[ALERT] VPNFilter: The Russians Really Are Coming For Your Data

Category: Security

A deadly serious threat is on the loose: a virus called VPNFilter that infects business and consumer-grade routers to steal passwords and other sensitive data from any device on a network served by an infected router. Here's what you need to know now...

What is VPNFilter Malware?

In addition to stealing passwords, VPNFilter degrades secure HTTPS connections (stripping away their encryption) to steal data from them and to pass new infections along to the connections’ destinations. Part of VPNFilter can survive a router reboot and then download other malware modules. It even has a “kill switch” that can destroy the firmware of its host router.

Already, VPNFilter has infected an estimated 500,000 to 1,000,000 routers worldwide, according to Cisco Systems’ Talos Intelligence threat research division.

The FBI attributes VPNFilter to the “Fancy Bear” Russian hacker group, which is implicated in the 2016 hack of the U.S. Democratic National Committee’s network and in other political and industrial espionage campaigns. The political news site The Daily Beast reported on May 23rd that the FBI seized a key server used by the VPNFilter botnet. But that hardly slowed the havoc being wrought by VPNFilter, because of the diabolically ingenious way it is designed.

[Image: VPNFilter malware - Fancy Bear - hacked routers]

VPNFilter consists of three modules or stages. The first module is a worm, a virus that rapidly slithers from one router to another, infecting each and replicating itself for further infections. Stage One also writes itself into a list of tasks that are performed by vulnerable routers each time they are rebooted, thereby ensuring that it will survive a reboot. Stage One’s next function is to facilitate other modules’ infection of the host router.

Stage One downloads Stage Two if it is not already present. Stage Two contains the “routine” spying functions that VPNFilter performs on each device connected to an infected router. It sniffs out passwords and other account credentials, contact lists, calendars with birthdays, and other sensitive personal info. Stage Two can also execute any special instructions given to it by optional Stage Three modules, which may also be downloaded by Stage One.

Many Stage Three modules have been discovered since Talos Intelligence started tracking VPNFilter in 2016. For most of that time, it appeared that VPNFilter targeted relatively few but critically important industrial control systems. The infection of consumer routers was thought to be recruitment for a botnet whose primary target was the control systems.

Plenty of Fish

But recent modules show that VPNFilter’s masters are after many more and smaller prey, including your little home network.

One new module can alter incoming data before it’s displayed to users; for example, it can make your bank account balance look normal when in reality the account is being drained dry. Others can steal PGP encryption keys, SSL certificates, and other authentication credentials. Still others can inject malicious payloads into streams of outgoing data to spread VPNFilter and its custom payloads to destination devices.

Libraries of Stage Three modules are scattered all over the Internet. A clever clue to the IP addresses of such libraries was found hidden in the metadata of image files stored on Photobucket. When that resource was removed, Stage One moved on to backup sources.

If Stage One cannot find a library of Stage Three modules, it can go into “listening mode,” passively awaiting new instructions from its human masters. Those instructions may include the locations of libraries, malicious payloads themselves, or a “kill switch” instruction that causes Stage One to erase itself and the entire file system of its host, effectively turning the router into a brick.

Who Is Vulnerable?

Only routers that run specific Linux-based firmware are vulnerable to VPNFilter. The bad news is that a lot of manufacturers use such firmware on many consumer-grade routers. Note that this vulnerability has nothing to do with the operating system on your computer. It's the code running inside your router that's at issue here.

I was going to include a list of vulnerable devices from vendors including Asus, D-Link, Huawei, Linksys, Mikrotik, Netgear, QNAP, TP-Link, Ubiquiti, Upvel, and ZTE, but there are over 100 known so far, and the list is growing. At this point, it seems better to assume that your router is on the list of vulnerable devices.

There's one important caveat, though. VPNFilter is lazy, so it only tries to break into routers that have the default (factory-supplied) login credentials. If you are certain that you've secured your router with a password of your own choosing, then VPNFilter will move on to other targets.

I want to remind readers that your WiFi password (the one you use to connect your computer, tablet or phone to your router) is not the same as your router's admin password. They are distinct; the admin password is used to log in to the router's setup screens, where one can configure WiFi passwords and other settings.

What To Do About VPNFilter

Some security experts recommend that all router owners, not just owners of routers on the list of known vulnerable devices, perform a factory reset on their routers. A reset restores a router’s firmware to the version that was shipped with it, so VPNFilter will be erased for certain, if it was present.

Most routers have a RESET button on the device. Holding that button down for 10 (or sometimes 30) seconds will reset the router's login credentials, but may or may not affect the firmware. Because there are so many different router vendors and models, I recommend that you search online for instructions on how to reset your router's firmware, if you decide to do so.

Next, change that default admin password! The Stage One worm works at lightning speed. It knocks on a router’s door just once, with the default password. If the worm gets no answer, it is vanquished. VPNFilter has gotten as far as it has by relying on the laziness of consumers and of professional IT workers who should know better. Change the router’s password, dang it! If you don't know how to do that, see my article Lock Down Your WiFi Router, search online, or ask your Internet provider for help.

If your router is more than 4-5 years old, consider replacing it rather than resetting its firmware. The value of an antique router is negligible, a new one can be had for less than $50, and you will have peace of mind knowing that it’s factory-fresh. Your internet provider may even swap out your old router for a new one upon request.

Bottom line: VPNFilter is powerfully malicious; highly resilient; and spreading like wildfire. This is not a drill. Take all the precautions you can. Your thoughts on this topic are welcome. Post your comment or question below...


