Menu
What's new
By:
Filters Better Search

How to remove all malware?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

J

Jerry12

Regular Contributor
As far as we know, the VPNFilter malware doesn't currently put ASUS routers at risk, but the FBI believes it was created by a Russian state-sponsored cyber espionage group, so we can assume attackers are gunning for all SOHO routers.


Q1. How could you remove all malware from a router? I.e. how to fully reset RAM and persistent storage?

Stage 1 adds a worm to the crontab, which survives a reboot. So at a minimum one needs to reset the crontab. A better bet is to reset all code and state in RAM and flash memory. (Is NVRAM a part of flash memory?)

According to ASUS FAQ 1035717 of 2018/05/28, recent firmware has these two options:
  • Restore: Erases the Log / NVRAM
  • Initialize: Erases the Log / NVRAM / Database
Neither of these resets the firmware, so they aren't true "factory reset" operations.

By "Database" does ASUS mean the DHCP configuration and leases?

So would it suffice to Initialize, then re-flash the latest firmware, then reboot?

Can you trust the router's firmware-upgrade procedure to not reinfect the uploaded firmware?


Q2. How can you detect malware in the router?

Checksum the firmware?


Q3. If the attackers exploit unpatched vulnerabilities, what can you do to prevent reinfection?

If standard practices like setting a strong administration password and disabling remote administration aren't sufficient, is there anything you can do other than buy a different model router?
 
The answer to most of your questions is "we don't know". So far I've not seen a single reported case of the malware infecting Asus routers. Until that happens and we get a chance to see it in action it's impossible to know how it works (and whether it's effective or not) and therefore how to detect or block it.

There is plenty of other malware that is known to effect Asus routers and I'm sure there will be more in the future. So as always, try to keep up to date with the latest firmware and don't expose any unnecessary router ports to the internet.

Q1 I believe Initialise also includes the Traffic Analyser history database. So either option should wipe out any malware, including cron entries.
 
Last edited:
Jerry12 said:
Neither of these resets the firmware, so they aren't true "factory reset" operations.
Click to expand...

The only thing Initialize won't remove is the rest of the JFFS partition - it only removes the portion containing Asus's database used by Traffic Analyzer, the Notification Center, etc...

Doing an "rm -rf /jffs/*" over SSH will wipe the whole JFFS partition.

Jerry12 said:
Stage 1 adds a worm to the crontab, which survives a reboot. So at a minimum one needs to reset the crontab. A better bet is to reset all code and state in RAM and flash memory. (Is NVRAM a part of flash memory?)
Click to expand...

Asuswrt does not have any persistent crontab file, therefore there's nothing to reset there.

NVRAM is wiped whenever you do a factory default reset, regardless of the method used (webui initialize/restore, reset button at runtime, wps button at boot time, etc...)
 
Per Ars Technica, Talos found that VPNFilter targets some ASUSWRT devices, and a newly discovered module can inject malicious payloads into traffic as it passes through an infected router. (But yes, the issue is defending against and cleaning any malware.)

> Williams [from Cisco Talos] said he has seen no evidence VPNFilter has infected devices running Tomato, Merlin WRT, and DD-WRT firmware, but that he can't rule out that possibility.

Does Asuswrt-Merlin close additional security holes or change things in a way that would require additional work for attackers?
 
You must log in or register to reply here.

Similar threads

O
Migrating/Upgrade From AX86U to AX86U Pro, Maintaining Settings Assumptions
2
Replies
20
Views
794
Squall Leonhart
Squall Leonhart
Meshkoff
Firmware update - How to keep everything in order?
Replies
12
Views
3K
underdose
underdose
K
Consolidated Reset/Restore/Upgrade Thread
Replies
1
Views
1K
Frankflash
F
kamoj
Kamoj Kamoj add-on V5 for Netgear R7800 X4S and R9000 X10
14 15 16
Replies
317
Views
95K
datitzer
D
Sas
after upgrade to 384.5beta2, can't downgrade or change firmware
Replies
15
Views
14K
rgentozala
R

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 633 (members: 33, guests: 600)
Top