UPDATE: FBI recommends you reboot your router now to stop VPNFilter malware - more devices affected

If you needed a reason to upgrade to DD-WRT or maybe a pfSense router… this is it.

List of affected routers known so far:

Asus Devices:
RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-Link Devices:
DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

Huawei Devices:
HG8245 (new)

Linksys Devices:
E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

Mikrotik Devices:
CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

Netgear Devices:
DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP Devices:
TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-Link Devices:
R600VPN
TL-WR741ND (new)
TL-WR841N (new)

Ubiquiti Devices:
NSM2 (new)
PBE M5 (new)

UPVEL Devices:
Unknown Models (new)

ZTE Devices:
ZXHN H108N (new)

This is a multi-part infection and rebooting gets rid of two of the three components. The only persistent part looks for a specific web address to attempt to re-infect with the other parts after a reboot.

Instructions for removal here.

3 Likes

What if we have a Netgear R8000… with custom firmware and OS?

It doesn’t say anything about DDNS, which is nice.

1 Like

Good thing I just switched from my R7000 to a pfSense S3100 :rofl:

Although, shit. I think one of my customers has that model of Linksys.

2 Likes

I think my router may be too old to target for anything… :thinking:

https://www.ic3.gov/media/2018/180525.aspx

archived at https://archive.fo/YHjTN

The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.

Edit: I am not sure if it belongs in networking hardware or in off topic. Please move it if necessary.

I didn’t see it posted so I thought I would post it here for visibility.

To be clear, I don’t think rebooting will actually help you. Apparently, it is just to help them identify infected devices. I don’t know how. Any ideas?

2 Likes
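The mechanism described in the first post (the persistent stage survives a reboot and fetches the other parts from a web address) is also what makes the reboot advice quoted here useful for identification: a freshly rebooted device that immediately reaches out for the missing stages shows up in DNS or firewall logs. The Python below is an added example, not code from this thread or from any vendor; it correlates constructed log lines against a placeholder watchlist host (the real indicators come from the vendor advisories, not from this page).

```python
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like), not real captures.
# Format: "<ISO timestamp> <device-ip> <event> [<detail>]"
SAMPLE_LOG = """\
2018-05-25T10:00:00 192.168.1.1 reboot
2018-05-25T10:00:42 192.168.1.1 dns-query stage2.example.invalid
2018-05-25T10:05:10 192.168.1.1 dns-query time.example.invalid
2018-05-25T11:30:00 192.168.1.1 dns-query stage2.example.invalid
2018-05-25T10:00:00 192.168.1.2 reboot
2018-05-25T10:03:00 192.168.1.2 dns-query ntp.example.invalid
"""

# Placeholder watchlist: the thread only says the persistent stage contacts
# "a specific web address"; substitute the hosts from the vendor advisories.
WATCHLIST = {"stage2.example.invalid"}
WINDOW = timedelta(minutes=10)  # how soon after a reboot counts as a callback


def parse_log(text):
    """Yield (timestamp, device, event, detail) tuples from the log text."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(parts[0])
        detail = parts[3] if len(parts) == 4 else ""
        yield ts, parts[1], parts[2], detail


def watchlist_contacts(text, watchlist=WATCHLIST):
    """Every query to a watchlisted host, in time order, as
    (device, timestamp, seconds since that device's last reboot or None)."""
    last_reboot = {}
    out = []
    for ts, dev, event, detail in sorted(parse_log(text)):
        if event == "reboot":
            last_reboot[dev] = ts
        elif event == "dns-query" and detail in watchlist:
            rb = last_reboot.get(dev)
            out.append((dev, ts, (ts - rb).total_seconds() if rb else None))
    return out


def post_reboot_callbacks(text, watchlist=WATCHLIST, window=WINDOW):
    """Devices that contacted a watchlisted host within `window` of rebooting:
    the pattern that a mass reboot makes visible to whoever watches the logs."""
    return sorted({dev for dev, _, since in watchlist_contacts(text, watchlist)
                   if since is not None and since <= window.total_seconds()})
```

Any contact with a watchlisted host is worth investigating; the post-reboot filter just isolates the re-infection attempt the first post describes.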

Supplementary news articles

‘VPNFilter’ malware details

The Wikipedia entry

(Currently evolving) Contains a list of affected devices

I will re-list them here:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

6 Likes

I wonder if I should reboot our WRT54G?

Put OpenWrt on that WRT54! :stuck_out_tongue:

4 Likes

Anyone else suspicious as hell that the incompetent FBI is the one on top of this?

Before anyone starts flagging and crying, I’m not talking about anything political, they’ve been a blunt tool of the government long before November 2016.

NSA or CIA must have tipped them off.

Also, suspicious that “malware” has hit every major router and the FBI is the only one to notice?

:thinking:

3 Likes

Let me put my tinfoil hat on.

_/=\
:thinking:

Or immediately blame those Russians.

2 Likes

Lol yeah. You know how you create Russian malware? Change your keyboard format.

2 Likes

Except they’re not. Cisco’s Talos group and Symantec researchers are the ones that found this.
FBI are just the legal authority that got called after the fact.

They’re now the ones left throwing the bag of poo around in a game of hot potato.

4 Likes

Nice to see Asus not making the list; had been rocking an RT-AC68U before going pfSense and I have nothing but great things to say about it. They have had their bad moves on some features, but they fix it. Then again maybe it didn’t make the list because it’s simply not as common, just not worth their while.

There is/was some sort of vulnerability with ASUS routers if you have ever used the Android app to control it (or possibly if you have Asus AI services enabled). It automatically opens ports to the world for hackers to exploit.

Also, I wouldn’t trust what the FBI says. Especially since they claim it’s the same people who allegedly hacked the US election.

Surprised to see Mikrotik on that list.

I see the Netgear 6400 on that list; I wonder if it also affects the 6040s?

I guess I should be looking for a new router then. Because from what this says, it’s on there permanently.

Isn’t it for the old versions of their RouterOS?

They supposedly addressed how wide open the AI service was, and yeah the “DMZ” option is a joke too, but for the price and target demographic, apples to apples, IMO Asus is one of the better ones.

Stop throwing facts around in an attempt to distract people from their deep state conspiracy theories. It’s frowned upon in these parts.

3 Likes