Malware damaging ASUS routers?

[Tech9]

This malware damaging Asus routers has to be described in a sticky thread with a warning sign!

Update: Asus is releasing patched firmware for multiple models. Check for firmware updates!

The changelog for most firmware releases contains the following:

1. Strengthened input validation and data processing workflows to further protect information security.
2. Enhanced AiCloud password protection mechanisms, safeguarding against unauthorized access attempts.
3. Enhanced device security through improved buffer handling in connection features.
4. Refined data handling processes, ensuring secure and accurate information management.
5. Enhanced file access control mechanisms, promoting a more secure operating environment.
6. Strengthened certificate protection, providing enhanced data security.

Related threads on SNB Forums:

Solved - RT-AX86U dead WiFi asking for country code?

Hey everyone So a friend of mine bought an used RT-AX86U and asked me to take a look at it because the wifi led are not lighting up and the SSIDs wont show up. Installing merlinWRT didn't fix it either. Looking at the wifi settings opens a popup asking for a country code and the channels are...

www.snbforums.com

RT-AX88U maxing out a core and regularly showing 60+ MB/s upload

I had Diversion and Skynet running but have since disabled them, suspecting that may be the culprit. Essentially, I can't see any device connected to my network that is sending large amounts of data, but when I look at the traffic monitor (Analyzer) it shows this: I only have ~30Mbps of...

www.snbforums.com

Suspicious Outgoing traffic on RT-AC86U

Hello everyone, I am new here and looking for some help with my RT-AC86U. Over the last few days I started experiencing frequent internet connectivity interruptions: video audio streams interrupted, unable to refresh web page. I setup continuous ping -t google.com and this quickly revealed...

www.snbforums.com

Login denied - factory reset - Wifi radios now wont work - RT-AC86U

RT-AC86U TLDR: randomly became locked out of the Asus UI page after rebooting my ISP router- router worked as it should then did factory reset to gain control - wifi radios now don't work I was having issues with my Optimum Fiber, kept having the internet drop, lasting only a few seconds at...

www.snbforums.com

Solved - RT-AX86U - Stuck on old firmware (solved!), WiFi not working (solved!)

Hey y'all, I'm new to this forum and like many, I come here with a problem I cannot solve myself. Up until this morning, my RT-AX86U has been happily trucking along without issue for the past 3.5 years without any problems whatsoever. This morning, however, I woke up to: - No wifi network...

www.snbforums.com

Asus RT-AX86U no wifi. LEDs off.

Asus RT-AX86U no wifi. LEDs off. My router login stopped working using phone app. Only way to get logged back in was to push the tiny reset button on router. I did that, got through setup, connected to internet via Ethernet. But the wifi isn't available. LEDs for both 2.4 GHz and 5Ghz are off...

www.snbforums.com

 

[giosita]

This malware issue killing Asus routers has to be described in a sticky thread with a warning sign!

Solved - RT-AX86U dead WiFi asking for country code?

Hey everyone So a friend of mine bought an used RT-AX86U and asked me to take a look at it because the wifi led are not lighting up and the SSIDs wont show up. Installing merlinWRT didn't fix it either. Looking at the wifi settings opens a popup asking for a country code and the channels are...

www.snbforums.com

RT-AX88U maxing out a core and regularly showing 60+ MB/s upload

I had Diversion and Skynet running but have since disabled them, suspecting that may be the culprit. Essentially, I can't see any device connected to my network that is sending large amounts of data, but when I look at the traffic monitor (Analyzer) it shows this: I only have ~30Mbps of...

www.snbforums.com

Suspicious Outgoing traffic on RT-AC86U

Hello everyone, I am new here and looking for some help with my RT-AC86U. Over the last few days I started experiencing frequent internet connectivity interruptions: video audio streams interrupted, unable to refresh web page. I setup continuous ping -t google.com and this quickly revealed...

www.snbforums.com

Login denied - factory reset - Wifi radios now wont work - RT-AC86U

RT-AC86U TLDR: randomly became locked out of the Asus UI page after rebooting my ISP router- router worked as it should then did factory reset to gain control - wifi radios now don't work I was having issues with my Optimum Fiber, kept having the internet drop, lasting only a few seconds at...

www.snbforums.com

Solved - RT-AX86U - Stuck on old firmware (solved!), WiFi not working (solved!)

Hey y'all, I'm new to this forum and like many, I come here with a problem I cannot solve myself. Up until this morning, my RT-AX86U has been happily trucking along without issue for the past 3.5 years without any problems whatsoever. This morning, however, I woke up to: - No wifi network...

www.snbforums.com

Asus RT-AX86U no wifi. LEDs off.

