Emerging Threats

VPNFilter malware now targeting even more router brands. How to check if you're affected.


Authored by a Symantec employee

 

Updated with new information on June 29, 2018. The free VPNFilter Check Tool helps check if your router is impacted.

VPNFilter — the malware that infected more than half a million routers in more than 50 countries — may be more dangerous than researchers originally believed.

What's different now? At least three things:

  • Based on additional analysis, VPNFilter is more powerful than originally thought and runs on a much broader range of consumer-grade and SOHO router models, many from manufacturers not previously known to be affected. To our knowledge, the known vulnerable routers come from at least 10 router brands.
  • VPNFilter is able to add malicious content to the traffic that passes through affected routers, according to researchers. This allows it to install malware onto devices and systems connected to the routers.
  • The malware is showing new capabilities that can target and steal passwords and other sensitive information.
     

VPNFilter malware targets certain router models from these brands:

  • Asus
  • D-Link
  • Huawei
  • Linksys
  • MikroTik
  • Netgear
  • QNAP
  • TP-Link
  • Ubiquiti
  • Upvel
  • ZTE

Symantec has created a free online tool to help check if your router is impacted by VPNFilter. Try out our VPNFilter Check Tool now.

Does Symantec's Norton Core™ Wi-Fi router protect me against VPNFilter malware?

Yes, from what we know about VPNFilter and how it penetrates routers, we can assure you that those methods do not work on Norton Core. In fact, not a single Norton Core user has been impacted.

Norton Core was designed from the ground up with security in mind and specifically to protect users from these types of cyber threats and malicious attacks.

If you want to learn how Norton Core can help protect you, you can read more about the router's technology and features.

The Norton Core secure Wi-Fi router was built to help defend consumers against a variety of cyber threats, including recent ones such as Mirai and now VPNFilter. To keep you and your home network safe, Core was designed to automatically keep its knowledge of vulnerabilities, viruses, and other threats up to date.

"The VPNFilter attack shows that other routers are a huge part of the problem," said Bruce McCorkendale, a vice president of technology for Norton by Symantec.

"We set out to show what it takes not to be part of the problem," he added, "and we go even further in providing protection for the possibly vulnerable devices you connect to the router."

With Norton Core, security is at the heart of the router to help protect you against threats like VPNFilter and much more. Every Norton Core includes:

  • Hardware-enforced secure boot
  • Authenticated and signed software updates
  • No internet-facing services listening (vulnerable internet-facing services are another common vector for the attacker to infect the router)
  • No default admin password or standard SSID/network password - each user must create a unique network name and secure password

Here's a deeper look into the issue of passwords.

Norton Core has no standard password or default password for the router, McCorkendale said. Plus, the router's configuration is cloud-based, not router-based. Norton Core uses a hardware-based cryptographic chip to encrypt and authenticate its communications.

In contrast, vulnerable routers connect to the internet with an available login page, McCorkendale said. The login accepts a default username and password. If the user never updated the router's default username and password, anyone can log in and make changes - like injecting malware.

How the FBI spotlighted VPNFilter

A quick recap. In a May 25 announcement, the FBI issued an urgent request for consumers to reboot their home Wi-Fi routers to help disrupt a massive foreign-based malware attack.

At the time, the FBI said foreign cybercriminals had compromised hundreds of thousands of small office and home Wi-Fi routers and other networked devices worldwide.

What does the VPNFilter threat mean to you?

VPNFilter poses several threats to small office and home routers, the FBI said.

Here's what the malware could do:

  • Render routers inoperable
  • Collect information passing through the routers
  • Block network traffic

The FBI said detecting and analyzing the malware's network activity is difficult.

How to help defend yourself from VPNFilter malware

The FBI recommends taking several steps. Here's what you should do:

  • Turn your router off, then back on. This may temporarily disrupt the malware and potentially help identify already-infected devices.
  • Consider disabling remote management settings on the device.
  • Secure the device with a strong, unique, new password.
  • Enable encryption.
  • Upgrade firmware to the latest available version.

It's a good idea to check the website of the manufacturer to see if your router may be affected. This is especially important since researchers are now saying VPNFilter affects more manufacturers of routers.

Compromised routers raise risks

Keep in mind that all your information passes through your router. That's why security is essential.

When your router is compromised, your privacy and the security of your devices can be at stake.

As hot new gadgets make our homes smarter, they’re also making them more vulnerable.

With more of our devices connecting to the Internet – smart TVs, webcams, gaming consoles, thermostats – it’s crucial to have a good defense plan for your home network.

Help protect all of your personal devices connected to your home network, not just your laptop or desktop computer, with Norton Core.

