Can A Router Get A Virus?

Your router is vulnerable to viruses, but you can protect yourself

Image of a wireless router

 deepblue4you\Getty Images

If you have a router, one question you may have is "can a router get a virus?" And the answer is yes, it can. Many people don't realize that a router is just as vulnerable to being infected with a virus as regular computers are. The most common reason routers get infected is because the owners forget to change the default administrator password.

How Can a Router Get a Virus?

A router can get a virus if hackers are able to get through the initial login screen and modify router settings. In some cases, viruses can even modify the embedded firmware the controls the router software itself.

Fortunately, you don't need to toss out an infected router. There are ways you can repair and then protect that infected router from further infections in the future.

Two major examples of router viruses that have infected thousands of routers in the past include the Switcher Trojan and VPNFilter.

How the Switcher Trojan Infects Routers

The Switcher Trojan starts out by infecting an Android smartphone, via a malicious app or if the user clicked on a hacker's phishing email. Once that infected Android phone connects to any Wi-Fi network:

  • The Trojan communicates with the hackers' central server to report the name of that network's identification.
  • It then attempts to log into the router using the router brand's default administrator password, as well as testing other passwords.
  • Once logged in, the Trojan modifies the default DNS server addresses to a malicious DNS server.
  • The malicious DNS server redirects all internet traffic from that Wi-Fi network through the hackers' servers, which attempt to strip sensitive information like bank account and credit card details, login credentials, and more.
  • Sometimes the fake DNS servers will return an alternate website (like Paypal or your bank website), so they can collect your login details.

A regular DNS server converts the URL you type into your web browser (like "google.com") into an IP address. Switcher IP modifies your routers correct DNS settings (for your own internet provider's DNS servers) to the hacker's DNS servers instead. Hackers then provide your browser with incorrect IP addresses for the websites you visit.

How VPNFilter Infects Routers

VPNFilter infects home Wi-Fi routers in the same way Switcher Trojan does. Usually a device connecting to the Wi-Fi network is infected, and that malicious software hacks into the home router. This infection happens in three stages.

  • Stage 1: A "malware loader" infects the router's firmware. This code works to reach out over the internet and install additional malware onto the router.
  • Stage 2: The stage 1 code installs additional code that resides on the router and performs actions like collecting files and data from devices connected to the network. It will also attempt to remotely run commands on those devices.
  • Stage 3: The stage 2 malware installs additional malicious plug-ins that do things like monitor network traffic to capture sensitive user information. Another add-on is called Ssler, which converts secure https web traffic (like when you log into your bank account), into insecure http traffic so that hackers can extract your login credentials or account information.

Unlike most router viruses that get wiped when you reboot your router, the VPNfilter code stays embedded into the firmware even after a reboot. The only way to clean the virus from your router is to perform a full factory reset following the manufacturer's factor reset instructions.

There are additional router viruses on the internet, but they all follow the same tactic. They first infect a device. When that device connects to your Wi-Fi network, the virus attempts to log into your router using either the default password, or checking for a poorly created password.

Does My Router Have a Virus?

If the following behaviors are happening on your network, there's a chance your router could be infected.

  1. If, when you visit websites that should be secure (like Paypal or your bank), you don't see the lock icon in the URL field you might be infected. Every financial institution uses secure HTTPS protocol. If you don't see the lock icon, then your movements on that website aren't encrypted and could be viewed by hackers.

    The location of the lock icon on a web browser address bar.
  2. Over time, malware can consume your computer CPU and slow down performance significantly. Malware running on either your computer or on your router can cause this behavior, but combined with all the other behaviors listed it may mean that your router is the device that's infected.

    Screenshot of high CPU on a computer
  3. If, even after scanning and cleaning your computer of malware and viruses, you're still seeing ransomware pop-up windows demanding payment or your files will be destroyed, it's a pretty good indication that your router is infected.

    Image example of a ransomware pop-up window
      AndreyPopov\Getty Images
  4. When visiting regular websites, and you notice that you're sometimes redirected to strange websites that you don't recognize, it could indicate your router is infected. Sometimes those sites may be spoofed sites that look very similar, but exactly the same as the real site.

    Screenshot example of a fake bank website

    If you do notice that you're redirected to any sites that don't look right, never click any links or type in your account login details. Instead, go through the steps to determine if a virus is causing the unusual behavior.

  5. If you click on Google search links, and end up on an unexpected web page that doesn't look right, it could be another sign that your router is infected with some kind of malware. This is another symptom that a router virus may be redirecting your internet traffic through hacker DNS servers.

    Screenshot of clicking on Google search results

How to Fix an Infected Router

An easy way to check if your router is infected is to run a scan using available online tools. There are many of these available, but you choose to use one, select one that comes from a known and trusted source.

One example is F-Secure, which will scan your router and determine if a virus has hacked your router's DNS settings.

Screenshot of router scan results from F-Secure

If your router is clean, you'll see a message with a green background indicating that it's clean.

Another example is Symantec's scan that checks specifically for the VPNFilter Trojan. To run the scan, just select the checkbox indicating that you agree to the terms, and then select Run VPNFilter Check.

Screenshot of the Symantec VPNfilter scan

Always read the Terms of Service and Privacy Agreement before you agree to them. Most companies are on the up-and-up about these matters, but occasionally you'll find one that tries to be sneaky about how it can collect and use your personal data.

A message will appear to the right of the green button indicating whether or not your router has signs of the VPNFilter Trojan.

If any scans indicate that your router is infected, take the following steps immediately.

  1. Reset the router. In many cases, simply rebooting the router won't fully clean it of a virus infection. Instead, perform a full router reset. This usually requires inserting a sharp object like a pin into a small hole and holding the button down for several seconds. Check your manufacturer's website for factory reset instructions.

    Image of a router reset button
     JaysonPhotography\Getty Images

    A full factory reset will clear all settings from the router. This means you'll have to reconfigure all of the settings again, so only perform a factory reset if you're absolutely certain the router has been infected by a virus or a Trojan.

  2. Update the firmware. If your router was provided by your ISP, the chances are that the ISP automatically pushes firmware updates to your router. If you own the router, you can visit the manufacturer website to search for and download the latest firmware update for your router model. This will ensure the router has the latest patches to guard against the latest viruses.

    Image of a wireless router
     Grassetto\Getty Images
  3. Change the administrator password. To prevent any viruses or Trojans from reinfecting the router, immediately change the administrator password to one that is as complex as possible. This is your ultimate defense against an infected router, so make sure the password is strong.

    Screenshot of changing a Netgear router password
  4. Once you're finished clearing your router of the virus, make sure to go on every device you had connected to your network when the router was infected and run a full antivirus scan. If you don't have antivirus installed on your computer or smartphone, make sure to install one.

It's important to scan your devices before you reconnect them to your network in case a device is infected and tries to reinfect your router. That's why keeping an active antivirus software on your devices at all times it advisable.