Security Advisory for VPNFilter Malware on Some Routers
This article is based on NETGEAR KB Article 58814 (5/23/2018). Please visit the KB for the latest information.
NETGEAR is aware of a piece of malware called VPNFilter that might target some NETGEAR routers.
To protect against this possible malware, we strongly advise all NETGEAR router owners to take the following steps:
- Make sure that you are running the latest firmware on your NETGEAR router. Firmware updates include important security fixes and upgrades. For more information, see "How do I update my NETGEAR router firmware using the Check button in the router web interface?".
- Make sure that you have changed your default admin password. For more information, see "How do I change the admin password on my NETGEAR router?".
- Make sure that remote management is turned off on your router. Remote management is turned off by default and can only be turned on in your router’s advanced settings.
To make sure that remote management is turned off on your router:
- On a computer that is part of your home network, type http://www.routerlogin.net in the address bar of your browser and press Enter.
- Enter your admin user name and password and click OK. If you never changed your user name and password after setting up your router, the user name is admin and the password is password.
- Click Advanced > Remote Management.
- If the check box for Turn Remote Management On is selected, clear it and click Apply to save your changes. If the check box for Turn Remote Management On is not selected, you do not need to take any action.
NETGEAR is investigating and will update this advisory as more information becomes available.
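A check that belongs after the three steps above: once remote management is off, nothing on the router's public (WAN) address should answer on an administrative port. The script below is an added example written for this page, not NETGEAR code. The port list is an assumption about typical HTTP/HTTPS admin ports, the strings it looks for in a reply are assumptions about what a router login page contains, and 203.0.113.10 is a documentation placeholder. Run it from a network that is not behind the router (for instance a phone hotspot), because from inside the LAN the web interface is supposed to answer.

```python
"""Probe a router's public address for an exposed admin interface.

Added example for this page, not NETGEAR code. Run from OUTSIDE the
router's LAN (e.g. a phone hotspot) after remote management has been
turned off: a clean result is an empty list.
"""
import socket
import ssl
from typing import List, Optional

# Assumption: typical ports used for HTTP/HTTPS remote administration.
CANDIDATE_PORTS = (80, 443, 8080, 8443)

# Strings that, in an HTTP reply, suggest a router login page.
# 'www-authenticate: basic' is the HTTP Basic challenge many router UIs
# send; the other two are assumptions about NETGEAR page contents.
ADMIN_MARKERS = (b"www-authenticate: basic", b"netgear", b"routerlogin")


def looks_like_admin_ui(response: bytes) -> bool:
    """True if a raw HTTP reply looks like a router admin/login page."""
    lowered = response.lower()
    return any(marker in lowered for marker in ADMIN_MARKERS)


def fetch(host: str, port: int, timeout: float = 3.0) -> Optional[bytes]:
    """Send a minimal GET / and return the raw reply.

    Returns None if the TCP connection is refused or times out (port closed
    or filtered), and b"" if the port accepts connections but no HTTP/TLS
    exchange completes. 443 and 8443 are wrapped in TLS without certificate
    verification: router certificates are usually self-signed and we only
    care whether an admin UI answers at all.
    """
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    try:
        if port in (443, 8443):
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request)
        chunks: List[bytes] = []
        received = 0
        while received < 65536:          # cap what we read from a stranger
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            received += len(data)
        return b"".join(chunks)
    except OSError:                      # ssl.SSLError is an OSError too
        return b""
    finally:
        sock.close()


def exposed_admin_ports(host: str, ports=CANDIDATE_PORTS) -> List[int]:
    """Ports on which something resembling an admin UI answered."""
    hits = []
    for port in ports:
        reply = fetch(host, port)
        if reply is not None and looks_like_admin_ui(reply):
            hits.append(port)
    return hits


if __name__ == "__main__":
    import sys
    # 203.0.113.10 is a documentation placeholder; pass the real WAN IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    found = exposed_admin_ports(target)
    print("admin UI reachable on:", found if found else "no candidate port")
```

An empty result only says that none of the assumed ports answered with something that looks like a login page; a router configured to use a non-default remote management port would need that port added to the list. A non-empty result after you have cleared the check box means something else (port forwarding, UPnP, or a second device) is still exposing an interface and deserves a look.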
Acknowledgments
Contact
We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being proactive rather than reactive to emerging security issues is fundamental for product support at NETGEAR.
It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.
To report a security vulnerability, visit http://www.netgear.com/about/security/.
If you are a NETGEAR customer with a security-related support concern, you can contact NETGEAR customer support at techsupport.security@netgear.com.
Revision History
2018-05-23: Published advisory

Re: Security Advisory for VPNFilter Malware on Some Routers
Now that the FBI has control of the server, rebooting should remove you from the botnet if you're in it, according to the DB article.
Re: Security Advisory for VPNFilter Malware on Some Routers
Honest question (a few, actually)
- How long has it been a standard recommendation that remote administration be disabled (I've been doing it for years)?
- How long after that recommendation became standard did Netgear and other router manufacturers continue to enable remote administration by default, and are they still shipping like that?
- If they still are, when will they stop?
Re: Security Advisory for VPNFilter Malware on Some Routers
@trnc1 wrote:
Honest question (a few, actually)
- How long has it been a standard recommendation that remote administration be disabled (I've been doing it for years)?
That's a really good question. I used to have remote administration enabled for a reason; it's not a big deal to deactivate it for a few days, but I need this function.
Re: Security Advisory for VPNFilter Malware on Some Routers
And the latest firmware is just as flaky as the previous V4: dropped WiFi connection etc. I've been forced to revert to 3.04, as my laptop won't even complete its daily backup on V4 firmwares.
Re: Security Advisory for VPNFilter Malware on Some Routers
I upgraded from V1.0.4.12_10.1.46 to 1.0.4.18_10.1.49, and I'm having major issues with both wired and wireless connections after 1-2 hours of use (internet stops for most, but some established connections still work for a while). Do I need to revert to factory default settings when upgrading the firmware? I ended up having to flash 4.12 back because of family complaints about the internet not working, but I just did that now, so I'm not sure what will happen after a couple of hours.
I do not use DLNA, but have 2 USB drives connected.
Any suggestions would be appreciated, as I would like to use the latest firmware.
Thanks!
Re: Security Advisory for VPNFilter Malware on Some Routers
I just updated my firmware and had a very nasty surprise, but followed this, with an exception:
    cd C:\Users\xxxx\Downloads\R7000    (etc.; the folder where the .chk file is located)
    tftp -i 192.168.1.1 PUT xxxx.chk
My sphincter got tight there for a moment. I will never allow the web-based update again.
Re: Security Advisory for VPNFilter Malware on Some Routers
Thanks for pointing out that info. I didn't realize that simply clicking somewhere else on the screen could cause that kind of pain.
@gr8ful wrote:
I just updated my firmware and had a very nasty surprise, but followed this, with an exception:
    cd C:\Users\xxxx\Downloads\R7000    (etc.; the folder where the .chk file is located)
    tftp -i 192.168.1.1 PUT xxxx.chk
My sphincter got tight there for a moment. I will never allow the web-based update again.
Re: Security Advisory for VPNFilter Malware on Some Routers
I hear ya. I wasn't trying to question the validity of that option, but it seems these days that it should be turned off by default so that you have to choose to use it.
Re: Security Advisory for VPNFilter Malware on Some Routers
Nighthawk X6 R7900 - Firmware Version V1.0.2.10_10.0.29 (Router reports no newer version available)
Before I re-flash my router, is there a way to determine if it is infected with Stage 1?
I have already rebooted it, so any evidence of Stages 2 and 3 would already be gone.
I have run the "telnetenable" program to enable telnet on the device, and I can connect.
I am running tcpdump in an attempt to see if it tries to connect to the "toknowall.com" domain that is mentioned in the TALOS blog post:
    # tcpdump -n -v host 104.16.40.155 or toknowall.com
    tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
So far, that tcpdump command, with that filter, has not shown me any activity. If the Stage 1 malware tries to hit up that domain at a regular interval, I'm pretty sure I would have seen something by now. However, if the Stage 1 malware only attempts to connect to that host upon router-boot-up-time, then this command will not show me any useful information.
1) Does anybody know whether or not the Stage 1 malware makes repeated attempts to try to install the additional Stage 2 and 3 modules? Or only on bootup?
2) Would this tcpdump command alert me to a Stage 1 infection, if it was present on my device?
3) How old is my firmware "V1.0.2.10_10.0.29"? This is already the "latest" version, but I do not know how old it is, or if it would be vulnerable to Stage 1 infection.
4) Is the only known initial attack vector on the Netgear routers the "remote administration"?
5) So far, to my knowledge, nobody (not TALOS nor Netgear) has published information about what files/scripts/config-files are modified in connection with the Stage 1 infection. That would be EXTREMELY VALUABLE INFORMATION to have in order to telnet into our Netgear routers, and look at the relevant files to see if they contain any modifications! PLEASE PROVIDE THIS INFO NETGEAR!!!
The TALOS post goes very much in-depth with how this malware works, but does not provide any details on how to identify if you are only infected with Stage 1. If I had not rebooted the router (per recommendation), I could have enabled telnet and looked for the additional modules. Unfortunately, I did reboot my router per recommendation, already.
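Since the post above is watching for Stage 1 network activity with tcpdump, here is an added example (not code from the post, from Talos or from NETGEAR) that parses saved tcpdump text output and flags the two indicators the post quotes: a DNS query for toknowall.com, or a TCP SYN to 104.16.40.155. The sample lines inside it are constructed to resemble tcpdump's default output format and are not a real capture; a current indicator list from Talos should replace the two values used here.

```python
"""Flag VPNFilter Stage 1 indicators in tcpdump text output.

Added example for this page, not from Talos or NETGEAR. The indicators are
the two quoted in the post above (the domain toknowall.com and the address
104.16.40.155); any newer indicator list from Talos should replace them.
The sample capture lines below are constructed to look like tcpdump's
default output and are not a real capture.
"""
import re
from typing import List, Optional, Tuple

C2_DOMAINS = {"toknowall.com"}
C2_IPS = {"104.16.40.155"}

# "... 8.8.8.8.53: 12345+ A? toknowall.com. (31)"  -> DNS query for a name
DNS_QUERY = re.compile(r"\b(?:A|AAAA)\? (?P<name>[A-Za-z0-9.-]+)")
# "IP 192.168.1.1.50123 > 104.16.40.155.443: Flags [S]" -> outbound SYN
TCP_SYN = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<port>\d+): Flags \[S\]"
)


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return ('dns', name) or ('connect', 'ip:port') when the line matches
    an indicator, else None. DNS is checked first because the lookup is
    visible even when the name resolves to an address we do not know about."""
    m = DNS_QUERY.search(line)
    if m:
        name = m.group("name").lower().rstrip(".")
        if name in C2_DOMAINS or any(name.endswith("." + d) for d in C2_DOMAINS):
            return ("dns", name)
    m = TCP_SYN.search(line)
    if m and m.group("dst") in C2_IPS:
        return ("connect", f'{m.group("dst")}:{m.group("port")}')
    return None


def scan(lines) -> List[Tuple[int, str, str]]:
    """Run classify() over an iterable of tcpdump lines; 1-based line numbers."""
    hits = []
    for number, line in enumerate(lines, start=1):
        result = classify(line)
        if result:
            hits.append((number, *result))
    return hits


# Constructed sample, modelled on `tcpdump -n -v` text output (not real).
SAMPLE_LINES = [
    "12:00:01.000001 IP 192.168.1.1.45678 > 8.8.8.8.53: 1234+ A? toknowall.com. (31)",
    "12:00:01.020000 IP 8.8.8.8.53 > 192.168.1.1.45678: 1234 1/0/0 A 104.16.40.155 (47)",
    "12:00:01.050000 IP 192.168.1.1.50123 > 104.16.40.155.443: Flags [S], seq 1, win 29200, length 0",
    "12:00:05.000000 IP 192.168.1.23.53311 > 8.8.8.8.53: 777+ A? www.example.com. (33)",
    "12:00:06.000000 IP 192.168.1.23.50124 > 93.184.216.34.443: Flags [S], seq 1, win 29200, length 0",
]

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    for number, kind, detail in scan(source):
        print(f"line {number}: {kind} {detail}")
```

Two caveats on the filter used in the post. First, a name in a tcpdump filter such as `host toknowall.com` is resolved once, when the filter is compiled; if the name later resolves to a different address (which is common for CDN-fronted hosts), the filter silently matches nothing. Capturing the DNS traffic itself (`udp port 53`, or `-w` to a file) and matching the queried name, as the script does, does not depend on which address the name currently has. Second, a capture on `br0` sees LAN traffic; a query made by the router itself leaves on its WAN interface, so the capture should also include that interface (or `-i any`) for the router's own lookups to appear.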
Re: Security Advisory for VPNFilter Malware on Some Routers
Ryan, here's a link to a very recent article from Symantec, and several references to Netgear in the article: https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware
Re: Security Advisory for VPNFilter Malware on Some Routers
Thanks for that link. However, I've already seen that article, and unfortunately it doesn't answer any of my additional questions.
Re: Security Advisory for VPNFilter Malware on Some Routers
After updating to the latest firmware (.18), I had some of the same symptoms as you: it would work for a bit, then not. I tracked it to a DHCP problem; the machines were just not getting the right IP/DNS/gateway configs from the router. I had to roll back to .12 to get things working again.
Re: Security Advisory for VPNFilter Malware on Some Routers
Per warnings I have changed the password on my Google Fiber Network Box.
I have a tenant on my property and use a Netgear N300 (WN300RP) WiFi Range Extender, and we tried resetting the extender to factory settings to install the new password, but we have failed many times.
Since I do NOT have an Ethernet port on my laptop, I cannot directly connect to the WiFi extender to change the password.
There are ZERO directions on what to do with a range extender if a router's password changes. Since routers' passwords should be changed regularly, it seems negligent of Netgear not to have a process to change the extender. In a day of so much hacking, why is it that no directions or support are available to me to change the extender's password?
I find Netgear's request that I PAY for support to do this password change to be unacceptable, especially since no document exists in the manual or in the support community on how to do what should be a simple task.
It would be cheaper for me to buy a new extender than to pay for Netgear tech support for a password change. Or I can just allow my personal network to be vulnerable to VPNFilter and go back to my old password ... not a fan of these types of dilemmas.
Can anyone help me with how to get a new password onto an existing WiFi range extender?
Re: Security Advisory for VPNFilter Malware on Some Routers
I would suggest talking to Talos, who really know the facts. The advice from Netgear, as you can see, is just ridiculous. They think upgrading will automagically remove malware!!!
Re: Security Advisory for VPNFilter Malware on Some Routers
This article on Forbes' web site states doing a hard reboot to factory defaults will remove all traces of stage 1 VPNFilter:
Re: Security Advisory for VPNFilter Malware on Some Routers
Hi,
I don't want to brag, but I'll tell you that maybe the problems you have are not the firmware
(or maybe we have different settings or different routers).
I have a Netgear router Nighthawk X6 R8000
I updated the firmware 2 or 3 days ago and I absolutely had no problem, it is working wonderfully.
Now yes, previously I've had problems (and doubts about my router being hacked).
Not sure I remember the precise timing, but in 2018:
About March, I am not sure, I upgraded to the most recent firmware; maybe I waited and did it after my router went brick.
About April I had my router going brick: hundreds of power cycles to get a reset to factory and to have it working, and I changed passwords.
About early May? Watching for new firmware but nothing coming, I voluntarily did a factory reset and reinstallation of firmware and changed the passwords again.
this week I did the firmware update and reboot
Now maybe I should do
reset to factory default, change password , reupload of firmware
Getting a little tired.
I have to repopulate all the settings
I think I heard it is not safe enough to back them up and reupload, or simply I want to do it well
About doubts often about being hacked.
I even noticed, maybe in 2016 or 2017, some Ukrainian IP addresses (googled them) contacting my router.
Even seen my computer webcam turning on, my webcams moving by themselves.
I am now very paranoiac but feel often helpless
Got rid of my foscam webcams (not trusting they are fixed) and Alexa etc...
added logs and everything I could imagine on the router
This fbi mail and the firmware update is positive news
I would be interested in knowing what to do / who to tell if I see stuff again
AND it would be great to be sure that all on the router has been removed.
since 2018/05/27 Modem ARRIS since 2018/05/18? Mediacom
Re: Security Advisory for VPNFilter Malware on Some Routers
information was very helpful.
Re: Security Advisory for VPNFilter Malware on Some Routers
FYI the original FBI note on their website
https://www.ic3.gov/media/2018/180525.aspx
May 25, 2018
I-052518-PSA
Questions regarding this PSA should be directed to your local FBI Field Office.
Local Field Office Locations: www.fbi.gov/contact-us/field
FOREIGN CYBER ACTORS TARGET HOME AND OFFICE ROUTERS AND NETWORKED DEVICES WORLDWIDE
SUMMARY
The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.
TECHNICAL DETAILS
The size and scope of the infrastructure impacted by VPNFilter malware is significant. The malware targets routers produced by several manufacturers and network-attached storage devices by at least one manufacturer. The initial infection vector for this malware is currently unknown.
THREAT
VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks.
DEFENSE
The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices. Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware.
since 2018/05/27 Modem ARRIS since 2018/05/18? Mediacom
Re: Security Advisory for VPNFilter Malware on Some Routers
I tried to have my R7000 find an update yesterday and it didn't see one offered in its interface.
I try that interface again today and it sees and downloads 1.0.9.28 (the router seeing it two months after it's dated), which seems to indicate some kind of brokenness in the release to the download site that the R7000 queries.
The R7000 also gets no information, just the BIN file for that update via the router's interface, so I go to your website and right out on top it says 4/3/18 - Firmware update 1.0.9.28 for R7000 now available. Hmmm, so that version is close to two months old and wasn't offered to my router until today (unless someone's back-dating the announcement?). I manually download the whole ZIP to examine the HTML documentation, and that file was last saved a month ago today, and it says "security update", and you can't get more generic [aka less useful] than that in an announcement.
Of course I was trying to follow FBI instructions to look for a preventative update since the FBI's solution was to reboot the R7000 which only wipes out volatile memory meaning whatever infected the R7000 in the first place can do it again.
The other thing when the times comes, when you to fill the hole drilled by Russia, you could also tell us if we have to reboot the whole house because one article I saw about this malware is that the router once infected could infect other wired and wireless attachments to it listing from among PCs, tablets, cell phones, Alexa/Echo's, wi-fi cameras, switches, repeaters/APs, Smart TV's, VOIP units (like Ooma and Magic Jack), Wemo devices, thermostat's, and it even mentioned Internet connected refrigerators (that's one gadget I don't have yet).
- The scare being that any of those could reload the malware back to the router's volatile memory once it comes back online, and that is why you need to tell us more than "security update", and it would be helpful if a detailed log could be left on the router or in its memory (when the router's interface is used for the update) so that we can see the HTML explanation without tracking it down on your website.
- Aside from all you do to protect us, one of the most important things you don't do is tell us what we were protected from! You share that mystique with the antivirus tools; most will say very little if anything about what was risked. If I knew more I might cancel a credit card or do something proactive if provided the helpful information.
On your website only today can I see you have just put out a version V1.0.9.30_10.2.33_beta, which only someone looking for a beta via the web or by different steps at the router would ever see, and wouldn't see the need for it since it's not announced. It apparently doesn't matter, since the HTML from that version was saved on 4/30, a month ago (nearly a month before this malware was widely announced as existing), so even at the beta level we don't have an announced patch for the version the FBI thinks we should look to Netgear to provide (or it would have a very recent date), and the HTML file for V1.0.9.30_10.2.33_beta also has the nondescript general message "fixes [unspecified] security issues" and mentions a feature update.
All of that combined still leaves the big questions out there hanging:
- Is there going to be a patch for this last weekend's malware discovery, and will it tell us more about what was patched, so we know if we need to reboot the whole darn house to keep the router's volatile memory from being reloaded from local attachments?
- I guess I'd rather hear that the router's volatile memory will be protected in a patch so that it can't be used for any malicious activity, and..........
I have to admit that I'm watching and anticipating not only as an R7000 owner who is looking to Netgear for resolution, but I'm also looking as a future buyer of a new WiFi router, and whoever gets that order from me (probably sometime next month on behalf of my son) will be advertising that it is not vulnerable to this breakthrough hack or others like it that will surely follow.
Who wouldn't want that?
The next best thing would be software that examines my R7000 on demand and reports if it has a different checksum in any of its RAM (volatile & non-volatile) than it should have.
From what I understand the Russian owned site that was going to control the resulting bots has been shut down, but with this breakthrough achievement behind us the next external attack will drive a Mack Truck through the first hacker's hole.
Thanks in advance for your thoughts, Dean
Re: Security Advisory for VPNFilter Malware on Some Routers
Perhaps I missed it, but do you have the exact list of affected routers? Is the NETGEAR Nighthawk AC2300 R7000P affected? Thanks.
Re: Security Advisory for VPNFilter Malware on Some Routers
Thanks BretD for this info. I have made sure my 1) firmware is updated and 2) remote management is turned off, per your instructions. Question: Consumer Reports, in addition to step 1) above, indicated that I should do a hard reset of my router. I was surprised this wasn't in your suggestions. Does your article automatically assume that I have done this? (For some reason under MODEL, it would accept this: WNR2000v3 wireless router.)
Re: Security Advisory for VPNFilter Malware on Some Routers
The hard reset is actually supposed to remove level 1 VPNFilter from your router's firmware, and from what I have been able to determine, based on reading a bunch of articles, this is the ONLY way to remove the level 1 virus. Everything else just removes levels 2 and 3, and leaves level 1 still there. So, I would definitely do a hard reset of the router. It can be a pain, because you may need to reset any custom settings you've done with your router, and maybe re-connect various wireless devices. But certainly worth the trouble, I think.
Re: Security Advisory for VPNFilter Malware on Some Routers
I would do the hard reset first. Then change both your user name (which by default on all wireless routers is "ADMIN") and the password. I just tape both of those things onto the bottom or top of my router. That way, you're totally clean, and there's no way the virus would have any access to either.