EXECUTIVE SUMMARY:

A few short years ago, hackers deployed a botnet to make use of over a million compromised routers. Attackers could then intercept internet traffic, spy on individuals, or render devices entirely inoperable. Wondering about how to check your router for malware? Get insights in the following article.

Key facts: Why worry about router attacks?

Router attacks allow hackers to:

  • Gain unauthorized access
  • Engage in Denial of Service attacks
  • Carry out routing table poisoning
  • Launch persistent attacks

And more.

The relative insecurity of routers

The home router market resembles the Android smartphone market. Manufacturers are continually producing devices, but commonly forgo updates. In other words, many routers are open to cyber threats.

Attackers often attempt to alter the DNS server settings on routers. They point it at a malicious DNS server. When a person then tries to connect to a website, the DNS server reroutes to a phishing site instead. For example, an individual who wishes to access a banking website might see the correct URL in the address bar, but will instead land on a phishing domain.

Malicious DNS servers do not necessarily respond to all queries. Rather, the server might time out on the majority of requests. Subsequently, a user may be redirected via the ISP’s default DNS server. Slow DNS requests indicate a possible router infection.

Hiding in plain sight

Some people may notice a phishing site’s lack of HTTPS encryption. However, this detail will slip past many. SSL-stripping attacks can even remove the encryption in transit. Further, many router attacks leverage cross-site request forgery (CSRF). An attacker places malicious JavaScript onto a web page. Then, the JavaScript tries to load the router’s web-based administration page and alter its settings. Because the JavaScript runs on a device inside the local network, it can reach the router’s web interface even though that interface is only available from within your network.

Some routers also have remote administration interfaces enabled, protected by nothing more than a username and password. Bots scan the Internet for such routers. Other attack types exploit other router issues. For example, UPnP appears to be vulnerable on numerous routers.

Check router for malware

A key indicator of router compromise is that the DNS server has been changed. Visit your router’s web-based interface and look at the DNS server setting. To do that, you’ll need to access your router’s web-based setup page. Check the network connection’s gateway address or review your router’s documentation to find out how to do so.

Sign in with your router’s username and password, if needed. Look for a “DNS” setting. It’s often on the WAN or internet connection settings screen. If it is set to “Automatic,” that is generally fine. If it is set to “Manual,” that could be a problem, unless you configured it yourself to use reputable alternative DNS servers, for example 8.8.8.8 and 8.8.4.4 for Google DNS, or 208.67.222.222 and 208.67.220.220 for OpenDNS. If there are DNS servers listed that you don’t recognize, that indicates the potential presence of malware.

If in any doubt, perform a web search for the DNS server addresses and see whether they’re legitimate. A value such as “0.0.0.0” is fine; it usually just means the field is empty and the router is obtaining a DNS server automatically instead.

You may want to check your router settings periodically in order to evaluate the probability of compromise.
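The checks above can be scripted on the defender’s side. The following is an added example, not code from the article or from CyberTalk.org: it classifies each DNS server a router hands out (copied from the router’s DNS fields, or read from a resolv.conf-style file on a client) against the resolvers the article names. The allow-list, the LAN range 192.168.1.0/24 and the sample resolv.conf text are assumptions; extend the allow-list with your ISP’s resolvers.

```python
"""Classify router-supplied DNS servers, following the article's checks."""
import ipaddress
import re
from typing import Dict, Iterable, List

# Public resolvers named in the article. Assumption: add your ISP's resolvers
# (from its documentation) before trusting the verdicts for your own network.
KNOWN_GOOD = {
    "8.8.8.8", "8.8.4.4",                # Google Public DNS
    "208.67.222.222", "208.67.220.220",  # OpenDNS
}


def classify_dns(server: str, known_good: Iterable[str] = KNOWN_GOOD,
                 lan: str = "192.168.1.0/24") -> str:
    """Return 'empty', 'known', 'local', 'invalid' or 'unknown' for one DNS field."""
    server = server.strip()
    if server in ("", "0.0.0.0"):
        return "empty"      # field unset: router obtains a resolver automatically
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"    # not an IP address at all; worth a closer look
    if server in set(known_good):
        return "known"
    if addr in ipaddress.ip_network(lan, strict=False):
        return "local"      # the router itself (or a LAN host) forwarding DNS
    return "unknown"        # unrecognised resolver: look it up before trusting it


def audit(dns_fields: Iterable[str], **kw) -> Dict[str, List[str]]:
    """Group every configured DNS server by verdict; 'unknown' entries need review."""
    report: Dict[str, List[str]] = {}
    for field in dns_fields:
        report.setdefault(classify_dns(field, **kw), []).append(field.strip())
    return report


RESOLV_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.M)


def nameservers_from_resolv_conf(text: str) -> List[str]:
    """Pull nameserver entries from resolv.conf-style text (what DHCP gave the host)."""
    return RESOLV_RE.findall(text)


# Constructed sample: what a client might receive via DHCP from a tampered router.
SAMPLE_RESOLV_CONF = """# Generated by DHCP (constructed sample)
nameserver 192.168.1.1
nameserver 203.0.113.53
"""

if __name__ == "__main__":
    for verdict, addrs in audit(nameservers_from_resolv_conf(SAMPLE_RESOLV_CONF)).items():
        print(f"{verdict:8s} {', '.join(addrs)}")
```

On Linux or macOS, feed the script the contents of /etc/resolv.conf; on a router’s setup page, paste the primary and secondary DNS fields into `audit()` directly.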

Check router for malware: Keeping routers safe

Now that you know about how to check your router for malware, ensure that your router continues to stay safe.

Remain aware of threats.

Stop seeing routers as a part of the furniture. Start seeing routers as potential threat vectors.

Change the default admin credentials.

Ensure that you have changed the router password since pulling it out of the box. Well-known algorithms are used to generate default passwords, making the devices susceptible to attacks.

Upgrade router firmware.

This fixes any known vulnerabilities within the router.

Always log out.

When you have finished using your router’s administrative page, log out to avoid session hijacking.

Set router DNS servers to automatic mode.

Use automatic (DHCP) mode, or a static value that you set yourself based on your ISP’s documentation.

Consider disabling remote access.

Depending on what and whom the router supports, you may want to consider disabling remote access to the router’s web-based administration pages.

Router security isn’t tough. Most of us just need to take the time for it. For the latest router security insights, please see CyberTalk.org’s past coverage. Lastly, to receive cutting-edge cyber security news, exclusive interviews, expert analyses and security resources, please sign up for the CyberTalk.org newsletter.