Last week the Justice Department issued a statement warning that SOHO and NAS routers may be infected and that owners should reboot their devices as soon as possible.  The warning was issued in an effort to disrupt a massive malware botnet and increase the chances of identifying and remediating the worldwide infection.

The infectious malware has been identified as VPNFilter, a multi-staged piece of malware that has the potential to permanently disable an infected router.  The malware functions as follows: Stage 1 sets up the connection to a router and paves the way for the infection.  Stage 2 is where the actual infection occurs and has more advanced capabilities such as data collection, command execution, device management and even self-destruction.  Stage 3 works to supplement Stage 2 deployment and can further enhance its capabilities by allowing the malware to spy on web traffic and steal security credentials.

VPNFilter is unique among router malware in that it is able to persist after a device reboot.  Rebooting the device only removes stages 2 and 3 of the infection; this means that while the dangerous portion of the infection is disabled, it could be reactivated by the attackers at any time.  The Justice Department's goal in recommending a reboot ultimately had more to do with disrupting the infection network so that its origin could be identified and eventually shut down.

Netgear has issued its own statement strongly advising all Netgear router owners to update their router firmware; make sure the default password is not still in use; and make sure remote management is turned off on the router.  Routers with known vulnerabilities are listed below.

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • MikroTik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

If you are unsure how to update your router firmware or how to check your settings yourself, please contact your IT provider.  Changes to your router settings could negatively affect your ability to connect to the internet.