Ars Technica reported today that the VPNFilter malware targets far more devices than previously thought: roughly 200,000 routers were added to the initial estimate of 500,000. It is also more capable than the original analysis revealed.
VPNFilter is built in three stages. Stage 1 is a persistent backdoor; it uses more than one mechanism to locate the stage 2 and stage 3 payloads and installs them. The FBI’s seizure of a command-and-control server may have cut off some of the ways stage 2 and stage 3 are delivered, but it did not stop the spread of the malware.
A router reboot, as the FBI initially recommended, removes the stage 2 and stage 3 payloads but not the stage 1 backdoor, which survives the reboot and can fetch the later stages again. It is also possible that even a factory reset does not remove stage 1 completely.
How do you know whether your router is affected? A list of affected router models is available here, but keep in mind that the list is growing: today’s list is much longer than it was just a few days ago.
There is no easy way to tell whether your router is infected. If you have any suspicion that it might be, treat it as infected and perform the full removal procedure. Here is our recommendation for completely getting rid of VPNFilter:
After reconnecting your router to the Internet, do these four checks to make sure that it is reasonably safe.