Is considering creating an anti-malware program for Asuswrt-Merlin firmware

[Yota]

Asuswrt and Merlin usually have more frequent security updates than any soho routers on the market, but I have found that many forum members have reported malware in the past few years. some are in the form of scripts and some are binary files. because of the persistent jffs , malware and viruses are easier to survive after restarting. but I also doubt the necessity of this project, because these malwares are not widespread on properly configured routers.

I have some ideas about this anti-malware program:

• To build a trust chain and database, calculate the hash of all executable files in the firmware and match it with the known hash on the database to ensure that the firmware comes from stocks, Merlin and any trusted forks.
• Try to build the same trust chain for any executable files and scripts in the writable partition, and warn about unknown executable files.
• Maybe even a scan of the CFE? But there is no idea about this, because it involves decrypting CFE, and because CFE is different on each device, it is obvious that hash matching cannot be used.
• Download the hash database of known malware and safe files for scanning.
• Ask the user to submit the hash and file copy of the unknown executable file to the server for further analysis and understanding of trends.
• Monitor all ports opened on the WAN.
• Monitor abnormal traffic, It may be necessary to create a 7-day or 30-day network behavior data model locally on the router to ensure that the user is notified when the behavior exceeds the expected behavior
• Scan for any hooks in the nvram.
• Support sending alerts via email.
• Open source, free, use shell to achieve (because I don't know much about other computer languages, I don't think I have the ability to use C to complete it ), and figure out how to prevent shell scripts from being maliciously tampered with.
• Cooperate with any interested and capable developers ❤
• Because this requires building a huge database to ensure that any new version of the firmware will not be marked as "unknown", this requires a long-term support. This makes me feel a headache. and involves interaction with the server, such long-term investment may not be very realistic for this small-scale free software, but maybe there are any interactive hosting services similar to Github?
• Privacy, privacy, privacy, I am very concerned about privacy, and I hope that most of the anti-malware functions can be completed without uploading. Only when encountering a potential threat, ask the user for the hash or even the copy of the threat to minimize data collection.
• Cross-platform support? when the database is complete, may consider supporting other platforms, such as OpenWRT, Tomato, and other third-party firmware. Of course, this will be new world and may require many, many years of hard work.

Listen, this is just an idea, and it doesn't mean I might do it, no promise here. I just want to discuss this idea with the community.


Merry Christmas to everyone!

 

[Yota]

It may be a bit crazy, because I don't think anyone really tries to develop anti-malware software for routers, I just like to come up with some weird ideas at Christmas.

 

[itpp20]

The idea is good, the problem is we're trying to do everything on one device which is bad when one component fails or gets vulnerable your usually toast.

 

[L&LD]

I like crazy with a worthy goal.

I'll be following this with interest!

Merry Christmas to one and all on this great forum! May 2022 bring us a better year!

 

[Tech9]

I have some ideas

All this done locally on device means full packet processing with no NAT acceleration tricks - no more Gigabit capable router.

 

[CriticJay]

Is this a Solution looking for a problem to solve... or an actual problem in need of a solution?

 

[Yota]

The idea is good, the problem is we're trying to do everything on one device which is bad when one component fails or gets vulnerable your usually toast.

Thank you and Yes, this is a cat and mouse game with malware developers, so long-term support and frequent updates are required, that's why I hope this project can be open source and powered by the community.

And as the project evolves from shell to C, and even includes it in firmware and runs with kernel permissions in the future, we will have better countermeasures against malware, there is no 100% secure, however, we can make users more secure.

As the CPU frequency of routers continues to increase, the main threat of malware in the future will shift from computers and phones to embedded devices, IoT devices and network devices that lack security protection.
(As a digression, I found a PC that I bought in 2003 in the warehouse a few days ago. Out of curiosity, I powered it on and it boot smoothly. I ran some tests and was surprised to find that its AES-NI speed is not even as fast as RT-AC86U)

So I can predict that maybe in the next 3 or 5 years, a complete anti-malware company will be born to provide protection for these devices, but why don't we implement it in open source now?

We have everything we need, including decades of experience fighting malware on PCs. As advanced users, we know our firmware and equipment better than some anti-malware companies that have never heard of asuswrt. we have a very professional and prosperous community, and it is full of experts who are willing to help others. I believe we can do it.

