How to get rid of VPNFilter malware (even if you don’t know whether your router is infected)

Ars Technica reported today that the VPNFilter malware targets a much larger number of devices than previously thought (200,000 additional routers were added to the initial estimate of 500,000), and that it is more powerful than the original analysis revealed.

VPNFilter’s elaborate design involves three stages. Stage 1 acts as a backdoor that uses a sophisticated mechanism to locate the stage 2 and stage 3 payloads and install them. The FBI’s seizure of a command and control server may have stopped some ways of delivering the stage 2 and stage 3 payloads, but it did not stop the spread of the malware.

A router reboot, as initially recommended by the FBI, will remove stage 2 and stage 3 payloads, but will not get rid of the stage 1 backdoor. The possibility exists that even a router factory reset may not get rid of stage 1 completely.

How do you know your router is affected? A list of affected router models is available here. But keep in mind that the list is growing. The list today is much longer than it was just a few days ago.

There’s no easy way to tell whether your router is infected. If you have any suspicion that your router might be infected, you might as well go through the removal procedure as if it were infected. Here’s our recommendation on how to completely get rid of VPNFilter:

1. Preparation: find out how to upgrade the firmware for your router (read the manual, search the web, or simply poke around the router management console).
2. Download the latest firmware image for your router from the router manufacturer’s official web site. Make sure you are using HTTPS and see the green lock on the left of the URL address bar.
3. Disconnect the router from the Internet, and keep it disconnected for the rest of the steps.
4. Factory reset your router. The procedure differs from router to router, but usually involves holding down the small “Reset” button in some particular way. Read the manual.
5. Connect a PC, preferably by wire, to the router.
6. Upgrade the firmware with the image downloaded in Step 2.
7. After the router reboots, change the router password. Choose a strong password.
8. Double check that remote management is turned off. It should be off by default, but verify anyway.
9. Reconnect the router to the Internet.

After reconnecting your router to the Internet, do these 4 checks to make sure that your router is reasonably safe.