Date: 2018-06-11

The ASUS RT66U router, one of the devices known to be vulnerable to VPNFilter.

The recent discovery that new router-based malware, known as VPNFilter, had infected well over 500,000 routers just became even worse news. In a report expected to be released June 13, Cisco states that over 200,000 additional routers have been infected and that the capabilities of VPNFilter are far worse than initially thought. Ars Technica has reported on what to expect from Cisco on Wednesday.

VPNFilter is malware that is installed on a Wi-Fi router. It has already infected almost one million routers across 54 countries, and the list of devices known to be affected by VPNFilter contains many popular consumer models. It's important to note that VPNFilter is not a router exploit that an attacker can find and use to gain access; it is software that is installed on a router unintentionally and that is able to do some potentially terrible things.

VPNFilter's first attack is a man-in-the-middle attack on incoming traffic. It tries redirecting secure, HTTPS-encrypted traffic to a source that is unable to accept it, which causes that traffic to fall back to normal, unencrypted HTTP traffic. The software that does this, named ssler by researchers, makes special provisions for sites that have extra measures to prevent this from happening, such as Twitter.com or any Google service.

Once traffic is unencrypted, VPNFilter is able to monitor all inbound and outbound traffic that goes through an infected router. Rather than harvest all traffic and redirect it to a remote server to be looked at later, it specifically targets traffic that is known to contain sensitive material such as passwords or banking data. Intercepted data can then be sent back to a server controlled by hackers with known ties to the Russian government.
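One way a defender could look for the downgrade described above, as an added example that is not from the original article or from Cisco's report: it flags cleartext HTTP requests to hosts a client previously reached over HTTPS, and cleartext requests carrying credential-like fields. The record layout, field names, and sample data are constructed assumptions about what a LAN-side sensor or endpoint log might provide.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample records: (client_ip, url, form_body).
# For HTTPS only the host is visible to a sensor, so path and body are empty.
SAMPLE_RECORDS = [
    ("192.168.1.20", "https://bank.example/", ""),
    ("192.168.1.20", "http://bank.example/login", "user=alice&password=hunter2"),
    ("192.168.1.31", "http://news.example/index.html", ""),
    ("192.168.1.31", "http://forum.example/signin", "login=bob&passwd=x"),
    ("192.168.1.20", "http://bank.example/logo.png", ""),
]

# Field names treated as sensitive (an illustrative list, not exhaustive).
SENSITIVE_KEYS = {"password", "passwd", "pass", "pwd", "token", "pin"}


def carries_secret(url, body):
    """True if the query string or form body has a credential-like field."""
    fields = parse_qsl(urlsplit(url).query) + parse_qsl(body)
    return any(key.lower() in SENSITIVE_KEYS for key, _ in fields)


def find_downgrades(records):
    """Return alerts for HTTPS-to-HTTP fallbacks and cleartext credentials."""
    seen_https = set()  # (client, host) pairs already observed over TLS
    alerts = []
    for client, url, body in records:
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme == "https":
            seen_https.add((client, host))
            continue
        downgraded = (client, host) in seen_https
        secret = carries_secret(url, body)
        if downgraded or secret:
            severity = "high" if secret else "medium"
            reason = "https-to-http" if downgraded else "cleartext-credentials"
            alerts.append((severity, reason, client, host, parts.path))
    return alerts


if __name__ == "__main__":
    for alert in find_downgrades(SAMPLE_RECORDS):
        print(alert)
```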

VPNFilter is also able to change incoming traffic to falsify responses from a server. This helps cover the tracks of the malware and allows it to operate longer before you can tell something is going wrong. An example of what VPNFilter is able to do to incoming traffic, given to Ars Technica by Craig Williams, a senior technology leader and global outreach manager at Talos, says: