Can router firmware be infected with malware?

jabloomf1230

Occasional Visitor
The reason that I am asking is that something strange just happened to me. I am running an Asus RT-N66U and have been since the model was first available. Today I visited a website and I got a message from the server's firewall software (dotDefender) that I attempted to do something that was blocked because of possible malware. I ran a full virus and malware scan on my PC and all that software is automatically kept up to date. There was no malware found.

I tried using my iPhone via my home network to access the website, and I got the same message from dotDefender. I doubt that my iPhone has identical malware on it to what my PC desktop could have. Using the iPhone via 3G gave no such error.

So, thinking it was a problem with the company's website, I contacted them. We concluded that there was probably some conflict between their firewall and something that my ISP (Roadrunner) was doing.

But then I thought about the fact that router firmware is open source and I began wondering if anyone has considered whether it is possible to infect a router with malware (not that this is what happened to me)?
 
Hi,

Not really possible, since the firmware is read-only. Therefore malware wouldn't be able to modify it or write additional files to it.

This being said, in theory, it _might_ be possible for a worm to use a security hole in the router to store itself in the /tmp directory and run itself from there. This would, however, be wiped out the minute the router gets rebooted.

So overall, I'd say the likelihood of this happening is very slim.

If you were visiting the same website, I'd say it's more likely that the website in question was the one harboring malware. It's not unknown for malware to infect various websites, which in turn would attempt to infect your computer whenever you visit that website. Myself, I remember a major hardware manufacturer's website trying to serve malware when I was visiting it. It took a day or two for the company's webadmin to notice it and clean it from their server.

There is also the chance of a false positive. Something on that website could have triggered your security software.

Most likely your security software should provide much more detail in its log as to what was actually triggered.
 
Thanks. That's what I figured, but I did Google the topic and it has happened, mostly as you described. It seems like the main defense is to disable remote management.

BTW, it wasn't my security software that triggered the error message. It was the website's server firewall dotDefender that generated the malware message.
 
Remove the router, connect your PC to your LoadRunner modem directly...
 
Actually, it's funny that you posted this. I ended up having to do what you said, because I have a dynamic IP address. As it turns out, when my IP address last changed about a week ago, the new IP address was on a blacklist for IP addresses that spam. The only way to fix it (short of contacting all the blacklisting websites) was to connect the PC directly to the cable modem and use IPConfig to force the RR DHCP server to give me a new IP address.
 
There was at least a proof-of-concept malware using a specific version of the router from the UK major telephone provider/ISP BT. Their router at the time allowed a full configuration to be possible using UPnP, even permitting outgoing redirects and possible rogue DNS servers to be set. Not sure what UPnP Asuswrt uses - but a big plus for miniupnpd is that it only implements a clear subset of the full UPnP spec and allows fine control over what is used. Asuswrt has both miniupnp and libupnp in the source tree, the latter including pre-built objects? Maybe one is used for the media server UPnP app and not the port forwarding helper?
 
Asuswrt uses miniupnp. libupnp only gets compiled on the Ralink platform, and I suspect they only use some of its includes or something like that since they don't actually copy any of the files to the firmware tree.

Note that the example you mention isn't about a router being infected by malware; it's a computer that gets infected and then proceeds to reconfigure the router through a security hole. The firmware code remains untouched.
 
Just suggesting, guys: are you sure this is a router issue and not a website issue?

Thanks to the Java scare and a few Joomla vulnerabilities,
tons of sites were redirecting to adware sites (not to mention random ads like the poker888 ones that are instantly flagged as Trojans or similar).
 
milw0rm on DD-WRT

Hi--and RMerlin, thanks for all your awesome work!

DD-WRT was compromised by an exploit a few years ago:

http://www.dd-wrt.com/site/content/dd-wrt-httpd-vulnerability-milw0rmcom-report

Here's a pretty nasty router hack reported this week:

http://www.h-online.com/security/news/item/4-5-million-routers-hacked-1722430.html

I am sure the WPS issue has been discussed at length.

RMerlin said:

Not really possible, since the firmware is read-only. Therefore a malware wouldn't be able to modify it or write additional files to it.


This, and RMerlin's code being open source/available for review (by those with the requisite knowledge) make it more secure. (Perfect? No...I think NASA's code approaches perfection, but, at a huge cost....)

I am not sure if RMerlin's code includes binary blobs--they are pretty common from what I understand--if so, that is a potential source of security issues. (Potential....please note I said potential!)

Yesterday, 60 Minutes did report on internet security, and Chinese firms making basic network backbone gear--and possibly having Trojans embedded in the firmware--

http://www.cbsnews.com/8301-18560_1...y-espionage-risk/?tag=contentMain;contentBody

Regardless, for end users, common things are common, and going after browser holes or exploiting the real weak link in all this--the end user--free iPads anyone?--is going to be easier than trying to hack pretty solid and battle tested router firmware.

Again, thanks RMerlin!
 
Just to make sure that everyone is actually discussing the same thing: the original question was specifically on whether a router firmware can be infected with malware. For this, the answer is "no", since the firmware is read-only.

Now as for exploits taking advantage of security holes within a firmware, this is definitely possible. There have been a few issues like that in the past. The DD-WRT case here was such a security hole.

There are quite a few binary blobs. I am probably forgetting some, but a partial list of these are:

  • the wireless driver
  • Asuswebstorage
  • two lighttpd modules used by AiCloud
  • the "wl" wireless control utility
  • the ctf kernel module used when Hardware acceleration is enabled
  • the wps_monitor executable

Everything else is compiled from sources. In the case of my particular firmware, I have also updated OpenSSL to the latest 1.0.0 release to close any security hole still unpatched in the version Asus uses.

For people worried about security, I could give the following tips:

  • Only forward ports you absolutely need to. For example: for bittorrent.
  • For any kind of remote access, setup a VPN rather than forwarding the Remote Desktop or VNC ports.
  • PPTP VPN has been recently found to be easily compromised. If running a firmware that supports it, I recommend switching to OpenVPN, which is far more secure.
  • SSH can be fairly secure, especially if you use keys and disable password-based logins. But be aware of the possibility of a brute force attack - make sure that password is secure enough to make it impractical to brute-force your way through it.
  • Never use telnet outside of your local network (and assuming you are 100% sure that nobody has infiltrated your network). If SSH is available as an alternative, disable telnet and switch to SSH. It will make sure the password is sent encrypted - telnet is in clear text.
  • Do not forget to change your router's password! You'd be surprised how many users don't do this. Fortunately, Asus are wisely asking you to do so when you use their QIS wizard. And setting it back to "admin" is a really bad idea...
  • Secure that wifi. WEP is about as good as shouting out loud your bank PIN...
  • The usual PC-related security recommendations still hold: keep your OS up-to-date, use an alternative browser rather than IE if possible, and don't trust anything that claims to give you for free something that usually isn't. :) If your mom never told you about a rich uncle in Nigeria, then he probably doesn't exist.
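The checklist above, turned into a small audit script (an added example, not code from the thread or from Asuswrt): it scores a constructed settings dict against each tip, with the field names assumed for illustration rather than taken from any real router export format.

```python
"""Audit a home router's settings against the hardening tips in the post above.

Added example, not code from the thread or from Asuswrt: the settings dict is a
constructed stand-in for an exported configuration; its field names are assumptions.
"""

# Services the post says should never be port-forwarded from the WAN.
RISKY_FORWARDS = {3389: "Remote Desktop", 5900: "VNC", 23: "telnet"}
DEFAULT_PASSWORDS = {"", "admin", "password"}


def audit(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if cfg.get("admin_password", "") in DEFAULT_PASSWORDS:
        findings.append("admin password is empty or still a default")
    if cfg.get("remote_management"):
        findings.append("web UI remote management is reachable from the WAN")
    if cfg.get("telnet_wan"):
        findings.append("telnet is reachable from the WAN (credentials sent in clear text)")
    ssh = cfg.get("ssh", {})
    if ssh.get("enabled") and ssh.get("password_auth", True):
        findings.append("SSH accepts passwords; use keys and disable password logins")
    if cfg.get("vpn_type", "").lower() == "pptp":
        findings.append("PPTP VPN in use; switch to OpenVPN")
    if cfg.get("wifi_security", "").lower() in {"open", "none", "wep"}:
        findings.append("wifi is open or WEP")
    for port in cfg.get("port_forwards", []):
        if port in RISKY_FORWARDS:
            findings.append(f"{RISKY_FORWARDS[port]} forwarded on port {port}; use a VPN instead")
    return findings


# Constructed sample: close to factory settings plus a few risky tweaks.
WEAK_CONFIG = {
    "admin_password": "admin", "remote_management": True, "telnet_wan": True,
    "ssh": {"enabled": True, "password_auth": True}, "vpn_type": "pptp",
    "wifi_security": "WEP", "port_forwards": [3389, 51413],  # RDP plus a bittorrent port
}

# Constructed sample: the same router after applying the tips.
HARDENED_CONFIG = {
    "admin_password": "correct horse battery staple", "remote_management": False,
    "telnet_wan": False, "ssh": {"enabled": True, "password_auth": False},
    "vpn_type": "openvpn", "wifi_security": "WPA2", "port_forwards": [51413],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```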
 
