The FBI is warning the general public to reboot their routers on a regular basis because of malware that can infect them. Guess what? It’s true! Anti-malware researchers recently uncovered malware that is infecting business and home routers. It gains access to your router and installs itself in three stages:

  1. Stage one: the malware installs itself on the router and makes itself persistent, meaning it will not go away even after a router reboot.
  2. Stage two is activated once stage one has completed successfully. In this stage the malware installs the capability to execute commands, collect files, and manage the router itself. It has so much control that it can permanently damage the router’s system files, essentially making the device useless and irreparable. It can do this on command if required.
  3. Stage three activates after stage two completes. It acts as a plugin that installs on top of stage two. This allows hackers to look inside the packets passing through the router and capture the data being transferred. It also allows stage two to communicate over TOR. More info on TOR here.

The FBI is telling people to reboot their routers often, since stages two and three are cleared by a reboot. But this doesn’t mean it’s gone. Stage one survives the reboot and can reinstall stages two and three over time.

So what can be done?

Make sure your router’s firmware is always up to date. Disable remote management as well. Your credentials may already have been leaked, and disabling remote management will stop future attacks from reaching your PC and other devices. If you find yourself with this malware, the easiest thing to do is a factory reset. The malware cannot survive this type of wipe.

These routers have been identified as being vulnerable to this attack:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

Here in Canada, our homes and small business offices have a dynamic IP address, which means it changes after a certain amount of time, making it harder for attackers to find you once it does. This is a good defense. However, some of you may pay to have a static IP, which never changes.

If you have one of the devices above and don’t know how to check it, call your local IT shop or contact us here at By The Byte.

This malware has been around since 2016, but due to the number of infections the FBI has now gotten involved.

Regards,

By The Byte