Malware Alerts
Learn about malware alerts and what you can do to resolve them.
What is malware and how does it occur?
Malware is a type of malicious software, designed to infect your device to manipulate or damage it. Malware can also record or steal information like bank details or account logins.
Usually, malware is installed accidentally. Malicious software can be hidden in other seemingly harmless software and downloads, such as torrents, apps or screensavers. That's why you should always avoid downloading content from unknown or untrustworthy sources.
Visit our online security blog to learn more about malware and what you can do to avoid it.
What is a malware alert?
If we suspect that one of your devices has become infected with malware, we'll send you a letter or email alert giving an overview of the issue and advice on what to do next.
Because your financial transactions and personal data could be at risk, it's vital that you follow the advice as soon as possible.
Types of malware alerts
There are a number of different types of malware out there that can infect your devices in different ways. You can learn more about these below.
QSnatch is a form of malware that’s specifically designed to target QNAP Network Attached Storage (NAS) Devices.
Flashback is a form of Trojan that specifically targets the macOS operating system. The Flashback malware is designed to steal personal and financial information from infected devices.
Flubot is a type of malware mainly affecting Android devices. It’s usually distributed by an SMS message notifying a user of a false ‘missed package delivery’. In the message, there’ll be a link to an app – this is in fact a tracking app designed to steals passwords and sensitive data. Once installed on your device, the malware will also access your contact details and send further text messages, attempting to infect your friends and family.
Apple users can also be affected; instead, the text messages will direct them to a site that can take their personal information.
If you receive this message, we ask that you flag it as spam. That way, we can better help protect all our customers on the Virgin Media network. To do this, simply forward the message to 7726. Remember, do not click the link.
Ghost Push is a form of Trojan that specifically targets the Android operating system. The malware is mainly distributed through applications downloaded from untrusted third parties, but can also be hidden in applications downloaded from official markets such as Google Play.
VPNFilter is a form of malware that specifically targets networking equipment running on a home network, such as internet routers and Network Attached Storage (NAS) devices.
Mirai is a form of malware that targets Internet-connected appliances that are connected to your network. These include CCTV systems, smart TVs, smart plugs, NAS (Network Attatchd Storage) drives and other so-called ‘Internet of Things’ devices.
The Mirai malware targets devices that use the Telnet remote access protocol and still use the default username and password set by its manufacturer. These default credentials are often widely available on the Internet, which can allow third parties to remotely access the device and install malware on it.
If you have received one of these alerts, it means we believe a device in your home has been infected with malware that’s sending malicious traffic to other computer systems, and could be trying to access them without authorisation.
We realise this is unlikely to be your fault, but this kind of abuse is against our Acceptable Use Policy. If the abuse continues, we might have to suspend or cancel your broadband service. It is therefore important that you follow the advice provided.
If you’ve received one of these alerts, then it looks like you have an Open Proxy server running on your internet connection. You're probably not aware that your Internet connection is allowing external traffic to pass through it, which means a device on your home network may be infected with malware or you may have misconfigured remote access software installed.
If you have configured a device on your network to act as a proxy server, you should do the following:
Setup authentication on your proxy server
If you require access to your proxy server from devices outside of your home network, it is essential that your server is configured to require authentication from anyone who attempts to connect to it. This will mean only users with the correct login credentials for your proxy server will be able to use it.
Most proxy servers programs will allow authentication to be configured in the software’s control panel or configuration file. For instructions specific to the proxy software running on your server, please refer the application’s official user documentation.
Block external proxy access if you do not require it
If you do not require access to your proxy server from outside your home network, we recommend you block the ports your proxy server software uses in your router’s firewall.
Common ports used by proxy servers include TCP & UDP ports 8080, 9040, 9050, 3128.
If you are unsure what port(s) your proxy server is configured to use, please refer to your server’s proxy configuration file or the server software’s manual.
Remove malware
If you didn’t configure a device on your network to act as a proxy server, you should check it for malware.
How to remove malware
There are a number of things you can do to remove malware from your device, and to protect yourself from its harmful effects too.
The easiest way to check your device has been infected is using a virus scanner. There are plenty of internet security packages to choose from, some that are paid for and some that are free. We even have our own security package, available to all Virgin Media customers.
Find out more about Virgin Media Internet Security.
If you are using an Android or iOS device, you’ll be able to find a variety of virus scanners in your device’s app store.
If you have an existing security package installed, check out the instructions to learn how to remove infections from your device.
If you don't have an existing security package, sign in to your My Virgin Media account and register for the Virgin Media Internet Security. You’ll get a free 3-month trial, and we don’t need any bank or credit card details up front.
When you’ve downloaded and installed the software, you can immediately run a scan of your device.
If you’ve already installed Virgin Media Internet Security, just make sure "Viruses and spyware scanning" is turned on.
When you’ve removed the malware, you’ll need to change the passwords for all your online and email accounts.
If any of your passwords were obtained by a malicious third party as a result of the malware infection, it’s highly likely they’ve attempted or will attempt to use the same passwords across as many websites and online services as possible to try gain access to your accounts.
When changing your passwords, it is important that you use different passwords for all your online accounts and pick strong passwords that are difficult to guess.
It’s important to keep your operating system and application software up to date. Installing software patches will mean attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it.
Essential Security is our standard cyber security product that keeps you and your family safe online by protecting any device connected to your home broadband network.
Built-in and ready to go, Essential Security is always turned ‘On’ by default, automatically providing anti-virus protection at no extra cost.
Provide us with an up-to-date contact email address so we can let you know of any significant issues that may affect your Virgin Media service. To update your contact email address, simply sign in to your My Virgin Media account and select My Profile.
Check your mail forwarding rules to make sure your emails aren’t being forwarded without your knowledge.