I like crazy with a worthy goal.

I'll be following this with interest!

Merry Christmas to one and all on this great forum! May 2022 bring us a better year!

Thank you and welcome to provide more suggestions and join this project.

All this done locally on device means full packet processing with no NAT acceleration tricks - no more Gigabit capable router.

Thank you, I think this may not be a problem for most users, and there should be no need for deep packet analysis in the short term, because doing so requires more database samples.

Scanning for files and statistics traffic alone may be sufficient to deal with current threats. As threats increase, deep packet scanning and other advanced network analysis can be considered in the future.

Of course, router CPUs are fast enough nowadays, and I doubt that someone will use their 1Gbps bandwidth completely? Unless the 7/24 download torrents, I can't think of other needs. Even a 50% speed reduction is enough to support 4K streaming and most home Internet use. And the CPU of the router will be more powerful in the future.

Is this a Solution looking for a problem to solve... or an actual problem in need of a solution?

This is an idea, and a mobilization, and I am considering implementing it with any interested developers.




Merry Christmas, guys.

 

[Tech9]

we can make users more secure

Asuswrt already has built-in integrity check and lightweight TM engine does the rest. It has to be optimized to home router resources. Even faster home routers today are similar to Raspberry Pi hardware with limited amount of RAM. None can do full packet processing like x86 firewalls and NAT acceleration is a Broadcom mystery box. I believe, what was made available already is more than enough to keep the home users secure.

 

[Yota]

Asuswrt already has built-in integrity check and lightweight TM engine does the rest. It has to be optimized to home router resources. Even faster home routers today are similar to Raspberry Pi hardware with limited amount of RAM. None can do full packet processing like x86 firewalls and NAT acceleration is a Broadcom mystery box. I believe, what was made available already is more than enough to keep the home users secure.

I think anyone who can make their own scripts on this forum knows how to circumvent these restrictions in the firmware. The TM engine is just trying to protect LAN devices from accessing malicious websites, and this is not what I want to do, because both TM and Skynet are doing very well, and I don't want to be their substitutes. However, there are some protections for routers in TM, such as turning off services that have been turned on, but any experienced developer can easily bypass these protections. I think I am more focused on scanning local malware rather than as a firewall, so that I can temporarily avoid Broadcom’s "magic" box.

 

[Tech9]

Malware modifying firmware is a rare case with not careful users leaving default login credentials and open access from WAN. A bit of education is what’s needed. Asuswrt already has good pointers what is not recommended, it enforces user/password change at setup screen, as well as secure Wi-Fi with password strength assessment. As @CriticJay says above, it looks like a solution looking for a problem.

 

[Yota]

Malware modifying firmware is a rare case with not careful users leaving default login credentials and open access from WAN. A bit of education is what’s needed. Asuswrt already has good pointers what is not recommended, it enforces user/password change at setup screen, as well as secure Wi-Fi with password strength assessment. As @CriticJay says above, it looks like a solution looking for a problem.

Agree, but more consumers just see some reviews choosing to buy "powerful" asus routers, and then set them up once and for all. Some people may never consider upgrading (thanks to the automatic upgrade and the built-in protection functions in the firmware), and some people have never even used functions other than wifi . I don't think there is any documentation that can give them enough education. unfortunately these people are in the majority. I can guarantee that they have not even heard of the SNB forum, even if they are using their powerful Asus router. So if this anti-malware is good enough and even becomes their recommended configuration for the first setup, I think it can provide them with more protection.

As for what I am looking for, I am verifying the feasibility of this project, looking for developers to work with and try to discuss any problem may encounter, so I appreciate any suggestions. this project may only be a concept, or become the first real anti-malware for routers, who knows.

Edit:
Ten years ago, most router malware could be easily removed by rebooting, because most of them were only infected through unfixed vulnerabilities in the device and only existed in ram. now, the threat of malware is more serious. With the existence of persistent partitions and USB extensions, restarting can no longer kill these malware, but we still have a reset as a solution.

As for whether it can be proved that malware has modified the asuswrt firmware, I don’t know, but it’s worth noting that because we don’t have any anti-malware analysis on the router, we will never know how many users have been threatened. but we do occasionally see threads in the SNB forums where users report that routers may have been hacked.

