As iTWire reported on Thursday, the FBI said it had taken control of a domain that served as the primary command and control centre for the malware, thus making it possible for owners of infected devices to reboot and prevent the second and third stages of the malware from being loaded. Initial reports from Cisco's Talos Intelligence Group said half a million devices were infected by the malware.
Netgear said users should also ensure they had changed the default passwords on their devices and also ensure that remote management was turned off.
The devices come with remote management turned off and can only be turned on in the advanced settings.
Among the Netgear devices attacked were:
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
Linksys has advised customers to change administration passwords periodically and ensure software is regularly updated. The company recommended a factory reset of a router if there was a suspicion that it had been infected. Three Linksys devices, the E1200, E2500 and WRVS4400N, were found to be among infected devices.
Another router manufacturer, MikroTik, said it was sure that any infected devices would have a vulnerability in MikroTik RouterOS software, which was patched in March 2017. It said upgrading RouterOS software would delete VPNFilter and any other third-party files, and would patch the vulnerability. MikroTik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072 were found to be affected.
Commenting on the incident, Eric Trexler, vice-president, Global Governments and Critical Infrastructure at security firm Forcepoint, said: "While determining attribution and intention are both hard, the evidence provided does look pretty convincing that something potentially very unpleasant is happening.
"I would deal with this today, not tomorrow, if I were running any of the impacted devices. A factory reset of certain routers - not every router you own - is a commonsense approach to risk management."
Forcepoint is a subsidiary of giant US defence contractor Raytheon.
Trexler added: "In the absence of good indicators of compromise that customers can use, getting on to the latest patched level is critical. If a particular device has been identified as vulnerable, I think the reset approach sounds like a reasonable response.
"However, that advice could change pretty quickly, so it's going to require defenders to watch what could be a rapidly evolving threat environment and change with it.
"Another consideration is the link back to SCADA and Modbus, which is particularly worrisome. The Modbus SCADA protocol has been used in millions of critical and industrial devices globally since 1979. The need for separation of IT/OT networks is critical to cyber resiliency.
"When any device is susceptible to compromise, the only effective way to combat the latest attacks is through network segregation. No longer can we afford to keep our critical infrastructure connected to and therefore directly accessible to the Internet.
"VPNFilter proves that time-tested military techniques such as network segregation not only makes sense, but is required if we expect industrial services to remain resilient in the face of sophisticated and persistent attacks."