Last Updated: 2018-05-31 13:17:16 UTC
by Johannes Ullrich (Version: 1)
You probably heard the advice given earlier this week to reset your router due to some malware referred to as "VPNFilter" infecting a large number of routers. I do not want to second guess this advice, but instead, outline a couple of issues with "resetting" a router.
First of all: Pretty much all router malware (Mirai variants, TheMoon and various Linux Perl/bash scripts affecting routers) will not survive a simple power cycle of the router. However, the vulnerability that allowed access to the malware will. Secondly, some configuration changes may survive. In particular changes to DNS settings that are often done without actual malware, but by using CSRF vulnerabilities in the routers web-based admin interface.
My main problem with having thousands of users reset their routers to factory default settings is that they inadvertently may reset it to use a simple default password.
So here are some generic step-by-step instructions on what to do:
- Write down any important configuration changes that you made to the router. For example any changes to the default IP addresses or DNS settings. Safe any VPN connection settings that you need. In addition, backup your configuration via the router's admin interface as a backup, but we do not expect to use it (you do not want to restore any compromised settings)
- Download the latest and greatest firmware for your router. Even if you think you already run this particular version. Verify the firmware's integrity, which can be difficult. But maybe some vendors publish hashes. I do not think any vendor publishes PGP signatures. If you can not find a legit way to verify the integrity, then download it several times, using different networks, and different devices and compare hashes. Just for giggles: Call the manufacturers customer support number and ask for the hash. Maybe they will publish them if enough people complain. Most routers will do some integrity checking before applying the firmware but remember, we assume the router is compromised. Also, try to avoid the built-in "self-update" or "auto update" at this point.
- Disconnect the router from the internet (unplug the network cable).
- Reboot the router
- Reset the router to the factory default settings. It is very important that you do this while the router is disconnected from the internet. It will likely reset the router to use some simple default password. Keep the router disconnected from the Internet.
- Apply the latest firmware. Some routers may refuse to do that if they already have this version installed.
- Configure your router using the notes you took in step 1. A couple of points to consider:
- set a strong admin password
- make sure the password is required if you access the router locally.
- Disable all remote admin interfaces (http, telnet, ssh...) unless you really really really need them (and if you do: consider using the router as a VPN endpoint if you can)
- if possible, change the administrator user name
- change the IP address scheme. For example, instead of 192.168.1.0/24, use 10.123.21.0/24 (pick random octets). It doesn't do much, but every bit helps.
- If you do not like your ISPs default DNS server, then pick some of the known good public once (Google, OpenDNS, Quad9, Cloudflare ...). Maybe mix two of them by using 220.127.116.11 and 18.104.22.168 ?
- If you are really paranoid, then repeat the steps.
- If you are not so paranoid (brave?): reconnect the router to the internet.
- Post the firmware checksum to any support forums to help others verify their firmware (or learn that your firmware was compromised)
For a simple reset that will take care of > 99% of malware I see on routers:
- Reboot the router
- Verify that you use a strong password (even for access from your own network)
- Disable remote admin features
- Verify the DNS settings