The Router-Based Malware “VPNFilter” and How to Protect Yourself

Recently there’s been a somewhat worrying public service announcement from the FBI that everyone should reboot their routers. They advise to do this to prevent a nasty piece of router malware from taking hold of your hardware. Given how this is large enough for the FBI to give a public service announcement, it can be unsettling to think about what might be lurking within your router. So, what is it, and what can you do? Let’s break down this new threat to see what it is, how it works, and what you can do to protect yourself from it.

vpn-filter-fbi

The malware in question is called “VPNFilter.” Despite its innocent-sounding name, it’s anything but! Its main attack vector involves burrowing into the routers of homes and small businesses. It’s also designed to stay within the router after it has been rebooted, making it a particularly stubborn example of malware.

VPNFilter is spread by targeting routers with known flaws and weaknesses, and Ukranian-based devices are the most targeted out of all the countries. The origins of VPNFilter all point to a group called “Sofacy” that developed the code and spread it worldwide.

vpn-filter-virus

So once this new malware gets into a router, what does it do? VPNFilter is quite advanced and deploys its payload over three stages:

  1. The first stage is where the malware installs itself on a vulnerable router and sets itself up to persist even after the router has been turned off.
  2. Once the first stage is installed properly, the second stage begins. This involves installing the capacity for VPNFilter to execute commands, collect files, and manage the router. It has enough control over the router that it can permanently damage the router’s system files (known as “bricking”) on command, if need be.
  3. Once stage 2 has been properly deployed, stage 3 acts as a plugin installation on top of stage 2. Stage 3 allows the hackers to look inside the packets being passed through the router, where data is being transferred. It also grants stage 2 the ability to communicate over Tor.

When the router is powered on and off, stages 2 and 3 are wiped, but the “seed” that was set up during stage 1 persists. Regardless, the most damaging part of the VPNFilter malware is reset, which is why people have been told to do a restart on their routers.

vpn-filter-router

Not every router can be hit by VPNFilter. Symantec goes into detail on which routers are vulnerable.

To date, VPNFilter is known to be capable of infecting enterprise and small office/home office routers from Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. These include:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN”

If you own any of the above devices, check your manufacturer’s support page for updates and advice about defeating VPNFilter. Most should have a firmware update that should protect you entirely from VPNFilter’s attack vectors.

Luckily, despite the fact it sounds as if VPNFilter will be in routers forever, there are ways to get rid of it. While VPNFilter ensures it persists through the router being powered down, it can’t live through a factory reset. If you put your router through one of those, the malware will get caught up in the wipe and effectively be scrubbed out of your router.

Once done, be sure to change your network credentials and disable remote management settings as well. Your details may have been leaked out in the attack, and preventing remote access can stop a future attack from reaching your home PCs and devices.

While VPNFilter is a nasty piece of kit that has elevated itself to the interest of the FBI, it’s not unbeatable! By doing a factory reset, you can clear your router of any malware. Plus, if your manufacturer has pushed out an update, you can avoid being infected again later down the line.

Does VPNFilter affect you in any way? Let us know below.

Image credit: Router, closeup of a wireless router and a man using smartphone on living room at home ofiice by Casezy idea/Shutterstock

Leave a Reply

Yeah! You've decided to leave a comment. That's fantastic! Check out our comment policy here. Let's have a personal and meaningful conversation.