Written by Ivan Belcic
Published on November 5, 2020

The growing threat of router malware

Over the past few years, cybersecurity researchers have started to discover malware that can directly affect routers. One notable example is 2016’s Switcher Trojan, which hijacked victims’ Android devices to manipulate their router settings.

    Once installed on a victim’s phone, the Switcher Trojan router malware would try to gain access to the router through a brute-force attack, which is when a hacker tries to infiltrate a system by trying tons of passwords and login credentials with the aim of eventually hitting on a match. (That’s why it’s so important to protect your router with a strong and unique password.)

    Having gained access to the router, the attacker would then change its DNS settings to redirect internet traffic to servers owned by the cybercriminals. This type of attack is known as DNS hijacking, and since a router infection can affect an entire network, any connected devices are at risk.

    VPNFilter is a more recent instance of router malware. Unlike Switcher, VPNFilter directly infected routers via a worm that targeted known security vulnerabilities, and victims could remove it only by performing a hard factory reset on their router. It’s estimated that by mid-2018, VPNFilter had infected over half a million devices around the world.

    In 2019, our threat experts here at AVG observed a spike in the use of the GhostDNS exploit kit to attack victims in Brazil. In these attacks, when a victim visits a hacked website, their traffic is redirected to another site that hosts the GhostDNS exploit kit. At this point, the exploit kit automatically identifies the router on the victim’s network and attempts to hack it. If it gains entry, it’ll alter the victim’s DNS settings so that they’ll be redirected to phishing websites in the future.

    So, can a Wi-Fi router get viruses?

    Like any other device with an operating system (OS), your router is vulnerable to malware, such as the VPNFilter and Switcher Trojan threats described above. While many routers use a Linux-based OS, some router manufacturers create their own. The 2018 cryptomining attack targeting MikroTik routers is a notorious example of how hackers create malicious scripts to target specific router operating systems.

    The biggest threat to your router is a weak password or other security vulnerability, such as an enabled WPS (Wi-Fi Protected Setup) PIN. It’s much easier to crack a PIN than a long and complex password.

    How much damage could router malware cause?

    If a hacker manages to infect or invade your router, the risks could be significant. A DNS hijacking attack on your router could affect any device on your network, as anyone using your network may find their internet traffic redirected to malicious websites.

    Some of these are traps designed to mimic trusted websites. You might think you’re entering your credit card number into your favorite ecommerce website, but you’re actually handing that information over to a hacker.

    Router hackers may also redirect your traffic to sites that run malicious scripts in your browser to steal your passwords as you enter them into the websites you visit. Some hackers may use these scripts in a cryptojacking attack, forcing your computer to mine cryptocurrency for them, which will slow your computer down, increase power consumption, and quickly drain your laptop’s battery.

    Another potential consequence of a router hack is an attacker gaining access to your Wi-Fi in order to spy on the traffic coming in and out of your network, from whatever device is connected to it. That includes your computers, your family’s phones, and any other connected devices in your home.

    Think of a router attack as giving a thief the keys to your home — everything on your network is in danger. A router hacker can use your router to help themselves to all the data on all the devices on your network, and install additional malware while they’re at it. That’s why improving your router security is the first step in surviving a large-scale cyberattack.

    How to tell if your router is infected

    You’re probably here because you think your router has a malware problem — let’s find out if your instincts are correct. Here, we’ll show you a couple of ways to check your router for malware.

    First, we’ll review several common symptoms that may indicate a malware infection on your router. Then, we’ll show you how to perform a quick Wi-Fi network safety scan with a dedicated router checker tool.

    Common signs to watch for

    The warning signs on this list may signal the presence of a router virus, other router malware, or DNS hijacking. Many instances of router hacking happen as a result of weak passwords or other inadequate security measures.


    Your internet starts running slower than usual

    Your router’s performance may decline as it struggles to deal with whatever internal problems it may have. If your internet suddenly slows down for no apparent reason, you may want to investigate to see if anything’s amiss with your router.


    Computer programs begin to crash randomly

    Router infections don’t necessarily limit themselves to your router. Many hackers will compromise your router as a means to infect your other devices (like your computer) with additional malware. Should your computer begin to misbehave, it might indicate that your network has been breached. In general, you can avoid performance issues like this by cleaning up your computer to keep it running lean and fast — but a dose of malware via an infected router can ruin all your hard work.

    Fake antivirus messages appear as pop-ups

    Fake antivirus messages and other pop-ups are telltale signs of scareware and adware, respectively. Scareware attempts to coerce you into paying for often-useless antivirus software to protect your computer against a phony malware infection, while adware showers you in ads to generate ad revenue for its operator. Both scareware and adware are examples of malware that a hacker can place on your computer once they’ve compromised your router. If you’re noticing an uptick of ads while browsing, an adware infection could be the reason — treat it quickly with a dedicated adware cleaner tool.


    Your data becomes locked with ransomware

    In the list of obvious signs that something is wrong, this one might be number one. If a hacker has breached your router and landed a bit of nasty ransomware on your computer, that ransomware will make itself known immediately and unambiguously. Hopefully you never have to experience a ransomware attack, but if you do, get rid of it immediately with the help of a ransomware removal tool.


    Internet searches get redirected for no apparent reason

    This is one of the primary symptoms of a DNS hijacking attack. The attacker will reroute your internet traffic away from the websites you want to visit, sending you instead to sites and servers that they control. They’re hoping that you’ll inadvertently divulge some sensitive personal information or click an infected link that downloads malware to your device.


    Familiar sites look or behave differently

    Look for unexplained changes in familiar, well-known websites that you frequently visit. Does their URL begin with HTTP only, when the site should be served over HTTPS? Do their sites suddenly look different? Are you seeing strange errors when trying to log in? Is your browser consuming an unusually large share of your CPU, causing your CPU fans to spin up loudly? Any of these signs can point to DNS hijacking.

    Unknown software and toolbars are being installed

    Bloatware — and other unwanted software — is a common side effect of malware. Anytime you notice new software on your computer, or if your settings have been changed without your knowledge, consider that a red flag.

    Use a dedicated router virus checker

    AVG AntiVirus FREE can scan your wireless network to identify any vulnerabilities that may expose you to a DNS hijacking attack or malware infection.

    Here’s how you can use it to scan your Wi-Fi network:

    1. Open AVG AntiVirus FREE and click Computer under the Basic Protection category.

      (Screenshot: Opening the Computer protection tools in AVG AntiVirus FREE for Windows 10)

    2. Select Network Inspector. On the next screen, click Scan Network.

      (Screenshot: Opening the Network Inspector cybersecurity tool in AVG AntiVirus FREE for Windows 10)

    3. Choose the type of network you’re using: Home or Public.

      (Screenshot: Choosing to scan a Home or Public network with the Network Inspector tool in AVG AntiVirus FREE for Windows 10)

    4. After you make your selection, AVG AntiVirus FREE will start scanning your wireless network.

      (Screenshot: Scanning a home wireless network with the Network Inspector tool in AVG AntiVirus FREE for Windows 10)

    5. After the scan is complete, you’ll see a list of all the devices on your network. The list includes your router, your computer, your phone, and so on. Click the arrow next to any device to learn more about it — hover your mouse over the arrow to see the text “Show details.”

      When you’re done, click Done.

      (Screenshot: The results of a network scan using the Network Inspector tool in AVG AntiVirus FREE for Windows 10)

    Network Inspector is just the tip of the feature iceberg when it comes to the full suite of cybersecurity protections you’ll enjoy with AVG AntiVirus FREE. Detect, block, and remove malware, keep hackers out of your devices, and avoid unsafe links and email attachments with a cybersecurity tool trusted by over 400 million users.

    Check your router’s DNS settings

    One obvious giveaway that your router has been compromised is if your DNS settings have been changed. You can check your DNS settings manually to confirm if everything is normal.

    1. From your browser, log into your router’s settings. You’ll find out how to do this in your router’s support documentation.

    2. Find the DNS settings in your router menu. The exact location of these settings will differ from one router to the next, but try looking in the “internet” or “network” section.

    3. An “automatic” DNS configuration is a good sign — that means that your router is getting its DNS information directly from your ISP. That’s what you want to see.

      You may have previously set up your own manual DNS settings. If so, double-check that they’re still the same.

    4. But if it appears that your DNS settings have been manually adjusted, that may indicate the presence of router malware or other tampering.
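The same check can be automated on a client device, because a hijacked router hands its altered resolvers out to every machine via DHCP. The script below is an added example, not part of the original article: it parses the resolvers a client received (sample resolv.conf text constructed inline) and flags any that is neither the router itself (the “automatic” case) nor one the owner deliberately configured; the router address and the allowlist are assumptions.

```python
import ipaddress

# Constructed sample: on a clean network the client gets the router itself (the
# "automatic" case, where the router forwards DNS to the ISP) as its resolver.
CLEAN_RESOLV_CONF = """\
# Generated by DHCP
nameserver 192.168.1.1
search lan
"""

# Constructed sample: the router now also hands out an external resolver the
# owner never configured, which is the pattern of a DNS hijack.
SUSPECT_RESOLV_CONF = """\
nameserver 192.168.1.1
nameserver 198.51.100.23
"""

# Hypothetical public resolvers the owner chose on purpose.
USER_ALLOWLIST = frozenset({"1.1.1.1", "9.9.9.9"})

# RFC 1918 ranges: addresses inside the home network.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf-style text."""
    return [parts[1] for parts in (l.split() for l in text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]

def classify_resolver(addr, router_ip, allowlist):
    """router: automatic/ISP-forwarded; trusted: chosen by the owner; lan: another
    home-network device (check it); suspect: external and unconfigured."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"          # garbage in the config is itself worth a look
    if addr == router_ip:
        return "router"
    if addr in allowlist:
        return "trusted"
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"
    return "suspect"

def audit(text, router_ip, allowlist=USER_ALLOWLIST):
    """Map each resolver to its class; any 'suspect' entry means the DNS settings
    were changed without you and the router needs a closer look."""
    return {s: classify_resolver(s, router_ip, allowlist)
            for s in parse_nameservers(text)}
```

On a real machine, pass the contents of the client’s resolver configuration and your gateway address to audit() instead of the constructed samples.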

    How to remove viruses and malware from an infected router

    If you think that your router has been affected by an attack, your next step is to remove the offending malware. But note that the procedures described below may vary in effectiveness, depending on both your router model and the type of malware you’re dealing with.

    For example, VPNFilter can be removed with a simple factory reset. But the Switcher Trojan’s DNS manipulations can persist through a reboot. So even if you manage to restore your DNS settings, you might still be at risk. And since Switcher infects Android devices, not your router itself, you’ll need to remove the malware from your phone so it can’t infect your router a second time.

    Having said that, here’s how to remove a virus (or other malware) from your Wi-Fi network.

    1. Back up important data and files

    Before performing any sort of device reset, you should always back up your important data and files. If you haven’t already done so, back up your PC to an external storage device or to your cloud storage account.

    Resetting your router won’t affect the files on your PC, but as a general precaution, always back up your files.

    2. Perform a factory reset on your router

    A factory reset restores your router to the condition it was in when you got it. All your settings will be wiped, but hopefully, so will your malware infection. As mentioned, performing a factory reset is an effective solution against VPNFilter, because it removes the malware from your router.

    In most cases, you’ll perform the factory reset by depressing a small button on your router with a paperclip or other tiny object. Consult your user manual for specific guidance.

    3. Update your device password

    After the reset is complete, you’ll need to reconfigure all your settings, including your Wi-Fi network name and password. Your router’s login credentials will also have returned to their default settings. Since many types of router malware will use the default login info to access your router, now would be a great time to update your router username and password.

    By protecting your router with a strong and unique password, you’ll be well-insulated against any router malware that relies on default admin credentials to gain access.

    Install an antivirus with router security features

    Take your router safety a step further by safeguarding your Wi-Fi network with dedicated router virus protection. AVG AntiVirus FREE continually scans your home network to detect any vulnerabilities that hackers could use to break in. And we’ll alert you if and when any new devices join your network, so you’ll know right away if a hacker (or a hopeful neighbor) has decided to avail themselves of your network.

    Keep hackers out and protect all your devices with AVG’s industry-leading cybersecurity solution.
