The malware affects routers, with more than 500,000 devices worldwide estimated to be infected.
It’s capable of monitoring traffic passing through the router and permanently corrupting the router’s firmware, effectively “bricking” it.
It also tries to downgrade encrypted HTTPS connections passing through the router to unencrypted HTTP connections by changing the URL header, allowing the malware to monitor the contents of communications between users and servers.
It will then try to extract personal information sent through those connections, particularly financial and credit card information.
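One way a defender can spot this kind of in-path downgrade from the network side, as an added example that is not part of the original article: a small detector that reads web-proxy or flow logs and flags plaintext HTTP requests to hosts that should only ever be seen over HTTPS. The log format, the HTTPS-only host list and the sample log lines are all constructed for this example; a real deployment would feed it the organisation's own proxy logs and an HSTS preload list or internal allowlist.

```python
import re
from collections import namedtuple

# Constructed flow-log format for this example (not any real product's format):
# "<timestamp> <client_ip> <method> <scheme>://<host>[/path] <status>"
LOG_LINE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (https?)://([^/\s]+)(\S*) (\d{3})$")
# Hosts that must only be reached over TLS (constructed stand-in for an HSTS preload list).
MUST_BE_HTTPS = {"bank.example", "pay.example", "mail.example"}
REDIRECTS = {"301", "302", "307", "308"}
# severity "high": content delivered in the clear; "low": only a redirect was seen
Finding = namedtuple("Finding", "ts client host severity detail")

def parse_line(line):
    """Split one log line into fields, or return None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    ts, client, method, scheme, host, path, status = m.groups()
    return {"ts": ts, "client": client, "method": method, "scheme": scheme,
            "host": host.lower().split(":")[0], "path": path or "/", "status": status}

def detect_downgrade(lines):
    """Flag plaintext HTTP requests to hosts that should only ever be seen over HTTPS."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["scheme"] != "http" or rec["host"] not in MUST_BE_HTTPS:
            continue
        if rec["status"] in REDIRECTS:
            # The real server bounced the client back to HTTPS: expected noise.
            sev, detail = "low", "plaintext request redirected (%s)" % rec["status"]
        else:
            # A page that should never exist in the clear was delivered: consistent
            # with an in-path device rewriting the connection down to HTTP.
            sev, detail = "high", "%s %s served over plaintext HTTP" % (rec["method"], rec["path"])
        findings.append(Finding(rec["ts"], rec["client"], rec["host"], sev, detail))
    return findings

# Constructed sample log: one client fetches a login page twice, the second time in the clear.
SAMPLE_LOG = """\
2018-05-23T10:01:05Z 192.168.1.20 GET https://bank.example/login 200
2018-05-23T10:01:09Z 192.168.1.20 GET http://bank.example/login 200
2018-05-23T10:02:11Z 192.168.1.31 GET http://news.example/ 200
2018-05-23T10:02:30Z 192.168.1.31 GET http://pay.example/ 301
2018-05-23T10:03:02Z 192.168.1.45 POST http://pay.example/checkout 200
not a log line
"""

def run_sample():
    return detect_downgrade(SAMPLE_LOG.splitlines())
```

A plaintext request that is answered with a redirect is ordinary browser behaviour, so it is rated low; a plaintext request that is answered with content for a host that never serves plaintext is the signature worth alerting on.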
Lastly, it has the capability to clean itself completely from the router, destroying all trace of its existence.
Cisco has revealed that the number of vulnerable devices is much greater than previously thought, with Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti and ZTE devices all found to be vulnerable.
“In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware's capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support,” Cisco’s report noted.
“If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware.”
Removing the malware remains a challenge.
Although the FBI has shut down the controlling domain, the stage 1 infection will likely remain on currently infected routers.
To completely remove the malware, users may need to perform a factory reset on their router followed by a firmware upgrade.
It’s also highly recommended that any remote management features be turned off.
List of vulnerable routers
RB Groove (new)
RB Omnitik (new)
Other QNAP NAS devices running QTS software
PBE M5 (new)
ZXHN H108N (new)