VPNFilter is a currently active piece of malware designed to infect routers. As of 24 May 2018, it is estimated to have infected approximately 500,000 to 1,000,000 routers worldwide. It can steal data, contains a “kill switch” designed to destroy the infected router on command, and is able to persist should the user reboot the router. The FBI believes that it was created by the Russian Fancy Bear group. Wikipedia has a great page about the malware here.

What is happening

The malware exploits default login credentials on these consumer router devices to infect them, meaning that infection can be avoided by changing the default passwords and other security settings on the devices.

It operates in 3 stages:

  1. installs itself and remains installed even when the router is rebooted
  2. allows attackers to run commands and steal your data
  3. loads advanced plugins for sniffing traffic and similar tasks

While stage 1 will run again after a router is rebooted, stages 2 and 3 will not, as pointed out here. For this reason, the FBI has suggested that everyone reboot their router in order to disable stages 2 and 3, and also to allow the FBI to get a list of infected victims and the types of routers that are affected.

What you should do

Everyone should do this, just in case:

  1. Reboot your router(s) anyway – you never know (this stops stages 2 and 3)
  2. If you have never changed the default settings (passwords!) for your router, then do that immediately
  3. Look at the device lists here and here

If your device is on one of these lists, then do this too:

  1. Factory reset your router by using a small, pointed object, such as a straightened-out paperclip, to push the small reset button on the back of the unit for 10 to 30 seconds (time varies by model).
  2. Change default settings immediately.