Be aware that it's not all that bad. The article is a little scarier than the truth. There was one particular off-name brand of router that was wide open. Most other models are not unless they have WAN side management (ability to log into the control panel from outside the LAN) enabled which should never be enabled and is disabled by default on most routers.
The most important thing you can do (even before this) is change the default admin passwords on your routers and router/modems to a STRONG (random) password. There have long been viruses that will log into your router's control panel in order to open ports. This attack, unlike the router worm, is FROM THE LAN SIDE, from an infected PC on your home network using the factory default password and a dictionary attack.
Other things you can do to secure your router:
- Upgrade to the latest firmware. Firmware is being updated all the time, mostly to address security issues.
- Make sure UPnP is disabled (this is another seriously bad idea that causes a security hole). Unfortunately many routers enable this by default.
- Make sure DMZ is not enabled (DMZ puts a computer right on the internet bypassing the NAT router which should only be used in very specialized situations and if you use it you need a software firewall - port forwarding is a better solution). DMZ is always disabled by default.
- If you think your router might be infected, or just want to play safe, power it down then back on again. This will flush the worm. The worm does NOT install itself in the firmware ROM (this would be impossible without performing a firmware flash). It installs itself in RAM and power cycling the router will clear the RAM.
From the DD-WRT Blog (I use their open source firmware on my Linksys WRT54G router):
As described in the Drone BL Blog the worm works with a brute force attack using dictionary based random passwords - there is nothing we could technically do to prevent that in general. To succeed the worm requires a router with management access enabled at the WAN port (Web / SSH / Telnet) at the standard(!) TCP/IP ports for the services and a weak administrator password.
To nullify the possibility to get your router infected by the worm (or to be attacked with a similar mechanism) you can take the following precautions:
* only enable admin access (Administration > Management > Remote Access) at the WAN port when required (most users don't need this and it's disabled by default)
* if you need administration access via the WAN port:
  - only use services with encrypted password transmission (HTTPS / SSH)
  - choose a non-dictionary based secure password
  - change the TCP/IP ports to non-default ports
If a router got infected you cannot access the router anymore via Web or Telnet (SSH only if you did enable it once). As far as we know the worm does not yet install itself resistant so rebooting the router and checking if you can access it again is a first step. After you can access it again please disable WAN access or take the above mentioned precautions. If WAN access is not enabled your router was not infected and the inaccessibility had another reason. The last option is resetting the router to factory defaults. Because the WAN port is disabled by default, your router then cannot get infected anymore.
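Both the post and the DD-WRT advice come down to one rule: the admin password must not be something a dictionary attack will reach. As an added example (not code from the post or from DD-WRT), the Python below models what such an attack covers (dictionary words with common digit/symbol suffixes and "leet" substitutions), rejects candidate router passwords that fall inside it, and generates a random one that passes. The tiny WORDLIST is a constructed stand-in for a real wordlist file.

```python
import secrets
import string

# Constructed mini wordlist standing in for the dictionary a worm would carry;
# a real check would load a full wordlist (assumed format: one word per line).
WORDLIST = {"admin", "password", "root", "linksys", "default",
            "router", "letmein", "welcome"}

# "Leet" substitutions a dictionary attack also tries, mapped back to letters.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "i",
                      "!": "i", "$": "s", "5": "s", "7": "t"})


def normalize(password):
    """Collapse a candidate to the dictionary word an attacker derives it from.
    Trailing digits/symbols go first ('password123', 'admin!'), then leet
    characters are mapped back ('P@ssw0rd' -> 'password')."""
    core = password.rstrip(string.digits + string.punctuation)
    return core.lower().translate(LEET)


def looks_dictionary_based(password, wordlist=WORDLIST):
    """True if the password is a wordlist entry, a decorated one, or two
    wordlist entries glued together ('AdminRouter')."""
    core = normalize(password)
    if core in wordlist:
        return True
    return any(core.startswith(w) and core[len(w):] in wordlist
               for w in wordlist)


def is_strong_router_password(password, wordlist=WORDLIST, min_len=12):
    """Length, at least three character classes, and outside the dictionary."""
    if len(password) < min_len:
        return False
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        return False
    return not looks_dictionary_based(password, wordlist)


def generate_router_password(length=20):
    """Random admin password from the OS CSPRNG, re-drawn until it passes."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@^_"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong_router_password(candidate):
            return candidate
```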