» ISP News » 

VPNFilter Malware Targeting More Consumer Broadband Routers

Thursday, June 7th, 2018 (9:14 am) - Score 6,659

Last month security researchers found that a sophisticated and “likely state-sponsored” malware, dubbed VPNFilter, had become widespread and was infecting business devices from Linksys, MikroTik, NETGEAR and TP-Link. Sadly the code is now also hitting kit from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.

At this stage it’s still not completely clear how the infection is getting on to routers, although most of the affected devices have publicly known vulnerabilities, which are not always convenient for the average user to patch. Outside of that most routers are directly connected to the internet and don’t contain their own anti-virus / malware systems (a firewall alone won’t cut it), which makes it difficult to defend against such a threat.

The threat itself is said to have been quietly growing since at least 2016 and there are a number of reasons why it has security experts worried. Once VPNFilter is on a router, or other vulnerable IoT (Internet of Things) device, then it’s hard to remove (some stages of it will be wiped with a reset but not all) and is used to snoop on your network, as well as to relay that data back to its controller or to insert malicious code into web traffic.

The malware is essentially an extremely clever intelligence gathering tool, albeit one that can also self-destruct and make your device completely unusable (bricked). You can get a better idea of just how clever this malware is by reading through this blog from Cisco’s Talos division and from that it’s clear that this is no ordinary infection (also check out the latest update from Talos).

The obvious advice at this point is to patch up that broadband router. Of course if you’re using a router branded to or controlled by your ISP then they’ll probably do this for you automatically (we’d assume you’re already on the latest firmware), while those with third-party kit usually have to do it themselves and may thus be more exposed.

Advice from Symantec

Q: If I own an affected device, what should I do?

A: Users of affected devices are advised to reboot them immediately. If the device is infected with VPNFilter, rebooting will remove Stage 2 and any Stage 3 elements present on the device. This will (temporarily at least) remove the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers.

You should then apply the latest available patches to affected devices and ensure that none use default credentials.

Q: If Stage 1 of VPNFilter persists even after a reboot, is there any way of removing it?

A: Yes. Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1. With most devices this can be done by pressing and holding a small reset switch when power cycling the device. However, bear in mind that any configuration details or credentials stored on the router should be backed up as these will be wiped by a hard reset.

However some reports have given conflicting advice and even Talos’s original blog appeared to indicate that a hard reset may only remove stage 2 and 3, which is why those affected may be better to hard reset and then patch (perhaps ideally while leaving the router disconnected from the internet). As usual it’s also important to ensure that you change the admin password of the router, particularly if it uses default credentials.

Sadly producing regular firmware updates and making the patching of such devices easier are two areas where there is still plenty of room for router and IoT manufacturers to make improvements, although many of them haven’t. Meanwhile ordinary non-technical consumers may lack the knowledge or patience to hunt around for the right model number and the correct software files for their kit.

Last month device users were potentially given a false sense of security by the combined recommendation to reboot devices and news that the FBI had successfully seized a domain that was being used by VPNFilter’s command and control infrastructure. This didn’t work, partly because of how adaptable the malware is to such disruption.

The bad code has continued to spread and now more devices have been found to be vulnerable, including many familiar broadband router brands and models. The following list is considered to be incomplete because it is difficult to determine specific version numbers and models in many cases.

Known Affected Devices

Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-Link Devices:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

Huawei Devices:
HG8245 (new)

Linksys Devices:
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)

Mikrotik Devices:
CCR1009 (new)
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

Netgear Devices:
DG834 (new)
DGN1000 (new)
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP Devices:
TS439 Pro
Other QNAP NAS devices running QTS software

TP-Link Devices:
TL-WR741ND (new)
TL-WR841N (new)

Ubiquiti Devices:
NSM2 (new)
PBE M5 (new)

Upvel Devices:
Unknown Models* (new)

ZTE Devices:
ZXHN H108N (new)

* Malware targeting Upvel as a vendor has been discovered, but they are unable to determine which specific device it is targeting.

