
Someone’s attacking our connection to the internet - part one

Updated Tuesday, 29 May 2018
The innocent blinking lights on your router in the corner might not be so innocent after all...


[Image: Netgear R7000 router] The Netgear R7000, one of the routers which has been affected.

On Wednesday 23rd May, researchers working for the networking company Cisco warned that more than half a million routers in 54 countries had been infected by malware known as VPNFilter.

Routers allow computers on local area networks to connect to the internet; you will have a small router (properly known as a modem router switch) at home to link your computer to a phone socket; and it is precisely these consumer items that have been targeted by VPNFilter.

Whilst it might look like a simple box with a few blinking lights on it, a router is a computer; it runs software, known as firmware, and this software can be compromised by the writers of malicious software. Router firmware is a tempting target for attackers since it is widespread, rarely updated, and many users never change the default settings that make attacks on their routers possible.

VPNFilter attacks consumer routers made by Linksys, MikroTik, Netgear and TP-Link, and network-attached storage devices from QNAP. The security company Symantec has provided a full list of affected routers.

VPNFilter is a sophisticated piece of malware clearly developed by skilled programmers. It is composed of three Stages.

Stage 1

The first Stage infects devices running particular firmware and then attempts to download further software from the Internet. It does this by downloading an image from the website.

The image itself is not important, but the data associated with the image is. Like most digital photos, the image has associated EXIF data usually used to store information about the type of camera and lens used to take the photo, the exposure settings, the location and so on. This image contains fake EXIF longitude and latitude data; VPNFilter extracts six numbers from this fake EXIF to form a valid IP number – the address of a computer on the Internet. In case the malware cannot connect to, it will attempt to recover an image from a site called

Once VPNFilter has the IP number of the remote computer, it begins listening for instructions, including instructions to download Stages 2 and 3 of the malware.
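The following is an added example, not part of the original article and not VPNFilter's actual decoding, which the article does not give. It is a defender-side check that reads the six latitude and longitude numbers from an EXIF (TIFF) block and flags values that cannot be a real position, one sign that the GPS fields carry something other than a location. The function names and sample bytes are constructed for illustration.

```python
import struct

GPS_IFD, LAT, LON = 0x8825, 0x0002, 0x0004   # standard EXIF/TIFF tag numbers

def read_ifd(tiff, off, e):
    """Return {tag: (type, count, 4-byte value field)} for the IFD at `off`."""
    (n,) = struct.unpack_from(e + "H", tiff, off)
    ifd = {}
    for i in range(n):
        start = off + 2 + 12 * i                      # each entry is 12 bytes
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, start)
        ifd[tag] = (typ, count, tiff[start + 8:start + 12])
    return ifd

def gps_numbers(tiff):
    """Latitude and longitude as [degrees, minutes, seconds], or None if absent."""
    e = "<" if tiff[:2] == b"II" else ">"             # byte order mark
    (ifd0,) = struct.unpack_from(e + "I", tiff, 4)
    ptr = read_ifd(tiff, ifd0, e).get(GPS_IFD)
    if ptr is None:
        return None
    gps = read_ifd(tiff, struct.unpack(e + "I", ptr[2])[0], e)
    out = {}
    for name, tag in (("lat", LAT), ("lon", LON)):
        typ, count, value = gps.get(tag, (0, 0, b""))
        if typ != 5 or count != 3:                    # expect three RATIONALs
            return None
        nums = struct.unpack_from(e + "6I", tiff, struct.unpack(e + "I", value)[0])
        out[name] = [n / d if d else float("inf") for n, d in zip(nums[::2], nums[1::2])]
    return out

def implausible(coords):
    """True when the six numbers cannot describe a real position on Earth."""
    return any(d > limit or m >= 60 or s >= 60
               for (d, m, s), limit in ((coords["lat"], 90), (coords["lon"], 180)))

def build_sample(lat, lon):
    """Constructed input: little-endian TIFF block holding only a GPS IFD."""
    rat = lambda t: b"".join(struct.pack("<II", v, 1) for v in t)
    # Layout: header 0-7 | IFD0 8-25 | GPS IFD 26-55 | latitude 56-79 | longitude 80-103
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD, 4, 1, 26, 0)
    gps = (struct.pack("<H", 2) + struct.pack("<HHII", LAT, 5, 3, 56)
           + struct.pack("<HHII", LON, 5, 3, 80) + struct.pack("<I", 0))
    return b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps + rat(lat) + rat(lon)

if __name__ == "__main__":
    print(implausible(gps_numbers(build_sample((97, 30, 250), (200, 140, 90)))))
```

A range check like this only catches values that fall outside real coordinates; data encoded within valid ranges passes it, so it is one signal among several rather than a complete detector.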

Stage 2

Stage 2 consists of a number of programs used to collect data from the router’s network. It steals files and sends them to its controllers as well as performing commands that can affect the operation of computers. Stage 2 also contains a ‘self-destruct’ feature that can render a router useless by overwriting a crucial piece of firmware.

Stage 3

Stage 3 is thought to contain at least two main components. The first is called a ‘sniffer’, which records traffic passing over a network, most notably website credentials and commands for industrial devices connected to the network. The second known component appears to allow information stolen by Stage 2 to pass over the highly-secure Tor network.

Stopping VPNFilter

On Thursday 24th April, the FBI announced that it had ordered the company Verisign to turn control of the domain over to the Agency. The FBI had then disabled the pages used by VPNFilter to download Stages 2 and 3 of the attack. The FBI turned into what is known as a sinkhole – infected machines can still make requests from the site for Stages 2 and 3, but they will never be answered. At the same time, the images hosted by were also removed; effectively decapitating VPNFilter.

These actions may have prevented VPNFilter from infecting new routers, but they would not help people who have already been infected. The FBI advised users of the targeted routers to reboot their devices by turning the power off and on again. This has the effect of disabling the most dangerous Stages 2 and 3 of the malware, rendering it temporarily harmless. On restarting, Stage 1 attempts to connect to or in order to recreate the entire program, but with both sites now disabled, this effectively stops the infection.

If you want, you can completely remove VPNFilter from the router by performing what is known as a hard (or factory) reset of the router. This usually involves pressing a reset button on the back of the router – consult your router manual for instructions on how to do this. Before completely resetting your router, you should write down any custom settings, such as your WiFi network name and any instructions for connecting to your Internet Service Provider, as these will be erased during the reset.

The FBI recommends that all users take further steps to safeguard their routers. To do this, you will need the documentation that shipped with your router; use the instructions there to connect to the router’s own management page. From there, you should:

  1. Update the router to the latest version of firmware (if available)
  2. Disable remote management of the router
  3. Change the router’s password to a new, stronger password.

So that’s what VPNFilter is – next time we’ll look at who might have created it and what it was for…

