VPNFilter Malware Targeting More Consumer Broadband Routers

Thursday, Jun 7th, 2018 (9:14 am) - Score 6,707

Last month security researchers found that a sophisticated and “likely state-sponsored” malware, dubbed VPNFilter, had become widespread and was infecting business devices from Linksys, MikroTik, NETGEAR and TP-Link. Sadly the code is now also hitting kit from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.

At this stage it’s still not completely clear how the infection is getting on to routers, although most of the affected devices have publicly known vulnerabilities, which are not always convenient for the average user to patch. Beyond that, most routers are directly connected to the internet and don’t contain their own anti-virus / malware systems (a firewall alone won’t cut it), which makes it difficult to defend against such a threat.

The threat itself is said to have been quietly growing since at least 2016 and there are a number of reasons why it has security experts worried. Once VPNFilter is on a router, or other vulnerable IoT (Internet of Things) device, it is hard to remove (a reset wipes some stages of it but not all), and it is used to snoop on your network, relay that data back to its controller, and insert malicious code into web traffic.

The malware is essentially an extremely clever intelligence gathering tool, albeit one that can also self-destruct and make your device completely unusable (bricked). You can get a better idea of just how clever this malware is by reading through this blog from Cisco’s Talos division and from that it’s clear that this is no ordinary infection (also check out the latest update from Talos).

The obvious advice at this point is to patch up that broadband router. Of course if you’re using a router branded to or controlled by your ISP then they’ll probably do this for you automatically (we’d assume you’re already on the latest firmware), while those with third-party kit usually have to do it themselves and may thus be more exposed.

Advice from Symantec

Q: If I own an affected device, what should I do?

A: Users of affected devices are advised to reboot them immediately. If the device is infected with VPNFilter, rebooting will remove Stage 2 and any Stage 3 elements present on the device. This will (temporarily at least) remove the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers.

You should then apply the latest available patches to affected devices and ensure that none use default credentials.

Q: If Stage 1 of VPNFilter persists even after a reboot, is there any way of removing it?

A: Yes. Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1. With most devices this can be done by pressing and holding a small reset switch when power cycling the device. However, bear in mind that any configuration details or credentials stored on the router should be backed up as these will be wiped by a hard reset.

However, some reports have given conflicting advice, and even Talos’s original blog appeared to indicate that a hard reset may only remove stages 2 and 3, which is why those affected may be better off performing a hard reset and then patching (ideally while the router is disconnected from the internet). As usual it’s also important to change the admin password of the router, particularly if it uses default credentials.

Sadly producing regular firmware updates and making the patching of such devices easier are two areas where there is still plenty of room for router and IoT manufacturers to make improvements, although many of them haven’t. Meanwhile ordinary non-technical consumers may lack the knowledge or patience to hunt around for the right model number and the correct software files for their kit.

Last month device users were potentially given a false sense of security by the combined recommendation to reboot devices and news that the FBI had successfully seized a domain that was being used by VPNFilter’s command and control infrastructure. Neither measure stopped the malware, partly because of how adaptable it is to such disruption.

The bad code has continued to spread and now more devices have been found to be vulnerable, including many familiar broadband router brands and models. The following list is considered to be incomplete because it is difficult to determine specific version numbers and models in many cases.

Known Affected Devices

Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-Link Devices:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

Huawei Devices:
HG8245 (new)

Linksys Devices:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

Mikrotik Devices:
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

Netgear Devices:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP Devices:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-Link Devices:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)

Ubiquiti Devices:
NSM2 (new)
PBE M5 (new)

Upvel Devices:
Unknown Models* (new)

ZTE Devices:
ZXHN H108N (new)

* Malware targeting Upvel as a vendor has been discovered, but researchers have not been able to determine which specific device it is targeting.
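The list above is only useful if it is actually checked against what is on your network, and the Symantec advice earlier on the page only helps if it is applied per device. The following is an added example (not code from the article, Talos or Symantec) that parses a device list in the article's own format, including the "(new)" markers, the Upvel asterisk footnote and the QNAP catch-all line, audits a constructed inventory against it with model-name normalisation, and maps each result to the reboot / hard reset / patch / credentials steps the article summarises. The list excerpt is copied from the article; the inventory entries, host names and status labels are constructed for the example.

```python
"""Parse an affected-device list in the article's format, audit an inventory against it,
and map each result to the remediation steps the article quotes from Symantec.
Added example: not code from the article, Talos or Symantec. The list excerpt is copied
from the article; the inventory and host names below are constructed."""
import re

# Excerpt of the article's "Known Affected Devices" list, kept in the article's own format.
AFFECTED_LIST_TEXT = """\
Asus Devices:
RT-AC66U (new)
RT-N66U (new)

Mikrotik Devices:
CCR1016
RB941 (new)
RB Groove (new)

Netgear Devices:
DGN2200
R7000
WNDR4300-TN (new)

QNAP Devices:
TS251
Other QNAP NAS devices running QTS software

Upvel Devices:
Unknown Models* (new)
"""

VENDOR_RE = re.compile(r"^(?P<vendor>.+?) Devices:$")
# model name, optional footnote asterisk, optional "(new)" marker
MODEL_RE = re.compile(r"^(?P<model>.+?)(?P<star>\*)?(?: \((?P<new>new)\))?$")


def parse_affected_list(text):
    """Return {vendor (lower-case): [entry, ...]} for a list in the article's format."""
    affected = {}
    vendor = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = VENDOR_RE.match(line)
        if header:
            vendor = header.group("vendor").lower()
            affected.setdefault(vendor, [])
            continue
        if vendor is None:
            raise ValueError(f"model line before any vendor header: {line!r}")
        m = MODEL_RE.match(line)
        model = m.group("model")
        affected[vendor].append({
            "model": model,
            "new": m.group("new") is not None,
            # "Unknown Models*": the vendor is targeted but no specific model is known
            "unknown": m.group("star") is not None,
            # catch-all lines such as "Other QNAP NAS devices running QTS software"
            "family_only": model.lower().startswith("other "),
        })
    return affected


def normalize(model):
    """Compare models case-insensitively, ignoring spaces and hyphens ('RB 941' == 'RB941')."""
    return re.sub(r"[\s\-]", "", model).lower()


def audit_device(vendor, model, affected):
    """Classify one inventory entry as 'listed', 'vendor-targeted' or 'not-listed'."""
    catch_all = False
    for e in affected.get(vendor.lower(), []):
        if e["unknown"] or e["family_only"]:
            catch_all = True            # vendor is targeted, exact model unknown
        elif normalize(e["model"]) == normalize(model):
            return "listed"
    return "vendor-targeted" if catch_all else "not-listed"


# Remediation as the article summarises Symantec's advice: a reboot clears stages 2 and 3,
# a factory (hard) reset is needed for stage 1, then patch and drop default credentials.
REMEDIATION = {
    "listed": ["reboot now (clears stages 2 and 3)", "back up the config",
               "hard reset to factory settings (clears stage 1)",
               "install latest firmware before reconnecting", "replace default admin credentials"],
    "vendor-targeted": ["reboot now (clears stages 2 and 3)", "install latest firmware",
                        "replace default admin credentials"],
    "not-listed": ["confirm firmware is current", "replace default admin credentials"],
}

INVENTORY = [  # constructed sample inventory, not real data
    {"host": "gw-01", "vendor": "ASUS", "model": "RT-AC66U"},
    {"host": "gw-02", "vendor": "MikroTik", "model": "RB 941"},
    {"host": "nas-01", "vendor": "QNAP", "model": "TS-453"},
    {"host": "gw-03", "vendor": "Netgear", "model": "R7500"},
    {"host": "ap-01", "vendor": "Upvel", "model": "model-placeholder"},
]


def audit_inventory(inventory, affected):
    """Return {host: status} for every device in the inventory."""
    return {d["host"]: audit_device(d["vendor"], d["model"], affected) for d in inventory}


if __name__ == "__main__":
    results = audit_inventory(INVENTORY, parse_affected_list(AFFECTED_LIST_TEXT))
    for host, status in results.items():
        print(f"{host}: {status} -> {'; '.join(REMEDIATION[status])}")
```

The normalisation step matters more than it looks: vendor labels (ASUS vs Asus, MikroTik vs Mikrotik) and model spellings (RB 941 vs RB941) vary between inventories and advisories, and a naive string comparison would silently report a listed device as clean. A "not-listed" result is not a clean bill of health either, since the article states the list is incomplete; the example therefore still recommends a firmware check and credential change for those devices.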

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
Comments
7 Responses
  1. Ian Brown says:

    Interesting that it’s only RT-xxx variants of Asus hardware, are the DSL-xxx immune? And if so why?!

    1. Mark Jackson says:

      It may not always be possible to tell due to the limitations of testing for such things. The best advice if your device isn’t listed is to just be paranoid, assume the worst and then ensure you’re on the latest firmware.

      If you have the latest firmware on a device that is still actively supported then you’re more likely to be safe than not. VPNFilter seems to essentially be using multiple known vulnerabilities to get onto devices, rather than a single method.

  2. AndyC says:

    Are ISP-supplied routers affected as well?

    1. Mark Jackson says:

      As the article states, we’d expect ISP-supplied routers (at least those where the ISP has remote control to update them) to be running the latest firmware, and as a result they should already be protected against known vulnerabilities. We hope.

  3. Mike says:

    Seems DD-WRT routers from mid-2017 onwards should be ok.

  4. Ultrafast Dream says:

    Mark, did your source for the vulnerable devices provide any revision numbers or was it grabbed from Cisco’s blog? As far as I can recall the Netgear DGN2200 (which I am using) went through alternative chipsets as the revisions incremented, then again if it alters the OS or middleware then the chipset will be irrelevant anyway…

    Back to the Draytek and slower ADSL speeds then, aaargh!

  5. Mel says:

    I’ve posted a vulnerability test and a version of a patch I originally wrote for the Netgear DG834 series routers when I discovered a password bypass vulnerability some years ago.

    Unfortunately, I needed to modify it to work on a modern browser and have only been able to test it on a DG834N, as the other models I have are buried somewhere.

    https://pathogenrush.blogspot.com/2018/06/netgear-dg834-router-series-password.html
