Russian-Infected Routers - What to Do?
The FBI released information last week advising home users and small business owners to reboot their firewall/routers and, if possible, reset them to factory defaults. The advice follows the discovery of malware that has compromised an estimated 500,000 devices around the world. I haven't weighed in on this before now because I had not found any research that described how the infection actually works. Researchers have finally released enough detail that I can pass it on without causing some sort of mass hysteria.
The malware affects certain small business and home router/firewalls. The devices below are confirmed affected. If you have one of these at home, you will need to reboot the device, reset it to factory defaults, then download and install the latest firmware for it. ...of course, the write-ups I read would not confirm that this removes the malware for good.
Linksys E1200
Linksys E2500
Cisco/Linksys WRVS4400N
Netgear DGN2200
---The following are Nighthawk models
Netgear R6400
Netgear R7000
Netgear R8000
---These are not Nighthawks
Netgear WNR1000
Netgear WNR2000
TP-Link TL-R600VPN SafeStream VPN Router
MikroTik Cloud Core Routers
QNAP TS-251
QNAP TS-439 Pro
I believe the remote management feature would have to be enabled for a device to be exposed, but I haven't found anything that fully corroborates that. Netgear has said that users need to make sure remote management is disabled on their devices. It is disabled by default, and we don't turn it on for anyone. Netgear also says to change the default password on the device. We have done that on every device we have put in place for a home client.
This is a link to Netgear's advisory on the issue:
Some of these devices have a cloud feature that shares USB drives plugged into the router over the Internet. That could be another way in. I don't know of any client of ours who uses that at home, but if you do, I would suggest disabling it. It is not enabled by default.
Finally, it is possible that other devices are affected by this malware. Until I read a full description of the infection process, I can't say for sure. The FBI's advice has two goals. One is to fix your device so that it is no longer infected. The other is intelligence: a simple reboot by itself does not clean the device, but it does cause an infected device to send a request to the malware's command and control system. The FBI is hoping to trace those requests to find command and control systems it does not yet know about. ...so the first request, to reboot the device, is there to help the FBI trace the command and control infrastructure. Resetting the device to factory defaults and installing new firmware are the steps that actually remove the infection.
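If you can see your router's WAN-side traffic (a firewall or flow export, a span port, or a small monitoring box in front of the router), you can watch for that post-reboot request yourself. The script below is an added example, not code from the original post or from any vendor or the FBI. The log format, the addresses and the EXPECTED set are constructed placeholders: it lists the router's own outbound connections in the minutes after the reboot, drops the destinations a clean router is expected to contact on boot (your DNS resolver, an NTP server) and anything on the LAN side, and reports what is left. A clean router should leave that list empty.

```python
"""Watch for a router's own 'phone home' traffic after a reboot.

Added example, not from the original post. It assumes a WAN-side flow or
firewall log in which the router's own address appears as the source.
The log format, addresses and EXPECTED set are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


# Constructed sample log, one flow per line: '<ISO timestamp> <src> <dst> <dport> <proto>'.
# 192.168.1.1 is the router, 192.168.1.20 a LAN client. The reboot happens at 09:00:00.
# Lines 2-4 after the reboot are DHCP to the LAN, DNS and NTP (all normal);
# the two 203.0.113.77 flows are the kind of thing you want to see flagged;
# the 09:20 flow falls outside the default 10-minute window.
SAMPLE_LOG = """\
2018-05-28T08:59:30 192.168.1.20 203.0.113.10 443 tcp
2018-05-28T09:00:03 192.168.1.1 192.168.1.20 68 udp
2018-05-28T09:00:05 192.168.1.1 198.51.100.53 53 udp
2018-05-28T09:00:07 192.168.1.1 203.0.113.123 123 udp
2018-05-28T09:00:12 192.168.1.1 203.0.113.77 80 tcp
2018-05-28T09:00:15 192.168.1.1 203.0.113.77 443 tcp
2018-05-28T09:01:40 192.168.1.20 203.0.113.10 443 tcp
2018-05-28T09:20:00 192.168.1.1 203.0.113.99 80 tcp
"""

# Destinations a freshly booted router is expected to contact on its own
# (ISP resolver, NTP server). Placeholder values; take yours from the router's config.
EXPECTED = {
    ("198.51.100.53", 53, "udp"),
    ("203.0.113.123", 123, "udp"),
}

# RFC 1918 ranges, listed explicitly rather than via ip_address().is_private,
# because that flag is also True for the documentation ranges used above.
LAN_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def parse_line(line: str) -> Flow:
    ts, src, dst, dport, proto = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), proto)


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def beacons_after_reboot(flows, router_ip, reboot_at, window_minutes=10):
    """Return the router's own outbound flows within the window after the
    reboot that are neither expected nor LAN-internal. A clean router leaves
    this empty; a surviving infection shows up as its post-boot request to
    the command and control system."""
    if isinstance(reboot_at, str):
        reboot_at = datetime.fromisoformat(reboot_at)
    end = reboot_at + timedelta(minutes=window_minutes)
    hits = []
    for f in flows:
        if f.src != router_ip:
            continue  # LAN clients' traffic is not the question here
        if not (reboot_at <= f.ts <= end):
            continue
        if (f.dst, f.dport, f.proto) in EXPECTED:
            continue
        if any(ip_address(f.dst) in net for net in LAN_NETS):
            continue  # the router talking to its own LAN is normal
        hits.append(f)
    return hits


if __name__ == "__main__":
    for f in beacons_after_reboot(parse_log(SAMPLE_LOG), "192.168.1.1", "2018-05-28T09:00:00"):
        print(f"{f.ts.isoformat()} router -> {f.dst}:{f.dport}/{f.proto}  (unexpected)")
```

Anything this reports is only a lead, not proof of infection: a router may legitimately check for firmware updates or contact a vendor cloud service on boot, so compare the flagged destinations against the vendor's documented endpoints before drawing conclusions. It does not replace the factory reset and firmware reinstall above.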