Asus RT-AX86U no wifi. LEDs off. My router login stopped working using phone app. Only way to get logged back in was to push the tiny reset button on router. I did that, got through setup, connected to internet via Ethernet. But the wifi isn't available. LEDs for both 2.4 GHz and 5Ghz are off...

www.snbforums.com

I absolutely agree.

In addition to here on SMBForums, there are dozens of reports on other platforms.

From what I’ve read, ASUS is aware of the issue and seems to be releasing updated signatures (NOT firmware) that are installed automatically to block, at least temporarily, the malware in question.

It would be useful to know EXACTLY which malware it is and what impacts it may have had on potential leaks of users’ personal data.

Nonetheless, the level of spread and the seriousness of the problem are such that an official statement from ASUS is necessary, in my humble opinion.

 

[Tech9]

official statement from ASUS

Don't expect any statements. When popular model router was dying in bigger than usual numbers some folks just had to cash more money for a new one. The issue was never officially recognized nor users were compensated.

 

[giosita]

Don't expect any statements. When popular model router was dying in bigger than usual numbers some folks just had to cash more money for a new one. The issue was never officially recognized nor users were compensated.

I like to keep a positive outlook.

But honestly, people like me, you, and all the other knowledgeable users will know exactly what NOT to say if a friend asks, 'Which router should I get for my home connection?' -assuming support doesn’t come out with a solid answer and solution...-

It’s a simple matter of principle.

 

[giosita]

I mean: i believe that a company's reputation is also shaped by its ability to communicate with end users and take responsibility. There's nothing to criticize regarding product performance, but in 2024, I expect cybersecurity to be a top priority for well-established companies that provide networking solutions. No one is asking for a mystical, utopian, unbreakable device (as we know, the only truly secure device is an offline one...), but rather for a simple and effective solution.

 

[Tech9]

will know exactly what NOT to say if a friend asks

Overcomplicated firmware built on top of something started >20 years ago is targeted quite often by hackers. The more features are included the more potential holes are discovered. I wish Asus had Asuswrt Lite firmware available for their routers clean of any 3rd party involvement. It would be the most popular firmware option. Something like Jonh's Fork LTS firmware in the past.

 

[thiggins]

@Tech9 Can you please post links to evidence that these problems are due to malware?

 

[Tech9]

Can you please post links to evidence

It all started with multiple reports of unidentified upload traffic registered in Traffic Monitor. Suspected point of entry is AiCloud. People disabling it and resetting their routers or changing passwords reported back to normal operation. Then reports of routers with changed admin access credentials and broken radios started coming in. The radios stop working after the user resets the router in an attempt to restore admin access.

@CrashXRu - "Over the last week I have restored more than 4 routers with such problems"
@ColinTaylor - "Same here. On Monday alone five different people contacted me with this problem."
@ColinTaylor - "I wonder if Asus are even aware there's an issue - Yes they are."
@CrashXRu seems to know more details about it, Asus has been notified and investigating the issue as far as I understand.

"it's the same thing, the first symptoms of the problem are
*high CPU load
*incoming or outgoing traffic
*the appearance of foreign processes, for example Sofia
* last stage loss of factory configuration"

"all models on HND suffer
there is a serious bug that Asus ignores
After long discussions, support responded that this is how it should work, although they also agreed with the unsafe method
I gave an example of different firmware versions where everything was fine, and then they broke these mechanisms
that is why factory data is lost
so far the most affected are RT-ax86u/s"

"I have already created several tickets, with a full description of the problem, and also referred to my report in 2022, about an error in the logic of working with the factory configuration. I hope this will help fix both problems : hacking and data processing error"

The quotes above are taken from discussions linked in the first post. I had a bait RT-AX86U model router running exposed for about a week, but couldn't catch anything on it. My goal was to investigate the upload traffic. I personally didn't know about the permanent damages it is doing. Due to changes in my ISP and system I can't expose it with public IP though and seems like it's more protected in DMZ or needs more time or actual user activity. What I can assist with at this point is extracting configuration files from a working RT-AX86U if needed.

Two more people reported damaged routers yesterday, new forum members seeking eventual help restoring their routers.

Models with unidentified upload traffic mentioned in SNB Forums reports so far:
RT-AX86U
RT-AX88U
GT-AXE11000

Models with damaged radios after reset mentioned in SNB Forum reports so far:
RT-AC86U
RT-AX82U
RT-AX86U
RT-AX86S

Whoever reads this - lock your Asus router down immediately with no services exposed to Internet whatsoever and wait for eventual Asuswrt firmware update addressing the issue. Otherwise you may end up with damaged router! The reports we see are only small % of affected routers since only small % of Asus users participate in online forums and not every consumer product user can actually do initial troubleshooting to identify the issue.

