Preventing the Next VPN Filter Bot-Net Attack

Back on May 30, 2018, the FBI asked us all to reboot our Internet access devices, the cable and DSL modems that allow most of us to use the Internet.  Supposedly, this would remove the VPN Filter malware if our router was infected.  This was not exactly the truth.  The FBI had taken over the “toknowall” command and control server for the VPN Filter botnet, so the threat had already ended.  What they really wanted from the voluntary reboots was to see how many routers would reconnect to the “toknowall” server.  A staggering half-a-million routers from 54 countries reached out to reconnect.  So if your router was infected before, it is still infected today.

The VPN Filter botnet was assembled over the last two years, and has been attributed to the same Fancy Bear group from Russia that hacked the DNC during the last election, and has been accused of hacking the Ukrainian and US electric grid.  There is a great article by Bruce Schneier in the Washington Post that goes into more detail.

So what can you do about it? The first problem you face is that the cable or DSL “modem” that is your Internet gateway router is probably owned by your ISP.  You pay what is basically a lease as part of your monthly cable and Internet bill.  There are routers that can be purchased at electronic retailers that are compatible with your ISP’s network.  Owning your own would give you full access to the configuration interface, which is important if you want to really fix your router and remove this malware.  You have basically four options, which we will call “Bad, Good, Better, Best.”

  • Bad – Just keep rebooting your router now and again.  Since this does not really fix anything, it is a bad solution.  The problem here is that the underlying vulnerabilities have not changed, and there will be another variant of this exploit that will establish itself in your router.
  • Good – Reset your router to the manufacturer’s default settings.  Find the visible reset button or the little pinhole that allows you to push the hidden reset button with a paper clip.  This is usually on the back of the router near the power connection.  See your manufacturer’s website for specific instructions.  Resetting to the manufacturer’s default settings will remove any installed malware.  Then you need to go through the process of configuring the router for your network again, which may be a bit of a challenge if you are not an IT professional or technically gifted.  Again, follow the manufacturer or ISP instructions.  Although this is a good solution, we still have the underlying vulnerabilities that have not changed, and there will be another variant of this exploit that will establish itself in your router.
  • Better – A better solution would be to download the latest firmware upgrade from the manufacturer’s website, and upgrade or “flash” the firmware.  If the firmware upgrade is reasonably current, it hopefully will add some additional security options to close the vulnerabilities that previously allowed your router to be hijacked.  Again, follow the manufacturer’s instructions.  You may want to get professional help for this process, because if anything goes wrong, your router will be inoperable.  Permanently.
  • Best – The best solution is to ditch your current router and replace it with a new one that has improved security and is not vulnerable to this attack.  If you are renting your router from your ISP, this option may be difficult to achieve.  When you return the old one, you may just get a new router of the same model in return.  Explain what you are trying to achieve, and see if the ISP can offer a solution.  Or ask if you can provide your own router, and get a list of compatible routers.  Be sure to have them remove the monthly rental fee for the current router.

Following the suggestions in this article, you should be able to defeat the VPN Filter malware, at least until the next version appears.
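One way to check whether a router is still reaching for the botnet after you reboot or reset it is to watch your own DNS logs for lookups of the “toknowall” command and control name mentioned above. The script below is an added example, not code from the original post; it assumes dnsmasq-style query log lines (the sample lines are constructed) and matches on the “toknowall” label so that subdomains and look-alikes are caught as well.

```python
import re
from collections import Counter

# Indicator taken from the article: the seized VPN Filter C2 name "toknowall".
# Matching on the label alone also flags subdomains such as cdn.toknowall.com.
C2_INDICATORS = ("toknowall",)

# Assumed dnsmasq-style query log format (constructed for this example):
# "<timestamp> dnsmasq[<pid>]: query[<type>] <name> from <client-ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?query\[(?P<qtype>[A-Z]+)\] "
    r"(?P<name>\S+) from (?P<client>\d+\.\d+\.\d+\.\d+)"
)


def parse_query(line):
    """Return (timestamp, qtype, name, client) for a query line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    name = m.group("name").lower().rstrip(".")
    return m.group("ts"), m.group("qtype"), name, m.group("client")


def find_c2_lookups(lines, indicators=C2_INDICATORS):
    """Return every DNS query whose name contains a C2 indicator."""
    hits = []
    for line in lines:
        rec = parse_query(line)
        if rec and any(ind in rec[2] for ind in indicators):
            hits.append(rec)
    return hits


def clients_by_hits(hits):
    """Count flagged lookups per client. A host that keeps asking after a
    reboot is the persistent infection the article describes."""
    return Counter(client for _, _, _, client in hits)


# Constructed sample log: the gateway (192.168.1.1) asks for the C2 name
# repeatedly; a PC (192.168.1.20) only does ordinary lookups.
SAMPLE_LOG = [
    "Jun  1 10:00:01 dnsmasq[812]: query[A] www.example.com from 192.168.1.20",
    "Jun  1 10:00:05 dnsmasq[812]: query[A] toknowall.com from 192.168.1.1",
    "Jun  1 10:00:05 dnsmasq[812]: reply toknowall.com is NXDOMAIN",
    "Jun  1 11:30:12 dnsmasq[812]: query[A] toknowall.com from 192.168.1.1",
    "Jun  1 11:31:00 dnsmasq[812]: query[AAAA] update.example.net from 192.168.1.20",
    "Jun  1 12:00:00 dnsmasq[812]: query[A] cdn.toknowall.com from 192.168.1.1",
]

if __name__ == "__main__":
    for client, n in clients_by_hits(find_c2_lookups(SAMPLE_LOG)).items():
        print(f"{client}: {n} lookups of a VPN Filter C2 name")
```

Run it against your resolver’s real query log instead of SAMPLE_LOG; any client that still appears after a factory reset needs the firmware upgrade or replacement described above.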

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at