Half a million routers and NAS devices are infected with VPNFilter, serious malware that can spy on network traffic and even survive a reboot.
VPNFilter can only be completely removed with either a software update or a factory reset of the router. The motivations for this malware aren’t clear, but according to a Cisco blog post it’s particularly prevalent in Ukraine.
Symantec said in a blog post that VPNFilter is primarily targeting home and small business routers. Here’s a list of devices known to have been infected:
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN
If you have one of these, you should consider doing a factory reset. As we’ve outlined before, this usually means holding down the “Reset” button for 10 seconds, but the exact instructions will vary depending on your router. Note that you’ll lose all of your custom settings by doing this, meaning you’ll need to configure everything again.
After the factory reset, make sure your router is getting security updates to prevent more infections in the future. Your router is the entry point to your home network, after all, so you want to make sure it’s secure.
Update: The FBI seized a domain related to this malware and is recommending users reboot their routers, change their admin passwords, and disable remote administration. This won’t remove the malware completely but should prevent the attackers from activating it.