stages.
My assumption is that if stages two and three can be shut down or prevented, stage one would someday become inconsequential and benign.
Until that happens, an infected router will become re-infected even across a reboot. I can’t tell you how quickly, how often you might want to reboot your router, or even whether repeated reboots are advisable.
Check with your router manufacturer or vendor
The manufacturer of your router should be the canonical source of information about how VPNFilter affects their device. They should have a determination of which of their devices are impacted, and what to do if they are.
I say “should” because this is also one of those things that will vary from one device manufacturer to another. Some will be on top of it, and others not so much.
Many routers are provided by ISPs and locked down in such a way that you may not have the access you need to take recommended actions. All you can do in that case is contact your ISP for guidance.
Exactly what your router manufacturer will advise will vary, once again depending on the manufacturer and model. Options range from doing nothing — you’re not impacted — to resetting the router to factory settings (which seems to remove even stage one on most routers) and then immediately changing the administrative password.
In almost all cases, you’ll want to keep an eye out for upgraded router firmware correcting the original vulnerability that allowed all this to happen.
Keep your router secure
I’ve not found absolute confirmation, but it appears that the most vulnerable routers are those whose administrator password has not been changed and/or that have remote administration enabled.
Honestly, that’s not surprising.
Regardless of the specifics of your router, fix that now, if you haven’t already. If you review 7 Steps to a Secure Router (which I recommend you do), you’ll see that changing the admin password and disabling remote administration are steps one and two.
The best advice I can offer specifically related to VPNFilter is to keep an eye on your router’s manufacturer for more information relating to your specific router. Hopefully, they’ll be able to clearly tell you exactly what — if anything — you need to do.