However many consumers may never care about their router being infected, they will only complain about the router when there is no wifi.

Edit: Fix typos

 

[Tech9]

they will only complain about the router when there is no wifi.

Correct. Most users don't know what firmware is. Most networks around me are called BELLxxx and Rogersxxxx - ISP routers set by ISP technicians. If YouTube/Netflix and Facebook/Instagram work - all good. People who constantly tinker with networking equipment are perhaps in single %.

 

[itpp20]

The point is, detection, no matter what kind, has become pointless a long time ago. The future has been and still is isolation/sandboxing. You should not care anymore what you click on or what gets run if that specific environment is isolated, a single killswitch when in doubt or when done will clean anything, good or bad.

Of course you should practice safety when dealing with credentials but that should be the only concern.

The problem that remains with isolation is user friendliness, when I download something I have to go thru 3 steps before I can access it, people don't want this, they want Word to start with one click and when this behavior does not change you will keep having direct risk. The integration we have and are used to, is the last remaining risk and also the reason why a compromise can easily travel.

Bad design doesn't help, for example you can isolate Office but when a single component (OfficeClickToRun) runs as system (or root) your toast anyway with a single zero day, it took me a year to get that POS to run in an isolated session with the rest of the Office package. Which idiot designed that?

As long as developers don't think zero trust, we're going to be stuck with technology that acts after the fact instead of preventing the fact to be able to do anything.

 

[Yota]

Correct. Most users don't know what firmware is. Most networks around me are called BELLxxx and Rogersxxxx - ISP routers set by ISP technicians. If YouTube/Netflix and Facebook/Instagram work - all good. People who constantly tinker with networking equipment are perhaps in single %.

Yes, this is exactly what I am worried about. If I create this anti-malware program, it will probably only be used by single %, and these users are obviously capable of learning how to protect themselves.

The only way is to cooperate with the supplier to build the program into the router. But as you said, asuswrt already has many similar functions, and I even know that asuswrt will remove some known malware.

The point is, detection, no matter what kind, has become pointless a long time ago. The future has been and still is isolation/sandboxing. You should not care anymore what you click on or what gets run if that specific environment is isolated, a single killswitch when in doubt or when done will clean anything, good or bad.

Of course you should practice safety when dealing with credentials but that should be the only concern.

The problem that remains with isolation is user friendliness, when I download something I have to go thru 3 steps before I can access it, people don't want this, they want Word to start with one click and when this behavior does not change you will keep having direct risk. The integration we have and are used to, is the last remaining risk and also the reason why a compromise can easily travel.

Bad design doesn't help, for example you can isolate Office but when a single component (OfficeClickToRun) runs as system (or root) your toast anyway with a single zero day, it took me a year to get that POS to run in an isolated session with the rest of the Office package. Which idiot designed that?

As long as developers don't think zero trust, we're going to be stuck with technology that acts after the fact instead of preventing the fact to be able to do anything.

As I know, all user scripts running under asuswrt, even third-party program packages, are run with root privileges, so there is no sandbox and any isolation there. the only thing that can achieve a certain isolation is that the firmware cannot be easily flash. I think that's why many users can write custom scripts for themselves, they don't have to be developers, they only need to ask a few questions in this forum and copy a few lines of code to achieve their needs. Considering that no user wants to see their script interact with the system through a complex api, I think the sandbox for user scripts will not happen.

Of course I am only talking about routers and not other devices, because protecting other devices is not the job of routers, this anti-malware is designed to protect the router itself. I am more concerned that under the current firmware, almost all scripts and third-party application packages are run as root. this means that it is full of countless potential vulnerabilities. It also means that a malware can easily remove anti-malware program.

Now most router malware does not care about stealing credit cards or passwords sent by users through PCs or phones, but becomes part of a botnet or used for mining. so, the threat of infected routers to LAN devices is not very serious, such threats usually only apply to specific targets.

About the other parts, I can't agree with you more.

 

[Tech9]

The only way is to cooperate with the supplier to build the program into the router.

You have to be big as Trend Micro. They have the engine running on some Asus (AiProtection) and TP-Link (HomeCare) routers only.

 

[Yota]

You have to be big as Trend Micro. They have the engine running on some Asus (AiProtection) and TP-Link (HomeCare) routers only.

