
Dr Symantec offers quick and painless checkup for VPNFilter menace on routers

Traffic-fiddling malware may have met its match

Clean-up efforts to respond to the VPNFilter malware have accelerated with the release of a free check-up tool.

Even though the utility from Symantec only looks to see if traffic has been manipulated, rather than confirming an infection, third-party experts have nonetheless welcomed its release.

VPNFilter, discovered by security researchers at Cisco Talos in May, is estimated to have hijacked half a million IoT devices such as routers and network-attached storage (NAS) devices.

The malware is capable of infecting enterprise and home routers, snooping on encrypted web traffic, and establishing a backdoor on compromised devices allowing them to be remotely controlled. How exactly the nasty gets onto devices depends on the firmware and model: it is believed to exploit known vulnerabilities in the gadgets' firmware, and weak security settings, such as remote administration features left open to the internet. Symantec has published the full list of impacted routers.

VPNFilter installs a plugin that monitors and modifies web traffic sent through the infected router, allowing cybercriminals to inject malicious content, render routers inoperable, or steal passwords and other sensitive user information. The botnet also presents a clear and present danger to internet hygiene more generally since it may easily be turned into a powerful DDoS tool.

Mirai – another IoT botnet – was infamously abused to take out DNS service Dyn in an attack that left many high-profile websites unreachable back in October 2016.

Symantec has developed VPNFilter Check, a free online tool to help individuals and organisations quickly determine if their router might have been compromised by the VPNFilter malware.

More precisely, VPNFilter Check ascertains if traffic into either a home or corporate network is being altered by an infected router.

"This malware is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot," said Stephen Trilling, senior vice president and general manager, security analytics and research, Symantec. "Symantec's online VPNFilter Check tool provides individuals and organizations with an easy way to determine if their routers have been compromised by this threat, and suggests steps they can take if infected."

Antivirus industry veteran Vesselin Bontchev told El Reg that the tool detects if VPNFilter is messing with a connection without providing confirmation whether or not an IoT device is infected.

"It won't detect VPNFilter in the router in general, it will only detect if something is messing with the HTTPS connection," Bontchev explained.

"One component of VPNFilter (which is not always present) can do that. If it is there and if it is active, the degrading of HTTPS to HTTP that it performs will be detected." ®
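The kind of check Bontchev describes can be sketched as follows. This is an added illustration, not Symantec's code: it compares a page body received through the router with a known-good copy and reports links whose scheme was degraded from HTTPS to HTTP. The canary page, hostnames and function names are constructed for the example, and the article does not describe how VPNFilter Check works internally.

```python
import hashlib
import re

# Constructed canary page: the content a check server is assumed to serve.
CANARY = (b'<html><body>'
          b'<a href="https://login.example.test/">Sign in</a>'
          b'<form action="https://pay.example.test/submit"></form>'
          b'<img src="http://static.example.test/logo.png">'
          b'</body></html>')

URL_RE = re.compile(rb'(https?)://([^\s"\'<>]+)')

def urls_by_scheme(body):
    """Map each URL remainder (host + path) to the schemes it appears with."""
    seen = {}
    for scheme, rest in URL_RE.findall(body):
        seen.setdefault(rest, set()).add(scheme)
    return seen

def check_response(expected, received):
    """Compare the body that arrived through the router with the known-good copy."""
    sent, got = urls_by_scheme(expected), urls_by_scheme(received)
    downgraded = sorted(
        rest.decode() for rest, schemes in sent.items()
        if b"https" in schemes
        and got.get(rest, set()) == {b"http"})  # secure form gone, plain form present
    modified = hashlib.sha256(received).digest() != hashlib.sha256(expected).digest()
    if downgraded:
        verdict = "https-downgrade"
    elif modified:
        verdict = "modified"
    else:
        verdict = "clean"
    return {"verdict": verdict, "downgraded": downgraded}

if __name__ == "__main__":
    # Constructed samples of what might arrive over plain HTTP.
    tampered = CANARY.replace(b"https://", b"http://")
    injected = CANARY.replace(b"</body>", b"<p>extra</p></body>")
    for name, body in [("intact", CANARY), ("tampered", tampered), ("injected", injected)]:
        print(name, check_response(CANARY, body))
```

As the quotes above make clear, a "clean" result from a check of this kind only says the traffic was not altered during the test, not that the router is free of VPNFilter.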
