Menu
What's new
By:
Filters Better Search

News A wide range of routers are under attack by new, unusually sophisticated malware

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

All indications are that the current implementation is targeting MIPS little endian devices...

Not to say that can't/won't change...
 
sfx2000 said:
All indications are that the current implementation is targeting MIPS little endian devices...

Not to say that can't/won't change...
Click to expand...
Yes thankfully it sound like they are using old/known exploits and nothing new…for now.
 
Oracle said:
How can users tell if they have a (vulnerable) MIPS router?
Click to expand...
The conclusions that the authors have come to is based on very thin information. They admit this themselves. They only analysed a sample infection from one model of an obscure Chinese router. That router happened to have a MIPS processor. Some of their following statements were assumptions based on observed connections to certain servers. They also contradict themselves by saying that they think they observed infected RT-AC68U routers (based on connections from less than 23 devices), which do not have MIPS processors.

blog.lumen.com

ZuoRAT Hijacks SOHO Routers to Silently Stalk Networks - Lumen

Executive Summary The rapid shift to remote work in spring of 2020 presented a fresh opportunity for threat actors to subvert traditional defense-in-depth protections by targeting the weakest points of the new network perimeter -- devices which are routinely purchased by consumers but rarely...
blog.lumen.com blog.lumen.com

I think the only real way to know if your router is infected is to look at the running processes for anything that shouldn't be there. Given that the Chinese router they analysed was compromised via an old vulnerability it seems less likely that routers with up to date firmware would be susceptible.
 
Monitoring all processes on the router in order to distinguish what should and shouldn't be there is practically impossible for me. Is there any diagnostic script that we could build for this? Like make a list of known "good" processes and compare against it?
 

ASUS Product Security Advisory | ASUS Global

www.asus.com www.asus.com

06/30/2022 Security advisory for ZuoRAT
ZuoRAT is a MIPS file however RT-AC5300, RT-AC68U, RT-AC68P, RT-AC1900P, RT-AC1900 are ARM–based routers. MIPS program cannot run on ARM–based processor.
ASUS strongly recommends that users update the firmware to the latest version which included more security measures to block malware.
To check the latest version, please visit the relevant ASUS support website. Download links are in the below table.
Model nameFirmware download path
RT-AC5300https://www.asus.com/supportonly/RT-AC5300/HelpDesk_BIOS/
RT-AC68Uhttps://www.asus.com/supportonly/RT-AC68U/HelpDesk_BIOS/
RT-AC68Phttps://www.asus.com/supportonly/RT-AC68P/HelpDesk_BIOS/
RT-AC1900Phttps://www.asus.com/supportonly/RT-AC1900P/HelpDesk_BIOS/
RT-AC1900https://www.asus.com/supportonly/RT-AC1900/HelpDesk_BIOS/
To help owners of these routers take necessary precautions, we compiled a security checklist:
(1) Reset the device to factory default: Login into the web GUI (http://router.asus.com) , go to Administration → Restore/Save/Upload Setting, click the “Initialize all the setting and clear all the data log”, and then click Restore button
(2) Update all devices to the latest firmware.
(3) Ensure default admin password had been changed to a more secure one.
(4) Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).
 
I feel safe with my Cisco RV340 router as I am sure Cisco is on top of this. We just had a firmware update.
 
coxhaus said:
I feel safe with my Cisco RV340 router as I am sure Cisco is on top of this.
Click to expand...
Not much for them to be on top of, since that specific router uses an ARM CPU.
 
I always say Do not trust your router. There is no way to prevent from it. Unknown vulnerabilities are still shared and traded in Black market. They give you dedicated hacking tools if you pay for the money. Updating firmware? It doesn't help you at all. Aiprotection is useless too.
 
follower said:
Updating firmware? It doesn't help you at all.
Click to expand...
That it incorrect, and people should definitely keep their firmware up to date. Security issues are constantly fixed by firmware upgrades. There is a huge difference between having a router with 10 security holes that are 5+ years old and therefore exploited by every single script kiddy in the wild, and a router that only is affected by one or two recent 0-days exploits that are only used by more "professional" or state-backed hackers with the means to gain access to such zero days exploits, and will typically reserve them for specific targets that are worth risking compromising their precious exploits.

It's like saying people should just stick to Windows XP because "Windows 11 still has security issues anyway, so upgrading does not help at all".
 
I've decided to watch this thread for any updates on the situation. However, it seems for now newer routers with up to date firmware that Aren't MIPS aren't at risk, or high risk.
I got wind of this Trojan through the "Security Now" podcast with Steve Gibson.
 
What's the best way to protect against this?

Is this totally MIPS only and does not infect windows? Im running pfSense and I am 100% ive been hit with something sophisticated!

I think its at ISP level
 
deanfourie said:
What's the best way to protect against this?

Is this totally MIPS only and does not infect windows? Im running pfSense and I am 100% ive been hit with something sophisticated!

I think its at ISP level
Click to expand...
It seems unlikely that it would effect pfSense. But you could ask in the pfSense forums. Running a normal anti-virus scan on your Windows PC should identify if it is infected.
 
As a sidenote, I read somewhere here on the forum that most router malware gets stored and runs in memory. A simple router-reboot removes the malware completely.

So, enable and set your weekly reboot-schedule fellas :) It can’t hurt.
 
You must log in or register to reply here.

Similar threads

PR3MIUM
Exploiting Sequence Number Leakage: TCP Hijacking in NAT-Enabled Wi-Fi Networks
Replies
15
Views
1K
sfx2000
sfx2000
PR3MIUM
SnailLoad TCP/IP Attack
Replies
0
Views
432
PR3MIUM
PR3MIUM
R
RT-AX86U Pro LAN Port on Guest Network
Replies
9
Views
867
Jherb
J
F
  • Locked
ChatGPT. You are under attack.
2
Replies
23
Views
3K
thiggins
thiggins
R
WiFi 6 router optimization guide
2
Replies
22
Views
1K
Rob Q
R
Similar threads
Thread starter Title Forum Replies Date
T 6000 Asus routers in 72 hours!!! General Network Security 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 746 (members: 18, guests: 728)
Top