Malware infecting Home Office Routers

Blog / Malware infecting Home Office Routers

There’s a new bit of Malware out there that you may have heard of: it’s called VPNFilter.

What it does is take over your router (and some NAS devices), in order to monitor your traffic and steal information (login credentials, etc.)


The Malware works in 3 stages:

Stage 1 – A down-loader that connects back to the C&C Center (Command & Control Center), to download and install the rest of the Malware package. It could also be used to do absolutely anything to the device, as the Malware now has full control.

Stage 2 – Where the Malware gets your router to start sniffing your traffic and looking for information to steal.

Stage 3 – A plug-in that allows the Malware to communicate, using TOR (TOR makes the traffic near impossible to trace & track.) The name is derived from an acronym for the original software project name: “The Onion Router.”


What makes this Malware nasty, is that Stage 1 is persistent, as it loads itself onto your router and remains there even after a reboot.

The FBI has seized a domain involved in distributing the Malware.


US Justice department statement

Cisco’s Talos research group Blog


Here is the list of impacted hardware:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

The FBI is recommending that anyone with a low-end router or NAS reboot it.

As mentioned, this will not remove the Malware entirely, but it will set it back to stage 1 (if the device is infected.) Now, assuming the FBI has properly seized the domain, that means the Malware shouldn’t be able to progress to stage 2 or 3 (at least not until those who designed it find a way to exploit the Stage 1 infections in a different way.)

The only way to remove a Stage 1 infection is with a hard re-set to factory defaults. This usually means that you would need to flash the Firmware on the device.


TRINUS is recommending that everyone who runs any of the hardware featured in the list above, do the following:

  1. Reboot the device
  2. After the reboot, flash the firmware with the latest version from the vendor.
  3. Change any/all default logins


If you have any questions about VPNFilter, you can always reach out to your TRINUS Account Manager for some stress-free IT.

/Partners /Systems /Certifications

TRINUS is proud to partner with Industry Leaders for both hardware and software who reflect our values of reliability, professionalism and Client-focused service.