Among others, Ars Technica is now reporting on a new type of dangerous malware that has infected hundreds of thousands of routers worldwide. The malware is called VPNFilter and was investigated by Talos, the threat intelligence group of the router manufacturer Cisco, which reported its findings on its blog.
According to Cisco, VPNFilter has infected around 500,000 routers in at least 54 countries.
The software is described as so sophisticated that the investigators believe the hackers behind it are linked to government agencies.
Routers manufactured by, among others, Linksys, MikroTik, Netgear and TP-Link are affected by the malware, as are NAS devices from QNAP. Cisco's own products are reportedly not affected. Symantec, which has also covered the malware, has published a list of affected models, but this list is not necessarily complete.
Can cut the network connection
According to Talos, VPNFilter can be used to collect data passing through the router, and in addition it has destructive capabilities, since it can shut down routers completely. The latter feature could potentially be used to cut Internet access for hundreds of thousands of users worldwide, which the researchers say makes the malware particularly worrying.
On the technical side, VPNFilter is described as multi-stage, modular malware. The first stage establishes a foothold on the device that is used to download the next stage, and it has the rare property that it survives a reboot.
The second stage constitutes the main payload and has features that Talos says are comparable to an extensive intelligence-collection platform, such as file retrieval, command execution, data exfiltration and device management.
This stage also contains a component that is capable of overwriting critical parts of the device's firmware and restarting it, thus permanently disabling the device. This capability can reportedly be triggered by commands from the hackers who have taken control of the router.
Still under investigation
In addition to these two stages, a third stage has also been discovered, which functions as a set of "extensions" to the second stage and gives the malware additional features. Among these, modules that collect credentials from web pages and a module that lets the second stage communicate over the Tor network have been discovered.
Just how the devices have been infected is still unclear, and the investigation is still under way to determine which vulnerabilities have been exploited. Users who may be at risk are advised to reset the devices to their factory settings and then restart them.
In addition, one should also ensure that the latest firmware is installed and that the default login password on the device has been replaced with a password that is hard to guess.
Here is the Symantec list of affected routers:
Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
Are you affected? Restart the router
In the US, the Security Department has issued a warning to users of the routers mentioned above to reboot the device. This temporarily halts the malware, since two of the three stages are removed.
However, as mentioned, the first stage will persist. Malware that survives a reboot like this is extremely rare.
If you want to remove the malware completely, you will have to reset the router to factory settings. This removes all of the malware, including the first stage.