To do this in Virgin Media Mail webmail:
Sign in to your Virgin Media Mail account
Click the System Menu icon on the right side of the menu bar
Click the Settings menu item
Select the Auto Forward tab
This will display the email addresses set to receive forwarded emails from your Virgin Media mailbox. If there is an email address you don’t recognise, then select it and delete the forwarding rule.
First, try using an anti-virus app. You can download these from your operating system’s app store.
If your anti-virus app hasn’t cleared the malware, you’ll need to perform a full factory reset on your device. Check out your manufacturers guide for help doing this.
If a complete factory reset doesn’t completely remove the infection, you’ll need to re-flash the firmware on your device and install a clean version of the operating system. This is a complex process, and we recommend taking your device to a certified engineer.
Since this type of malware only affects QNAP devices, we recommend you follow the advice provided by QNAP. Check out the steps to remove malware from your QNAP device.
If you need further help with this type of malware, contact QNAP support.
To successfully remove the malware from the router, you’ll need to perform a full factory reset. Most routers will allow you to do this through the same configuration page that you may use to change your wireless password and network name.
For specific instructions on how to do this, please refer to the manual that came with your router or contact the manufacturer. Please note that this action will remove any custom data or settings from the device.
You should also perform all the above actions on any device or accounts that were connected to the infected router.
To secure Telnet access on your devices, do the following:
Change default passwords
Internet-connected appliances often utilise a default username and password that the manufacturer has set for the Telnet service. These are often the same across hundreds if not thousands of devices from that manufacturer.
Changing the password to your own custom password will protect your device from being targeted by Mirai in the future, as the malware uses a list of common device passwords to connect to your device through Telnet.
Make sure to disconnect the device from the Internet before changing the passwords. Steps on how to change the Telnet password used by any Internet-connected appliances on your home network vary between devices and manufacturers. Consult the documentation that came with your device for details on how to do this.
Disable Telnet access if it isn’t required
If you do not need the Telnet service to be used by systems outside of your home network, it is highly recommended that you block it so only devices within your home can use it.
The Telnet service does not use encryption, meaning any passwords you send between devices using Telnet are sent across in plain text – this poses a security risk.
Only action this step if you are certain you do not need the Telnet service to be accessible from outside your home network.
To close the port used by Telnet on the Virgin Media Hub 3:
Access your Hub's configuration page - default web address: 192.168.0.1
Login with your username and password, default will be shown on the Hub itself
Select Security on the left side of the page
Select the Port Forwarding option
Remove any rules that will keep port 23 open
Select the Port Triggering option
Remove any rules that will keep port 23 open
To close the port used by Telnet on Super Hub 1 or 2s firewall:
Access your Hub's configuration page - default web address: 192.168.0.1
Login with your username and password, default will be shown on the Hub itself
Select Advanced Settings and accept the prompt
Scroll down to the Security section
Select the Port Forwarding option
Tick the Delete box next to any rules that will keep port 23 open
Click the Apply option
Select the Port Triggering option
Tick the Delete box next to any rules that will keep port 23 open
Click the Apply option
To close the port used by Telnet on third-party routers:
If you use a 3rd party router in conjunction with the Hub 3 or Super Hub 1, 2 or 2ac, your router's firewall will need to be configured to ensure port 23 is not accessible outside of your local network - this can be performed by blocking the port or removing any Port Forwarding rules for that port. To identify how to do this with your particular router, refer to the documentation for your device or refer to the manufacturer's website.
Remove the Mirai infection
When the Telnet service has been secured using the solutions above, the next step is to remove the Mirai infection from your device.
To do this:
Disconnect the device from the network
While disconnected from the network, perform a reboot. The Mirai malware exists in dynamic memory so rebooting the device will clear the malware
You should reconnect to the network only after rebooting and changing the password. If you reconnect before changing the password, the device could be quickly re-infected with the Mirai malware
If you have followed the steps above but continue to get notifications regarding this security issue, please follow the below steps:
Firewall - It is important to check all your devices sit behind a firewall. In most cases your firewall is configured as a part of your router, this is the case with the Hub 3 or Virgin Media Super Hub. If you have specifically disabled the Firewall in your router, it is crucial that you configure your devices to sit behind a firewall that is blocking port 23. If this does not apply to you, please proceed to the next step.
Modem Mode - If you are using your Hub 3 or Super Hub 1, 2 or 2ac in Modem Only mode, it is essential that you are using a firewall on any device or router that is plugged directly into the Hub. When in Modem Only mode, your Hub does not operate with a firewall. If this does not apply to you, please proceed to the next step.
DMZ - Most firewalls, including the one provided with the Hub 3 and Super Hub 1, 2 or 2ac include a DMZ option. This feature allows for a device using a specific local IP address on your home network (e.g. 192.168.0.2) to bypass your Firewall settings. This is occasionally necessary if you are using a device that has its own firewall configured. If you have a device configured in your firewall's DMZ that does not use its own firewall, it is crucial that you disable this option immediately. Computers operating without a firewall are extremely vulnerable to attack as all ports are essentially exposed to the wider Internet.
To check if a device is configured in the DMZ on your Hub 3:
Access your Hub's configuration page - default web address: 192.168.0.1
Login with your username and password, default will be shown on the Hub itself
Select Security on the left side of the page
Select the DMZ option
To remove a device from the DMZ, tick the Disable box
To check if a device is configured in the DMZ on your Virgin Media Super Hub 1, 2 or 2ac
Access your Hub's configuration page - default web address: 192.168.0.1
Login with your username and password, default will be shown on the Hub itself
Select Advanced Settings
Select DMZ
To remove a device from the DMZ, uncheck the tick box at the top of the page