Updates About COVID-19 (Coronavirus) - Learn More

Your Router is Infected, and... You Don't Know It!

8/9/2018 - By Bob Woock, MCSE

It is possible your small office or household routers are being compromised without your knowledge with a new malware known as VPNFilter. 


Starting on May 23, 2018, the FBI and Justice Department asked the nation to reboot their routers.  This did not fix the problem and routers and firewalls are still very vulnerable.


Criminals can gain access to your router/firewall via this router malware:

  • Criminals can steal sensitive information
  • Manipulate what you see
  • Worm their way into your network
  • Install rootkits and more malware on your computers
  • Find who your key personnel and systems are in order to steal more things of value
  • Push ransomware or just damage data and systems.


Some router vendors have issued patches that need to be manually downloaded and installed.  You can check this list to see if your router is known to be vulnerable. However, the issuer of this list has stated, “Given our observations with this threat, we assess that this list may still be incomplete and other devices may be affected.”


Here is what we know.  The FBI and the Justice Department placed a nationwide call on May 23, 2018, for everyone to reboot their routers, which you can read here. It has since been found that this was a very temporary solution that only allowed the FBI to take down the primary command and control sites for a malware threat called VPNFilter.  The rebooting of routers assisted the FBI in finding these sites and stopping the primary push of the malware to your router.   What the reboot did not resolve was the ability to infect your router by other means using the same malware.  

The Cisco Talos Intelligence group, which is one of the world’s largest commercial threat intelligence teams, issued a follow up article explaining the continuing threat. In the article, which is very technical, they describe several stages to the exploiting of common household and small business routers.  What was found after the reboot of routers, as requested by the FBI, is that the infection/exploit remains on the router in what is called stage 1.  If the stage 1 infection cannot find the command and control sites, it goes into listening mode.  Meaning your router is still infected and is now listening for additional commands. 

Initially the FBI thought these routers were only being used to attack other systems.  But now it has been found that the listening mode allows criminals to gain access to your router, and they can install additional features that allow them to do what is called man-in-the-middle attacks which can steal sensitive data and manipulate the information you see.  

Talos senior technology leader Craig Williams in an interview with Ars TechnicaOne described it like this, “They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money…. They can manipulate everything going in and out of the device.”  Once in the router, criminals would be able to deploy any desired additional capability into your network environment to support their goals, including rootkits to take over your computers, stealth monitoring of your network to learn about key personnel or systems and destructive malware.


We recommend using Sonicwall, pfSense, or Unifi USG router/firewalls instead of the common off-the-shelf routers.  These router/firewalls can update themselves or are easily monitored by our network operations center, so they can be kept up to date.  These systems also come with Intrusion Protection and Detection Systems and GEO-IP filters that add many layers of protection to keep bad guys out of your router and your network.

If you have any questions, call our team at (800) 477-7458 or email us to receive a quote and assistance in creating and setting up a Cybersecurity plan for your business.

Additional Articles

About the Author | Bob Woock, MCSE
Bob is a manager in the Information Technology Services Department of Saltmarsh, Cleaveland & Gund. His primary areas of experience include providing managed IT services for medium and small businesses across various industries such as manufacturing, accounting, and healthcare. He has over 30 years of IT experience working in database and network administration as well as cyber security, both in the private sector and with the United States Marine Corp.

View Full Bio

Related Posts

Contact Us

(850) 243-6713

(407) 203-8990

(615) 661-0885

(850) 435-8300

(813) 287-1111

(800) 477-7458

Stay Connected

Sign up to receive updates and important information from Saltmarsh!