This article was posted on 12 Jun 2018


Most recent comments on "[ALERT] VPNFilter: The Russians Really Are Coming For Your Data"

Posted by:

12 Jun 2018

Looking through my spam-filtered messages, I saw a warning about routers, opened it and typed in "admin" and "password" in a pop-up. It showed me my router password and said an update was available for it. A wave of common sense came over me and I typed in the router's website and it said I was up to date. Didn't waste any time changing my router password after that.

Posted by:

Robert Peterson
12 Jun 2018

I'd like to know where you found an authoritative source for two assertions:

1. "VPNFilter is lazy, so it only tries to break into routers that have the default (factory-supplied) login credentials." Neither of the two Cisco articles on VPNFilter makes this claim. On the contrary, Cisco/Talos says in the May 23 article, "At the time of this publication, we do not have definitive proof on how the threat actor is exploiting the affected devices."

2. "The Stage One worm works at lightning speed. It knocks on a router’s door just once, with the default password. If the worm gets no answer, it is vanquished." This claim requires that we know how Stage 1 infects a vulnerable device, and I know of no reliable source claiming that knowledge, such as Cisco Systems’ Talos Intelligence, Krebs on Security, etc.

Thank you for your help.


Posted by:

Mark H.
12 Jun 2018

I've made changing the router/gateway password the first step when setting up a new one, before I set up anything else. Been doing it for years now. I'd read something somewhere way back when about doing this. I seem to recall that Netgear even suggested doing so in their manuals.
Comcast started showing gateway information when logged into their website to check account info. If using their gateway, user name and password information is right there, along with WiFi info. If you use a commercial gateway, not Comcast's, they can't see it. Leastways, it's not shown.
Security has to start at home.

Posted by:

12 Jun 2018

Love what you do to inform us, Mr. Bob Rankin!
Thanks a bunch and keep the "assertions" coming. Each one of them is like a wake-up call!
The bottom line sounds like there is no such thing as "fully secure security" [huh?]...
I guess we gotta keep our pencils sharpened and ready; in case, we have to go back to pushing a pencil across paper.

Posted by:

12 Jun 2018

" “Fancy Bear” Russian hacker group, which is implicated in the 2016 hack of the U.S. Democratic National Committee’s network ..."

Really? When the DNC wouldn't turn over any info to the FBI and the FBI never got a court order for it.

The fix was in!

Posted by:

12 Jun 2018

Thanks, Bob!

Posted by:

12 Jun 2018

Bob, thanks for the information. At least someone tells us what the problem is and then explains how to fix it and avert a disaster. Better safe than sorry.

Posted by:

12 Jun 2018

Hi Bob I do have an Apple router airport extreme and it is very old and working very good and I do have a very strong password do I still have to change it

Posted by:

13 Jun 2018

Thanks Bob. Long time reader here. Your timely and thorough information is always much appreciated.

Posted by:

13 Jun 2018

Bob, would using VPN help in this case?

Posted by:

13 Jun 2018

Jim, you're spending too much time on conspiracy theories.
Remember, Fox News has a disclaimer stating "For Entertainment Purposes Only" for all to see.
This isn't a political site.

Posted by:

13 Jun 2018

I am interested in the VPNFilter Malware discussions and not somebody's political opinions about the DNC or the RNC that has nothing to do with the subject.

Posted by:

13 Jun 2018

@Jack: My name's not Bob, but I'd say no. A VPN won't help. A VPN encrypts data during transmission. If the worm logs all your keystrokes, the data gets sent to the hacker just the same. Otherwise all the sites you visit and log in to would not be able to read your data when using a VPN.

Posted by:

Robert Peterson
13 Jun 2018


If your VPN terminates in the router, e.g., you use a VPN from an external network to access internal networked resources, then I'm quite confident the VPN will not protect your information from VPNFilter. VPNFilter need only capture the data between the encryption/decryption module and the LAN.

If the VPN terminates outside your network, e.g., your PC terminates a VPN at a VPN provider, there is still the possibility that a stage 3 module VPNFilter downloads and installs will execute a man-in-the-middle attack to decrypt your data as it passes through, compromising your VPN and your information.

A MITM attack on VPN traffic would seem an obvious next step, and appears to be well within the abilities of VPNFilter's authors.


Posted by:

14 Jun 2018

I am horrified to see a lie spread here so cavalierly. None of that stuff about Russia has been proven! You should know that. There is no evidence of a 'hack' (or 'collusion' - another word for a conspiracy.. but the CIA wore that out and didn't want to draw attention to it by using that word in this context) in fact there is heavy evidence of an inside DOWNLOAD to a thumb drive of all the DNC data. Have you not heard of Ray McGovern and Bill Binney (ex-head and architect of the entire NSA spying network). Haven't heard of Seth Rich? OUR ex-spooks know this was an inside job not a hack. Look to nsa/cia when looking for global culprits. Wake up.

Posted by:

31 Jul 2018

How do you KNOW it is Russians? It could be anyone PRETENDING to be Russians! It would be VERY stupid of the hackers to tell everyone: "we are Russians"! I could also hack someone and let them believe I am Russian!

Posted by:

16 Aug 2018

Wow! What bunch of fluff!
“Russians”?? Really???
Then fluff again, until we discover that – once the factory-made password is changed, it all goes away…
Why didn’t you say so right away to save us time reading through all of it? Also, retards who use their router [comps, software…] default passwords deserve whatever bad comes to them…

Copyright © 2005 - Bob Rankin - All Rights Reserved

Article information: AskBobRankin -- [ALERT] VPNFilter: The Russians Really Are Coming For Your Data (Posted: 12 Jun 2018)
Source: https://askbobrankin.com/alert_vpnfilter_the_russians_really_are_coming_for_your_data.html