Share with Twitter
Share with Linkedin
Share with Facebook
Share with Reddit
Share with Pinterest
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, , Facebook and Linkedin.
Leave a Comment
7 Responses
  1. Ian Brown says:

    Interesting that it’s only RT-xxx variants of Asus hardware, are the DSL-xxx immune? And if so why?!

    1. Mark Jackson says:

      It may not always be possible to tell due to the limitations of testing for such things. The best advice if your device isn’t listed is to just be paranoid, assume the worst and then ensure you’re on the latest firmware.

      If you have the latest firmware on a device that is still actively supported then you’re more likely to be safe than not. VPNFilter seems to essentially be using multiple known vulnerabilities to get onto devices, rather than a single method.

  2. AndyC says:

    Are isp supplied routers affected as well?

    1. Mark Jackson says:

      As the article states, we’d expect ISP supplied routers (at least those where the ISP has remote control to update them) to be running the latest firmware and as a result they should already be protected against known vulnerabilities. We hope.

  3. Mike says:

    Seems DD-WRT routers from mid-2017 onwards should be ok.

  4. Ultrafast Dream says:

    Mark, did your source for the vulnerable devices provide any revision numbers or was it grabbed from Cisco’s blog? As far as I can recall the Netgear DGN2200 (which I am using) went through alternative chipsets as the revisions incremented, then again if it alters the OS or middleware then the chipset will be irrelevant anyway…

    Back to the Draytek and slower ADSL speeds then, aaargh!

  5. Mel says:

    I’ve posted a vulnerability test and a version of a patch I originally wrote for the Netgear DG834 series routers when I discovered a password bypass vulnerability some years ago.

    Unfortunately, I needed to modify it to work on a modern browser and have only been able to test it on a dg834n, as the other models I have are buried somewhere.


Comments are closed.

Comments RSS Feed

Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Cheapest Ultrafast ISPs
  • Vodafone £23.50 (*26.50)
    Speed: 100Mbps, Unlimited
    Gift: None
  • Gigaclear £24.00 (*49.00)
    Speed: 300Mbps, Unlimited
    Gift: None
  • Hyperoptic £25.00 (*35.00)
    Speed: 150Mbps, Unlimited
    Gift: Promo Code: ROKUGIFT
  • Community Fibre £27.50 (*32.50)
    Speed: 200Mbps, Unlimited
    Gift: First 6 Months Free
  • Virgin Media £28.00 (*52.00)
    Speed: 108Mbps, Unlimited
    Gift: None
Large Availability | View All
New Forum Topics
Cheapest Superfast ISPs
  • Vodafone £19.50 (*22.50)
    Speed 38Mbps, Unlimited
    Gift: None
  • NOW £20.00 (*32.00)
    Speed 36Mbps, Unlimited
    Gift: None
  • Hyperoptic £20.00 (*25.00)
    Speed 50Mbps, Unlimited
    Gift: Promo Code: ROKUGIFT
  • TalkTalk £21.00 (*29.95)
    Speed 38Mbps, Unlimited
    Gift: None
  • Shell Energy £21.99 (*30.99)
    Speed 35Mbps, Unlimited
    Gift: None
Large Availability | View All
The Top 20 Category Tags
  1. FTTP (3674)
  2. BT (3044)
  3. Politics (1975)
  4. Building Digital UK (1945)
  5. FTTC (1897)
  6. Openreach (1862)
  7. Business (1719)
  8. Mobile Broadband (1502)
  9. Statistics (1431)
  10. FTTH (1367)
  11. 4G (1295)
  12. Virgin Media (1197)
  13. Fibre Optic (1186)
  14. Wireless Internet (1176)
  15. Ofcom Regulation (1167)
  16. Vodafone (859)
  17. EE (845)
  18. 5G (793)
  19. TalkTalk (781)
  20. Sky Broadband (757)
Helpful ISP Guides and Tips

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact