Can a Router Get a Virus?

Your router is vulnerable to viruses—so use a strong router password

A router is as vulnerable to being infected with a virus as a computer. A common reason why routers get infected is that the owner forgot to change the default administrator password.

How Can a Router Get a Virus?

A router can get a virus if hackers can get through the initial login screen and modify the router settings. In some cases, viruses can modify the embedded firmware that controls the router software.

You don't need to toss out an infected router—repair and then protect that device from further infections in the future.

Two common router viruses that have infected thousands of routers in the past include the Switcher Trojan and VPNFilter.

How the Switcher Trojan Infects Routers

The Switcher Trojan infects an Android smartphone through an app or by a click-through on a phishing email. After that infected Android phone connects to any Wi-Fi network:

  • The Trojan communicates with a central server to report the name of that network's identification.
  • It then attempts to log in to the router using the router brand's default administrator password, as well as testing other passwords.
  • If it logs in, the Trojan modifies the default DNS server addresses to a DNS server under the virus maker's control.
  • The alternative DNS server redirects all internet traffic from that Wi-Fi network through the new servers, which attempt to strip sensitive information like bank account and credit card details, login credentials, and more.
  • Sometimes the fake DNS servers return an alternate website (like Paypal or your bank website) to scrape your login details.

A regular DNS server converts the URL you type into a web browser (like google.com) into an IP address. Switcher IP modifies the router's correct DNS settings (for your internet provider's DNS servers) to the hacker's DNS servers. The compromised DNS servers then provide the browser with incorrect IP addresses for the websites you visit.

How VPNFilter Infects Routers

VPNFilter infects home Wi-Fi routers in the same way Switcher Trojan does. Usually, a device connecting to the Wi-Fi network is infected, and that software penetrates the home router. This infection happens in three stages.

  • Stage 1: A malware loader infects the router firmware. This code installs additional malware onto the router.
  • Stage 2: The stage-one code installs additional code that resides on the router and performs actions like collecting files and data from devices connected to the network. It also attempts to run commands remotely on those devices.
  • Stage 3: The stage-two malware installs additional malicious plug-ins that do things like monitor network traffic to capture sensitive user information. Another add-on is called Ssler, which converts secure HTTPS web traffic (like when you log in to your bank account) into insecure HTTP traffic so that hackers can extract your login credentials or account information.

Unlike most router viruses that get wiped when you reboot a router, the VPNfilter code stays embedded into the firmware after a reboot. The only way to clean the virus from a router is to perform a full factory reset following the manufacturer's factory-reset instructions.

There are additional router viruses on the internet, and all follow the same tactic. These viruses first infect a device. When that device connects to a Wi-Fi network, the virus attempts to log in to the router using the default password or by checking for a poorly created password.

Does My Router Have a Virus?

If the following behaviors are happening on your network, there's a chance your router could be infected.

  1. When you visit websites that should be secure (like Paypal or your bank), but you don't see the lock icon in the URL field, you might be infected. Every financial institution uses the secure HTTPS protocol. If you don't see the lock icon, then your movements on that website aren't encrypted and could be viewed by hackers.

    The location of the lock icon on a web browser address bar.
  2. Over time, malware can consume the computer CPU and slow down performance. Malware running on either the computer or on the router can cause this behavior. Combined with the other behaviors listed may mean that the router is infected.

    High CPU on a computer
  3. If, after scanning and cleaning the computer of malware and viruses, you still see ransomware pop-up windows demanding payment or your files will be destroyed, it's a good indication that the router is infected.

    Example of a ransomware pop-up window
    AndreyPopov / Getty Images
  4. When you visit normal websites but are redirected to strange websites that you don't recognize, it could indicate that your router is infected. Sometimes those sites may be spoofed sites that look similar to the real site.

    A fake bank website

    If you're redirected to sites that don't look right, never click any links or enter your account login details. Instead, go through the steps to determine if a virus is causing the behavior.

  5. If you click Google search links and end up on an unexpected web page that doesn't look right, it could be another sign that the router is infected with malware.

    Clicking on Google search results

How to Fix an Infected Router

To check if your router is infected, run a scan using available online tools. There are many of these available, but choose one that comes from a known and trusted source. One example is F-Secure, which scans the router and determines if a virus has hacked the router's DNS settings.

Router scan results from F-Secure

If your router is clean, you'll see a message with a green background indicating that it's clean.

Another example is the Symantec scan that checks specifically for the VPNFilter Trojan. To run the scan, select the check box to indicate that you agree to the terms, and then select Run VPNFilter Check.

The Symantec VPNfilter scan

Always read the Terms of Service and Privacy Agreement. Occasionally, one tries to be sneaky about how it collects and uses personal data.

If any scans indicate that your router is infected, take the following steps:

  1. Reset the router. In many cases, rebooting the router won't thoroughly clean it of a virus infection. Instead, perform a full router reset. This process usually requires inserting a sharp object like a pin into a small hole and pressing the button for several seconds. Check the manufacturer's website for factory reset instructions.

    A full factory reset clears all settings from the router. You'll have to reconfigure all of the settings again, so only perform a factory reset if you're confident a virus or a Trojan infected the router.

  2. Update the firmware. If your ISP provided the router, chances are the ISP automatically pushes firmware updates to the router. If you own the router, visit the manufacturer website to search for and download the latest firmware update for your router model. This process ensures the router has the latest patches to guard against the latest viruses.

  3. Change the administrator password. To prevent any viruses or Trojans from reinfecting the router, immediately change the administrator password to something more complex. A good password is your best defense against an infected router.

    Changing a Netgear router password
  4. After you clear the virus, run a full antivirus scan on all devices that connect to the infected router.