500,000 home routers have been infected with VPNFilter, malware that steals data and bricks devices

I don’t know of anyone that has a neat answer to the one that included audio support (AirPort Express, I think?); presumably because, while tacking an audio out onto just about any router SoC that has USB or I2S would be trivial, having it work as a feature without having iTunes’ install base to work with is much less trivial. But the rise of the ‘semi-pro’/‘hungry upstart pro’ gear makes the difference in quality between Apple’s offering and ye olde basic cheapie somewhat less relevant than it used to be (presumably part of the reason why Mr. Cook recently took that product out back and terminated it…)

Going full “enterprise” isn’t really an option; the bump in cost is just too high (and if you need a support contract to get firmware updates it might not even help). But something at the Ubiquiti level, while rather more expensive than the cheap seats, is way, way more accessible than Cisco and pals.

Does anyone have a handy timeline of the major exploits that have been found over the last several years?

D-Link isn’t listed as vulnerable, but that doesn’t fill me with happy confidence. My router firmware is dated 2013/04/11, it went out of “support” in 2017, and in that time there were no updates. My previous ADSL Speedtouch modem was dated 2005 or so.

So much consumer-grade network hardware is thrown in the box and immediately forgotten about by the makers, but it’s all still out there like lost landmines.

I used the AirPort Express’s audio jack without iTunes for several years, but Chromecast has ultimately proven to be a better, simpler and cheaper alternative.

“The move effectively kills the malware’s ability to reactivate following a reboot, said Vikram Thakur, technical director at Symantec, who confirmed to the Daily Beast that the domain was taken over by law enforcement on Wednesday, but didn’t name the FBI. ‘The payload itself is non-persistent and will not survive if the router is restarted,’ Thakur added. ‘That payload will vanish.’”

“In other words, average consumers have the ability to stop Russia’s latest cyber attack by rebooting their routers, which will now reach out to the FBI instead of Russian intelligence. According to the court filings, the FBI is collecting the Internet IP addresses of every compromised router that phones home to the address, so agents can use the information to clean up the global infection.”

So they disconnected the botnet Command and Control, but now Russia and the US have a list of the compromised routers.

That kill switch does seem like a good option.

You mean these don’t have vulnerabilities? How do they help? (Honest question)

I’m still waiting to learn of a way to detect the presence of VPNFilter malware on a Linux-based router.
Any word on if VPNFilter can infect BSD-based routers? pfSense is still my favorite router distro.

It’s like malware on PCs. If you run Windows, there’s tons of malware just itching to take over your machine. If you run Linux or macOS, you have placed yourself in the minority, and that means far fewer bad actors are going to target you. Alternative router firmware is the Linux of router OSes. That’s reason one.

Reason two, open firmware projects (at least those that are still actively maintained) will get updates, whereas the manufacturer of your router stopped issuing updates as soon as corporate legal told them they could get away with it.

For instance, the factory firmware on this Linksys WRT54GL that I’m getting ready for my mother is a decade old, but I can download a build of DD-WRT for it from this year that fixes the KRACK Wi-Fi vulnerability from last fall, along with god knows how many other vulnerabilities discovered since 2008.

I would add just one more thing: bricking a whole bunch of devices would be a one-off intended to serve a specific political or military purpose. All that harvested data would just be a lovely bonus. So half a million routers would only be a small fraction of the level of infection the perpetrators were hoping for.

It doesn’t make much sense to drop a half-built bomb.

I was wondering if they planned to step up a dead-man switch if the C&C was taken down, but I guess they didn’t get around to that.

The media willingness to attribute all malware to Vladimir Putin (despite researchers who don’t have a track record of lying about attribution for political purposes typically being unwilling to make such attribution based on evidence) is certainly providing strong support for Internet censorship.

I have a Netgear WNR2000, squarely in the target. Very easy to upgrade the BIOS, just do it.

Looking at the router logs, I’m surprised to see a ton of port scans from odd IP addresses. They’re out there.

Ya, I checked, none of my routers are on the list so idfc lol. Kinda makes you wonder, though, why they would build in a brick switch and not use it like you said. You could just as easily whitelist the US and block everything else if you were paranoid.

The Feds don’t like to admit that they went around unlocking everyone’s back door.

Malware that steals data and bricks devices? Isn’t there already something doing this to a lot more than 500,000 machines? It’s called “Windows 10”?

Great details here:

Most routers are already running BusyBox.

Oh, man. +1000 to this. I recently upgraded all my home network equipment (save for a couple of “dumb switches”) to Ubiquiti hardware. It wasn’t cheap but it’s absolutely worth it. I replaced my shitty FiOS router with their gateway, collapsed my 4 WiFi networks into one, and have excellent monitoring and secure remote management tools through their controller and app. Best of all it’s well supported and frequently updated.
