Hurry and turn off your router... Thousands of routers are being hacked by malware that persists even after rebooting the device.


Thousands of routers are being used without the owners' knowledge as part of a network designed to facilitate cybercrime activities.

Lumen Technologies discovered a botnet of 14,000 routers and networking devices, primarily from Asus, acting as nodes in an anonymous proxy network.

The malware responsible, dubbed KadNap, infected devices by exploiting security vulnerabilities that their owners had not patched.

According to researcher Chris Formosa of Black Lotus Labs, Lumen's cybersecurity research lab, the large number of compromised Asus routers is likely due to the botnet operators finding a vulnerability in these models that they can exploit effectively.

Researchers first detected this network in August of last year, when it had approximately 10,000 compromised devices. Since then, the network has continued to expand and now comprises 14,000 infected routers.

Most of the affected devices are located in the United States, although compromised devices have also been identified in countries such as Taiwan, Hong Kong, and Russia.

One of the most distinctive features of the KadNap malware is its architecture. It uses a peer-to-peer design based on Kademlia, which employs distributed hash tables to mask the IP addresses of the servers controlling the network.

This design makes the botnet more difficult to detect and dismantle using traditional methods. Distributed hash tables have long been used to create networks resistant to hacking or blocking attempts.

The compromised devices are used to transmit data within Doppelganger, a paid proxy service that routes its clients' connections through real home connections.

Thanks to the good reputation of these IP addresses and their bandwidth, the system allows anonymous web browsing and access to pages that might otherwise be restricted.

For users who suspect their router is infected, researchers advise checking the device's logs for signs of infection. If infection is confirmed, the only way to remove the malware is a factory reset, as a simple restart is insufficient to remove the script that reactivates the infection.

