VPNFilter malware now targeting even more router brands. How to check if you're affected.

Authored by a Symantec employee


Updated with new information on June 29, 2018. The free VPNFilter Check Tool helps check if your router is impacted.

VPNFilter — the malware that infected more than half a million routers in more than 50 countries — may be more dangerous than researchers originally believed.

What's different now? At least three things:

  • Based on additional analysis, VPNFilter is more powerful than originally thought and runs on a much broader base of consumer-grade and SOHO router models, many from previously unaffected manufacturers. To our knowledge, the known vulnerable routers come from at least 10 router brands.
  • VPNFilter is able to add malicious content to the traffic that passes through affected routers, according to researchers. This allows it to install malware onto devices and systems connected to the routers.
  • The malware is showing new capabilities that can target and steal passwords and other sensitive information.

VPNFilter malware targets certain router models from these brands:

  • Asus
  • D-Link
  • Huawei
  • Linksys
  • Mikrotik
  • Netgear
  • QNAP
  • TP-Link
  • Ubiquiti
  • Upvel
  • ZTE

Symantec has created a free online tool to help check if your router is impacted by VPNFilter. Try out our VPNFilter Check Tool now.

Does Symantec's Norton Core™ Wi-Fi router protect me against VPNFilter malware?

Yes, from what we know about VPNFilter and how it penetrates routers, we can assure you that those methods do not work on Norton Core. In fact, not a single Norton Core user has been impacted.

Norton Core was designed from the ground up with security in mind and specifically to protect users from these types of cyber threats and malicious attacks.

If you want to learn how Norton Core can help protect you, you can read more about the router's technology and features.

The Norton Core secure Wi-Fi router was built to help defend consumers against a variety of cyber threats, including recent ones such as Mirai and now VPNFilter. To keep you and your home network safe, Core was designed to keep itself updated automatically with its knowledge of vulnerabilities, viruses, and other threats.

"The VPNFilter attack shows that other routers are a huge part of the problem," said Bruce McCorkendale, a vice president of technology for Norton by Symantec.

"We set out to show what it takes not to be part of the problem," he added, "and we go even further in providing protection for the possibly vulnerable devices you connect to the router."

With Norton Core, security is at the heart of the router to help protect you against threats like VPNFilter and much more. Every Norton Core includes:

  • Hardware-enforced secure boot
  • Authenticated and signed software updates
  • No internet-facing services listening (vulnerable internet-facing services are another common vector for the attacker to infect the router)
  • No default admin password or standard SSID/network password - each user must create a unique network name and secure password

Here's a deeper look into the issue of passwords.

Norton Core has no standard password or default password for the router, McCorkendale said. Plus, the router's configuration is cloud-based, not router-based. Norton Core uses a hardware-based cryptographic chip to encrypt and authenticate its communications.

In contrast, vulnerable routers connect to the internet with an available login page, McCorkendale said. The login accepts a default username and password. If the user never updated the router's default username and password, anyone can log in and make changes - like injecting malware.

How the FBI spotlighted VPNFilter

A quick recap. In a May 25 announcement, the FBI issued an urgent request for consumers to reboot their home Wi-Fi routers to help disrupt a massive foreign-based malware attack.

At the time, the FBI said foreign cybercriminals had compromised hundreds of thousands of small office and home Wi-Fi routers and other networked devices worldwide.

What does the VPNFilter threat mean to you?

VPNFilter poses several threats to small office and home routers, the FBI said.

Here's what the malware could do:

  • Render routers inoperable
  • Collect information passing through the routers
  • Block network traffic

The FBI said detecting and analyzing the malware's network activity is difficult.

How to help defend yourself from VPNFilter malware

The FBI recommends taking several steps. Here's what you should do:

  • Turn your router off, then back on. This may temporarily disrupt the malware and potentially help identify already-infected devices.
  • Consider disabling remote management settings on the device.
  • Secure the device with a strong, unique, new password.
  • Enable encryption.
  • Upgrade firmware to the latest available version.

It's a good idea to check the website of the manufacturer to see if your router may be affected. This is especially important since researchers are now saying VPNFilter affects more manufacturers of routers.

Compromised routers raise risks

Keep in mind that all your information passes through your router. That's why security is essential.

When your router is compromised, your privacy and the security of your devices can be at stake.
