The US Federal Bureau of Investigation has recommended that router owners (that is, pretty much everyone with a fixed-line internet connection) take a moment to reboot their device following the discovery of a major botnet affecting consumer router models.

The botnet was created by malware called VPNFilter that infects common router models, and is currently estimated to be roughly 500,000 devices strong.

VPNFilter is one of a new breed of malware that targets internet of things (IoT) devices – in this case the routers that control the flow of traffic across the internet.

“VPNFilter malware is another clear demonstration of rather philosophical paradigm: the more IoT devices we have helping us out in our daily lives, the more advanced the CPUs become, driving our routers, cars, or refrigerators (you name it), the bigger an attack surface becomes,” noted Sophos in a blog post.

The good news is that the command and control domain was shut down by the FBI last week.

The domain,, was the controlling domain for infected devices.

With the domain disabled, infected devices should not find a command and control centre to dial into, and the malware is effectively neutered.

Nonetheless, the FBI recommends that all router owners perform a reboot of their device immediately.

According to the FBI, this will remove currently running malware processes from the affected routers.

With the command domain disabled, the malware won’t be able to fully restart, since it requires a call to the control domain to initiate the payload.

After the reboot, many router vendors are recommending that users update their router firmware and change the password.

The FBI also recommended that users disable remote management on their routers.

Anatomy of an attack

The VPNFilter malware is believed to have been developed by Russian hacking group Fancy Bear, also known as APT28, which has been linked to Russia’s military intelligence group, the GRU.

This is the same group that is linked to the hacking of the email accounts of Clinton campaign members during the last US presidential campaign.

Although the malware is affecting routers globally, the majority of infected routers are located in Ukraine.

The attack itself is a multistage worm that affects certain devices running Linux and its derivatives.

This includes routers from Netgear, Linksys, TP-Link and NAS devices from QNAP.

The first stage is a “bootstrap” that persists between router reboots and reaches out and downloads the rest of the malware from outside servers (which have now been blocked at the DNS level).

The second stage is the executable payload, which does not persist between reboots.

According to Cisco’s Talos Intelligence Group, the malware itself then gives almost complete control over the device to the hackers.

“This malware is used to create an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs of the threat actor,” Cisco reported in a blog post.

The capabilities of the malware include the ability to route and intercept traffic (including passwords entered into unencrypted web pages); the ability to corrupt the firmware and brick the router; and the ability to execute arbitrary code on the router.

“Since the affected devices are legitimately owned by businesses or individuals, malicious activity conducted from infected devices could be mistakenly attributed to those who were actually victims of the actor,” the post also noted.