New VPNFilter analysis: modules attack router owners and target industrial control systems; reinfection still possible, more routers vulnerable

What is missing is a quick downloadable app that a home user can run that will definitively tell them whether their router is infected with the VPNFilter virus. Until a user has the tools to detect an infection, articles like this just encourage blind panic - Reboot your router now!!! Throw away old routers!!! Restore factory settings!!! Is your router model on our ever-expanding list? Find out now!!! We need that app. Are you listening antivirus developers???


It was dumb advice to start with. Killing the current command & control does little while the kompromat sleeper devices are still out there.

“The woods are lovely, dark, and deep, but I have promises to keep. And miles to go before I sleep. Remember, (TP-Link), miles to go before you sleep.”


For the most part I don’t think I would trust devices made by the large home router manufacturers to put directly on the internet and just use Linux with iptables for a router.

At the very least I know I can keep that up to date easily.

Really surprised to see Ubiquiti on that list.


Throw away old routers!!!

Probably not a bad idea, most all of them are so badly made and not kept up to date.

I would suggest running either your own Linux-based router that is kept up to date or going with something like Google’s offering that they keep updated.

The likes of Cisco/D-Link just don’t seem to have updating in their DNA and treat these things as commodity boxes to throw out into the marketplace and ignore. Hell, Cisco was always great for the whole “You want updates? Pay us a contract and we’ll talk” attitude.

Really sad state we are in.


My router isn’t a target, and the only potentially vulnerable device I have, a Qnap NAS, is up to date enough to be safe. I’ll install and run the Malware Remover app, just to be sure.

Do I need to worry if I have a router on the list but am running Tomato instead of stock firmware?

What if I have a router on that list (with stock firmware) but only use it as an access point behind another router (with all routing functionality disabled)?

If you want a definite answer about the presence or absence of infection, the antivirus industry is not a likely choice.

They aren’t totally useless; but they are solidly outgunned and forever playing catch-up.

Does anyone know what the primary attack vector is?

It would be helpful to know if using common sense measures such as disabling WAN-side management and shutting off unused ports/protocols/services is preventative.


Unfortunately, tech being what it is, some scammer will come along with “Check your router to see if it’s infected - just go to totallynotashadyscammersite dot ru and DOWNLOAD IT NOW!”

I think if you’re already compromised then turning off WAN-side management is still not enough. From the latest Talos update:

We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device.

Hard to say. You might want to look at how old your build of Tomato is, and if there are more recent ones available.

Reducing attack surface by putting it behind another router might be good, but since there has been no information about the initial exploit, who knows?

More troubling, while the names of manufacturers whose routers can be compromised have been published, I don’t think any of the manufacturers have said that “they’re looking into it for older models” (= SOL), but that their current model is safe.

I.e., buying the latest model is no guarantee that it’s proof against the attacks.


I was surprised by this as well. For now it’s just two specialized devices. Based on past experiences with their stuff, I would expect them to provide some sort of mitigation/patch within a brief period of time.

What’s really annoying is that nothing I’ve read so far has explained what the actual goddamn attack vector is.


So it’s not just me who’s found all the reporting on this thing to be incredibly vague as to what the actual vulnerability is… Sigh.

Looks like I’m a few versions behind in my Tomato updates so I guess that’s another thing to add to my to-do list.
