NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

DERoss's avatar
DERoss
Apprentice
May 23, 2018
Solved

VPNFilter Destructive Malware

Windows 7 Netgear N300 Wireless Router Model WNR2000v5 Firmware V1.0.0.64  GUI V1.0.0.204   US-CERT (an agency within the U.S. Department of Homeland Security) issued an advisory this morni...
Security
  • johngm's avatar
    johngm
    Jun 21, 2018

    You should be all set with that FW revision.   In this case we were informed by a third party and law enforcement that some unknown number of our devices including but potentially not limited to a list we were given, had been corrupted by a known hacking organization.   We were not told anything more than that, other than a reboot would either clean the device or have it identify itself to a server which had been set up by the FBI as a honey pot.   Any devices which exhibited this behavior would be handled by the FBI.  

     

    From what we could determine, we believe that our devices on current firmware releases, were probably not impacted but we simply did not have sufficient data to confirm this.   Our advice to our customers was to follow the best practices we have communicated, including changing default passwords, making sure remote management is disabled and having the product on the most recent firmware.  

     

    By following the procedure outlined you probably reset an uninfected device, but we do have to rely upon the FBI to run down any units which this remediation did not address.

     

     

DERoss's avatar
DERoss
Apprentice
Jun 21, 2018
Thank you for your clarification. My settings were already according to your Web page's directions. I updated to Firmware Version V1.0.0.64 on 13 March 2018, before the VPNFilter alerts were published. Will there be a firmware update to address that malware?
johngm's avatar
johngm
NETGEAR Employee Retired
Jun 21, 2018

You should be all set with that FW revision.   In this case we were informed by a third party and law enforcement that some unknown number of our devices including but potentially not limited to a list we were given, had been corrupted by a known hacking organization.   We were not told anything more than that, other than a reboot would either clean the device or have it identify itself to a server which had been set up by the FBI as a honey pot.   Any devices which exhibited this behavior would be handled by the FBI.  

 

From what we could determine, we believe that our devices on current firmware releases, were probably not impacted but we simply did not have sufficient data to confirm this.   Our advice to our customers was to follow the best practices we have communicated, including changing default passwords, making sure remote management is disabled and having the product on the most recent firmware.  

 

By following the procedure outlined you probably reset an uninfected device, but we do have to rely upon the FBI to run down any units which this remediation did not address.

 

 

  • DERoss's avatar
    DERoss
    Apprentice
    Jun 21, 2018
    Thank you. I am finally reassured that my router is okay. However, it took a month to finally get a response that addressed my very specific query.
    • martintechguy's avatar
      martintechguy
      Initiate
      Jun 22, 2018

      "You should be all set with that FW revision": Sheer guesswork, speculation, and avoidance of addressing the problem.

       

      "We were...told...a reboot would...clean the device": Passing the buck, avoidance of independent thought and verification.

       

      "From what we could determine, we believe that our devices on current firmware releases, were probably not impacted but we simply did not have sufficient data to confirm this": In other words, they don't have the slightest idea.

       

      "Our advice to our customers was to follow the best practices we have communicated, including changing default passwords, making sure remote management is disabled and having the product on the most recent firmware": And if brushing your teeth could prevent you from getting hit by a car, then we should have a discussion about delusional and magical thinking.

       

      DERoss please note: In my opinion johngm's reponse to you is COMPLETELY misleading. He did NOT give you anything concrete or specific, and clearly admitted that Netgear has done NO TESTING and has NO IDEA whether this router (or many others) are vulnerable or not vulnerable.

       

      From everything I have read about this malware, IF your router is infected with this malware, rebooting it will NOT, will NOT, will NOT "clean" the device of the malware completely. Rebooting does clear SOME of it, but it is possible that the remaining portion which easily survives a reboot may fully re-infect it.

       

      Thus you should NOT take ANY reassurance in such vague and incomplete statements, and therefore this issue is NOT "Resolved" at all. You should assume that your router is completely vulnerable to this malware until you specifically learn otherwise.

       

      Since, as far as I can tell, Netgear has made zero effort to actually confirm any vulernability to this malware in older routers like yours (and mine, since I have a WNR2000v2), and since they probably have no liability if they do get infected, in my opinion they therefore have zero financial incentive to life a finger to help users like you or me.