Can there be viruses in the router? Avast writes that the router is vulnerable, infected, or configured incorrectly


Your router is one of the weakest links in your security and researchers have proven it once again.

Sixty security flaws were found in 22 router models around the world, mostly those provided by Internet service providers. These vulnerabilities could allow hackers to hack devices, change passwords, and install and execute malicious scripts that change DNS servers. This way, hackers can redirect you to malicious sites or download malicious code onto your computer when you visit official web pages.

The vulnerabilities also allow hackers to read and write information on USB storage devices connected to a compromised router.

The study describes how attackers can gain access to PCs - namely, through a backdoor with a universal password that is used by technical provider staff to remotely assist customers over the phone. This second access with administrator rights is hidden from the router owner by default.

What router models were tested?

The researchers tested the following models: Amper Xavi 7968, 7968+ and ASL-26555; Astoria ARV7510; Belkin F5D7632-4; Linksys WRT54GL; Comtrend WAP-5813n, CT-5365, AR-5387un and 536+; D-Link DSL-2750B and DIR-600; Huawei HG553 and HG556a; Netgear CG3100D; Observa Telecom AW4062, RTA01N, Home Station BHS-RTA and VH4032N; Sagem LiveBox Pro 2 SP and Fast 1201; and Zyxel P 660HW-B1A.
Since the researchers are from Madrid, the main target of their research was routers that are provided by Spanish Internet providers, but Linksys, D-Link and Belkin are widely used in Russia and other countries.

How can you protect your router?

All Avast antiviruses have a built-in Home Network Security (HNS) feature that scans for poorly configured Wi-Fi networks, indicating weak or default Wi-Fi passwords, vulnerabilities in the router, hacked Internet connections, and an enabled but unprotected IPv6 protocol. This feature also shows a list of devices connected to the network, which helps you make sure that only devices you know are connected. Avast is the only information security company that offers the ability to protect this area.

How to scan your home router with Home Network Security?

Open the Avast user interface, click the Scan button from the left menu, then select Network Threat Scan.
Avast will scan your router and provide a report on the threats found. In most cases, if a threat is detected that requires your attention, Avast will direct you to the router manufacturer's website.

This may seem strange to you, but there are viruses that infect not computers, laptops, or mobile devices, but routers.

Why do this? Because although your router does not store any valuable information, access to this device allows an attacker to change the DNS server settings. This, in turn, allows scammers to forward some of your requests to fake sites, where you will enter sensitive information useful to the scammers. Many router models are susceptible to infection; it makes no sense to give a list, since it is constantly being updated. For your safety, I recommend following recommendations that will allow you to avoid infection.

How does the virus work?

Your computer becomes infected with a virus called Win32.Sector. It, in turn, downloads Trojan.Rbrute from a special server; Trojan.Rbrute searches for routers on the network and tries to gain access to their configuration. After gaining access, it changes the DNS addresses currently set in the router to its own. After that, all devices connected to the router end up on the page from which Win32.Sector is downloaded.

  • The “Internet” icon is lit, but you can’t reach most sites, or sites other than the ones you wanted to open are loaded
  • Strange websites open spontaneously
  • The computer cannot obtain an IP address from your network (it is assigned an address like 169.254.xxx.xxx of the Microsoft subnet)

How to remove Trojan.Rbrute virus from a router?

  1. First, you need to reset your router to factory settings. To do this, press the “Reset” button on the back panel of the router and wait 10 seconds until the router blinks all the indicators and reboots.
  2. Go to the admin panel of the router and change the standard password for access to the admin panel to your own, preferably a more complex one.
  3. Configure the router again and check whether the Internet is working properly.
  4. From the official website of the router manufacturer, download the latest firmware for your model and flash it. Most likely, in the latest firmware version, the holes through which attackers gained access to the router settings are closed.
  5. After this, check the computer for malware to exclude the possibility that Win32.Sector or Trojan.Rbrute remained on the computer’s hard drive. You can do this using free tools from the article.

I hope my article helped you =)

Until recently, I didn't even know that Avast scares its users with "scary" warnings regarding their routers. As it turns out, Avast antivirus scans Wi-Fi routers. It reports that the router is not configured correctly, that the device is vulnerable to attacks, or even that the router is infected, and attackers have already intercepted DNS addresses and are successfully redirecting you to malicious sites, stealing credit card information, and everything is very bad in general. All these warnings, of course, are seasoned with a dangerous red color and confusing instructions that even a good specialist without beer will not understand. I'm not even talking about ordinary users. This is what the problems found on the D-Link DIR-615 router look like:

The device is vulnerable to attacks:

The solution is, of course, updating the router firmware. Because what else 🙂 Avast can also display a message that your router is protected by a weak password, or the router is not protected from hacking.

In some cases, you may see a message that your router is infected, and connections are redirected to the malicious server. Avast antivirus explains this by saying that your router was hacked and its DNS addresses were changed to malicious ones. And there are instructions for solving this problem for different routers: ASUS, TP-Link, ZyXEL, D-Link, Huawei, Linksys/Cisco, NETGEAR, Sagem/Sagemco.

In short, all these recommendations are aimed at checking DNS addresses and DNS-related services, through which attackers can change the DNS on your router and redirect you to their malicious sites. There are detailed instructions on how to check everything on routers from different manufacturers.

How to respond to warnings from Avast about a router vulnerability?

I think this question interests everyone, especially if you came to this page. If you are wondering how I would react to such warnings from the antivirus, then the answer is simple - not at all. I am sure that Avast would have found holes in my router through which I could be hacked. I just have Dr.Web. It doesn't do such checks.

Maybe I'm wrong, but no antivirus other than Avast checks the Wi-Fi routers you are connected to for various types of vulnerabilities. And this feature, called Home Network Security, appeared back in 2015, in the Avast 2015 version.

Avast scans your router for device security issues. Although, I don't fully understand how it does it. For example, how does it check the password for entering the router settings? Does it watch the user, or is it a guessing method? If it guesses it, the password is bad 🙂 Okay, I’m not a programmer.

Personally, I believe that all these warnings are nothing more than simple recommendations to strengthen the security of your router. This does not mean that someone has already hacked you and is stealing your data. What Avast offers:

  • Set a good password and update the router firmware. They say otherwise you may be hacked. Ok, this is already clear. This doesn't have to be signaled as some kind of terrible vulnerability. Although again, I don’t understand how the antivirus determines that the router software version is outdated. It seems to me that this is impossible.
  • The router is not protected from connections from the Internet. Most likely, this warning appears after checking open ports. But by default, the “Access from WAN” function is disabled on all routers. I highly doubt that anyone will hack your router over the Internet.
  • Well, the worst thing is the substitution of DNS addresses. If any problems with DNS are detected, Avast directly writes that “Your router is infected!” But in 99% of cases this is not the case. Again, almost always the router automatically receives DNS from the provider. And all functions and services through which attackers can somehow spoof DNS are disabled by default. It seems to me that very often the antivirus misunderstands some user settings.

Something like that. Of course, you may disagree with me. It seems to me that it is much easier to access the computer directly and infect it than to do it with the router. If we are talking about an attack via the Internet. I would be glad to see your opinion on this matter in the comments.

How to protect your router and remove the warning from Avast?

Let's try to figure out each item that Avast most likely checks and issues warnings.

  • The router is protected with a weak password. No encryption. In the first case, the antivirus means the password that you must enter when entering the router settings. Typically, the default password is admin, or none is set at all. As a result, everyone who is connected to your network can go into the router settings. Therefore, this password needs to be changed. I wrote how to do this in the article: . As for the Wi-Fi network password, it must also be strong, and the WPA2 encryption type must be used. I always write about this in instructions for setting up routers.
  • The router is vulnerable due to old software. This is not entirely true. But, if there is new firmware for your router model, then it is advisable to update it. Not only to improve security, but also for more stable operation of the device and new functions. We have instructions on our website for updating software for routers from different manufacturers. You can find it through the search, or ask in the comments. Here it is for .
  • DNS settings have been changed. The router is hacked. To be honest, I have never seen such cases before. As I wrote above, all services through which this can happen are disabled by default. Most often, the router receives DNS from the provider automatically. The only thing I can advise is not to manually enter DNS addresses that you are not sure about. And if you manually specify addresses, it is better to use only DNS from Google, which: . This is also recommended in Avast recommendations, which can be viewed on the official website:. There are detailed instructions for solving DNS problems for almost all routers.
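
The DNS check recommended above, and the 169.254.xxx.xxx symptom listed earlier on this page, can be run against the PC's own network configuration. The following is an added example, not code from the article or from Avast: it parses English-locale `ipconfig /all` text, and the sample output, the `TRUSTED` allowlist (router LAN address plus Google Public DNS) and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of English-locale `ipconfig /all` output (not from the page).
SAMPLE = """\
Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   DNS Servers . . . . . . . . . . . : 203.0.113.66
                                       8.8.8.8

Wireless LAN adapter Wi-Fi:
   Autoconfiguration IPv4 Address. . : 169.254.17.9(Preferred)
"""

# Assumed allowlist: the router's LAN address and Google Public DNS.
TRUSTED = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
FIELD = re.compile(r"^\s+(.+?)[ .]*\. :\s*(.*)$")


def parse_adapters(text):
    """Return {adapter: {field: [values]}}; requiring '. :' keeps IPv6 colons out of labels."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current, field = adapters.setdefault(line.rstrip(" :"), {}), None
        elif current is not None and (m := FIELD.match(line)):
            field = m.group(1)
            current[field] = [m.group(2)] if m.group(2) else []
        elif current is not None and field and line.strip():
            current[field].append(line.strip())  # continuation of the previous field
    return adapters


def audit(text, trusted=TRUSTED):
    """Return (adapter, finding) pairs: unexpected resolvers and self-assigned addresses."""
    findings = []
    for name, fields in parse_adapters(text).items():
        findings += [(name, f"unexpected DNS server {d}")
                     for d in fields.get("DNS Servers", []) if d not in trusted]
        for key in ("IPv4 Address", "Autoconfiguration IPv4 Address"):
            for value in fields.get(key, []):
                addr = ipaddress.ip_address(value.split("(")[0])
                if addr in LINK_LOCAL:
                    findings.append((name, f"self-assigned address {addr}"))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Field labels in `ipconfig` output are localized, so on a non-English Windows the names used in `audit` need adjusting.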

That's all. I hope I was able to at least a little explain these warnings in Avast antivirus. Ask questions in the comments, and don’t forget to share useful information on this topic. Best wishes!

In light of the increasing number of cases of DNS substitution by malware on Internet users’ devices, the question of the security of Wi-Fi routers arises. How to check your router for viruses? How to remove a virus from a router? The question is complex and simple at the same time. There is a solution!


A virus cannot write itself onto most modern routers because of the small amount of memory in the router itself, but it can zombify the router to participate in a botnet. As a rule, this is a botnet for attacking various servers, or for redirecting and analyzing the traffic that leaves your network for the Internet.

Your passwords and personal correspondence could fall into the hands of attackers!

This needs to be fixed as quickly as possible.

Resetting the router

You can reset the router settings by pressing the reset button. Usually this button is located on the back of the router, where the LAN ports are. Usually the button is recessed into a hole to avoid accidental pressing, so you have to use a toothpick. This will delete the router settings changed by the virus and install the factory settings in their place. I must warn you that if you do not know how to configure a router, then resetting its settings is not worth it!

Router firmware

Sometimes the virus uploads modified firmware to the router. To remove the malicious firmware, you can flash the router again.

Connect the computer to the router with a LAN cable. A LAN cable is included with any router. Or via Wi-Fi if a cable connection is not possible. It's better to connect with a cable! The wireless connection is considered unstable and is not suitable for updating the router firmware.

After connecting to the router, open a browser (Chrome, Opera, Mozilla, IE) and enter the router's address in the address bar; for ASUS it is 192.168.1.1. On the page that opens, you will need to enter your login and password to enter the router settings. Login: admin, Password: admin. If the login and password do not work, ask the person who set up the router for you; perhaps they changed them.

Download the firmware from the manufacturer's website and select the firmware on the disk using the router settings page. For the vast majority of routers, the firmware steps are the same.

VPNFilter is a threat that affects a wide variety of router and network attached storage (NAS) models. VPNFilter can collect sensitive information and interact with network traffic, as well as disrupt the operation of the router. This malicious program calmly survives a router reboot.

Symantec offers a free online tool to quickly check your router for VPNFilter infections.

Important information

The online tool checks whether your device has been compromised by a VPNFilter component known as the ssler plugin. If your router is not infected with the ssler plugin, it may still be compromised by other threats or VPNFilter components.

If you are concerned or suspect that your router is infected with VPNFilter, you should follow the recommendations below.

What to do if infected

If you are concerned that your router is infected with VPNFilter, we recommend following these steps:

  1. Reset your router to restore factory settings. Save your router configuration first, as you will need to reconfigure it afterwards.
  2. Turn off and restart your router. Please note that simply restarting your router without first performing a factory reset will not remove VPNFilter.
  3. Change the administrator password for your router to a more secure one. If possible, disconnect your router from the Internet while performing this step.
  4. Install the latest updates and firmware for your router.






2024 gtavrl.ru.