Is it possible to be sure a previously compromised router is safe to use again?


For the past two weeks, I've been dealing with a computer nightmare. On my primary PC, MalwareBytes reported something on my computer called "spyware.password". I immediately began trying to remove it. After discovering that it kept reappearing every time I removed it (within 10 minutes of originally discovering it), I disconnected my internet adapter. Over the next week as I tried to remove infections, every time I reconnected to the internet, infections would appear again. I could remove them easily enough if I was not connected to the internet, but the second I connected again, they would begin appearing again. Researching the infections that were being reported turned up that these infections were not the kind you get by going to a bad website/opening the wrong email/doing anything at all, but were actually planted on my computer directly through a security loophole of some sort. I reinstalled Windows, wiped two of my three hard drives, and temporarily installed a different router with a new SSID and all new security information. Finally, I was able to be online without downloading a virus every 2 seconds.

Some background on how this relates to my router: a few weeks before this happened, I logged into my router admin and saw that a firmware upgrade was available. I installed the upgrade. Immediately, we began having internet problems. The network connection would stay connected, but every few hours, every device in the house would not be able to make new connections to the internet. Existing connections were fine. For example, if Skype was active while the disconnect happened, I could still keep talking to people on Skype, but couldn't browse anywhere in Chrome. Lacking a hardwire, I finally just downgraded the firmware back to the old version over wifi a week later (which fixed the problem).

Everything I was able to turn up on this malware attack makes it look like a hacking attempt. Both kinds of malware that were detected turned up results saying that they were designed to steal passwords and send them to a remote computer. Both sets of malware are contracted not by doing anything, but just by having them placed on your computer. Both sets of malware are able to be controlled remotely by a human. I suspect that there was a major security hole somewhere between our ISP and my computer, and that it may very well have been the router.

I don't like the temporary router we're using, and would like to go back to the old model of router we were using, but I'm afraid that the security flaw may lie in the router. Rather than replace that router with another one of the same make and model (which seems wasteful), I would love to be able to be sure that that router is either a) not where the attack got through, or b) secure again.

Once a router is somehow compromised, is there any way to be sure you can trust it again?

router manufacturer: Netgear

router model: Wireless-N 300 WNR2000 v2


Posted 2012-10-05T20:16:02.643

Reputation: 187



In all my experience of computing, I will not say it is impossible, but I would say it is very unlikely (as long as the update was official/came from Netgear). I think the most likely cause is that you simply have a dodgy/bad firmware update on your router - check to see if there is a new release.

When my router goes bad, I notice very similar things and a reboot usually fixes it (also a Netgear - happens about once every 3 weeks).

As for the actual malware, again, very bad timing, but, I doubt it is related.

William Hilsum


Reputation: 111 572

I downloaded the firmware upgrade through the router's admin area, and then the downgrade directly from the Netgear support site. The only ways I can imagine the post-downgrade firmware to have been a false version would have been either a hacking of the Netgear website, or some kind of very specific and timely man-in-the-middle attack on my connection/PC. I do see it as being possible that the downgrade missed something or applied badly, perhaps leaving room for someone to mess with it. – CodeJunkie – 2012-10-05T20:32:15.930


Adding to what William Hilsum said.

Most security holes these days are in web browsers, like IE, Firefox or Chrome; running the latest browser and applying updates as soon as they come out is the best protection. A serious security hole in a browser can infect a system just by visiting an infected website, no user action required other than going to an infected website, and you will never know which site is infected, so run a modern browser and keep it patched.



Reputation: 54 203

Your second comment here kind of answers itself. Flash and Java are the most exploited catalysts for infection. I've seen first hand extremely mainstream sites get their ad-networks compromised. I use AdBlock myself. AdBlock doesn't actually block every advertisement. They maintain some kind of whitelist that advertisers have to get into. And if one of those whitelisted advertisers gets compromised, all bets are off. – Residualfail – 2016-12-27T16:34:39.317

While it's possible that browsing was the source of the virus/attack, I run a kind of paranoid level of security. I only use Chrome (which generally updates itself), I use the NotScript extension and am very cautious about allowing JavaScript, I run Ad Block in Chrome, and I run MalwareBytes paid version, and Bit Defender Total Internet Security. I run so much security when browsing that it restricts my actual computer use a little. It's possible that the attack still got through that way, but I like to hope that that much security is enough. – CodeJunkie – 2012-10-05T20:37:23.583

Adding to my previous comment, I had used Google Image Search a few days before this began. A large percentage of the viruses I've gotten over the years have happened that way. I guess it's possible that a page in the results used Flash or Java to install the virus, or even that somehow they hijacked a domain that I had allowed to run JavaScript. – CodeJunkie – 2012-10-05T20:39:09.837