Maybe I should write a few lines of code first to verify whether this idea is feasible, try it.

the problem is how to achieve the interaction with the server? I don't plan to maintain such a server by myself, because I have no confidence in security and it is easy to provoke DDoS from some hackers. Github can be used as a code hosting and database download, but how to get hash and suspicious files reported by users? Is there any public hosting service like GitHub that can support this? so that I can focus on the router instead of maintaining a server myself.

 

[Tech9]

Maybe I should write a few lines of code first to verify whether this idea is feasible, try it.

Maybe you should prepare bottles of fine wine and focus on holidays?

 

[JGrana]

I have “experimented” with Suricata on Asuswrt-merlin. Looked at Snort as well. In both cases the limited ram available with the router (AX88U) made it difficult to keep running.
With that said, you might want to look at Suricate and/or Snort3 as a starting point.

 

[Tech9]

I don't find IDS/IPS very effective in today's encrypted communications world, unless a proxy is used, but it comes with own challenges and also requires better hardware. I still run Suricata on my firewall, but with stripped down rules. I know it can't see perhaps half of my WAN traffic. In regards of DNS-blocking I filter Tor, Torrents, Malware, etc. usual suspects. For IP-blocking I run firehol_level1 only, never had issues with it. I believe about the same functionality can be replicated to Asuswrt-Merlin compatible router using the available tools.

 

[treefu]

I have previously looked into cross compiling zeek IDS (previously aka bro-ids) for Asuswrt-merlin. It's not an insignificant task but would meet a lot of the functional requirements you mention, in particular:

• To build a trust chain and database, calculate the hash of all executable files in the firmware and match it with the known hash on the database to ensure that the firmware comes from stocks, Merlin and any trusted forks.
• Try to build the same trust chain for any executable files and scripts in the writable partition, and warn about unknown executable fi
• Maybe even a scan of the CFE? But there is no idea about this, because it involves decrypting CFE, and because CFE is different on each device, it is obvious that hash matching cannot be used.
• Download the hash database of known malware and safe files for scanning.
• Ask the user to submit the hash and file copy of the unknown executable file to the server for further analysis and understanding of trends.

Zeek-ids has a scripting language to enable much of this.

• Monitor abnormal traffic, It may be necessary to create a 7-day or 30-day network behavior data model locally on the router to ensure that the user is notified when the behavior exceeds the expected behavior

This is something zeek-ids is designed specifically to enable. It works too - I've seen it enabling analysis in Splunk (or similar) when receiving from a network tap or switch monitoring port.

• Support sending alerts via email.
• Open source, free, use shell to achieve (because I don't know much about other computer languages, I don't think I have the ability to use C to complete it ), and figure out how to prevent shell scripts from being maliciously tampered with.
• Cooperate with any interested and capable developers ❤
• Because this requires building a huge database to ensure that any new version of the firmware will not be marked as "unknown", this requires a long-term support. This makes me feel a headache. and involves interaction with the server, such long-term investment may not be very realistic for this small-scale free software, but maybe there are any interactive hosting services similar to Github?
• Privacy, privacy, privacy, I am very concerned about privacy, and I hope that most of the anti-malware functions can be completed without uploading. Only when encountering a potential threat, ask the user for the hash or even the copy of the threat to minimize data collection.
• Cross-platform support? when the database is complete, may consider supporting other platforms, such as OpenWRT, Tomato, and other third-party firmware. Of course, this will be new world and may require many, many years of hard work.

Zeek-ids (and the support community it has) comes with all of that. I'm really interested in this, but my knowledge of software deployment to Asuswrt-Merlin is limited (and I know you cannot emulate the environment for development purposes - and stay within the law!)

Anyway, I've got snort running fine on a router with 1GB of memory (aided by a 2GB USB swap file!) with the following configuration:

# Configure PCRE match limitations
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500

# Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
config detection: search-method ac-bnfa-q search-optimize max-pattern-len 20

# Configure the event queue.  For more information, see README.event_queue
config event_queue: max_queue 15 log 15 order_events content_length

The 2GB swap file is absolutely necessary - when snort runs out of memory it either segfaults or fails silently with a memory exception.

Zeek-ids appears to use memory very differently (it's not designed to be an IPS, which snort could do if you really wanted it to) and zeek-ids might not even suit a router's memory profile.