 

[kuchkovsky]

Overcomplicated firmware built on top of something started >20 years ago is targeted quite often by hackers. The more features are included the more potential holes are discovered. I wish Asus had Asuswrt Lite firmware available for their routers clean of any 3rd party involvement. It would be the most popular firmware option. Something like Jonh's Fork LTS firmware in the past.

Actually, firmware is one of the main reasons to buy ASUS routers. It offers a lot of features and isn’t as primitive as TP-Link or Netgear. Otherwise, I’d go with UniFi products or something similar.

 

[Tech9]

Otherwise, I’d go with UniFi products or something similar.

You'll probably go there anyway after increased demands or after hitting actively advertised, but non-working as expected features in home AIO routers. One well known example for Asuswrt is Dual WAN. The suspected Asuswrt feature above is AiCloud. In general home AIO routers have highly disbalanced set of specs/features including Wi-Fi. They are made to work as single AP in a large coverage area. This often creates unnecessary noise, refractions, interference and retries issues. High Tx power helps with coverage to certain extent and only to lower PHY rates. Above 26dbm (400mW) it only increases the noise. Most high-end AIO routers transmit up to 980mW per radio because it's allowed in specific regions. For better performance Wi-Fi communication has to be balanced. Most clients are in 14dBm range (25mW). No matter how far the single AP can shout the client may not be able to reply back. The only thing that helps in 2-way communication is antenna gain. Most AIO routers have omnidirectional 2-3dBi antennas.

I currently have an UniFi system running at home with 4x APs at 20dBm (100mW) covering ~6000sqft area with close to maximum possible throughput to AC-class clients (520-600Mbps) and AX-class clients (780-860Mbps) in almost every room at 80MHz wide 5GHz channel non-DFS. Features are good to have, but overall performance is more important. The best AIO router features - 1) relatively low price for gateway, switch and AP combined; 2) user friendly. The rest is like swiss knife set of tools none of which is the best in what they do. Some of the features in AIO routers are used mostly for marketing purposes. This is the reason an entire Gaming Router category exists. There is no Gaming Networking and there is no Gaming Ethernet cables.

Otherwise no system is perfect and no system is protected from unknown vulnerabilities. Intrusion issues may happen to any make and model including high-end business class equipment. Multiple examples. The more popular the product the more interest around it including attack attempts.

 

[thiggins]

It all started with multiple reports of unidentified upload traffic registered in Traffic Monitor. Suspected point of entry is AiCloud. People disabling it and resetting their routers or changing passwords reported back to normal operation. Then reports of routers with changed admin access credentials and broken radios started coming in. The radios stop working after the user resets the router in an attempt to restore admin access....

Thank you

 

[laracroftonline]

I had it on my rt-axe11000 but after disabling the aicloud services and changing the password it stopped and things went back to normal.

 

[Tech9]

Seems like firmware updates started coming out already. From RT-BE96U Oct 23, 2024 update changelog:

"Enhanced AiCloud password protection mechanisms, safeguarding against unauthorized access attempts"

 

[ATLga]

This really should be a sticky and not buried in a sub forum

 

[Tech9]

Credit goes to @ColinTaylor, @dave14305, @CrashXRu for quickly identifying the abnormal behaviour. Apologies if I missed to mention all the folks who were involved. I’m the scattered threads around integrator only. The difference this time is in real damages done. Not reboot and reset fix as usual. The more people know the less damage will be done. Asus, TP-Link, Netgear or Cisco - doesn’t matter. It may happen at any time, there is no one to blame. The goal is protecting the community. I know some people around buy hardware just for the fun of it, but this is not the case for every user. In some countries good home router cost may exceed the average monthly salary.

 

[tebtengri]

While a new firmware for the BE98 Pro would be nice, hopefully it'd include stuff they've been working on since the half year old release and not just a rushed bug-fix for this issue.

Bug-fix would be better than nothing though.

I keep my services pared down, even have UPNP media turned off as well as SMB disk share off. Would disabling HTTP access and only allowing HTTPS(and a non-standard port) be of any benefit or is that just overkill?

 

[Tech9]

Would disabling HTTP access and only allowing HTTPS(and a non-standard port) be of any benefit or is that just overkill?

This would make sense only if the attack is confirmed coming from an infected client device inside the network. Access from WAN disabled, AiCloud disabled, new passwords, wipe clean on strange behaviour and reinstall - good enough measures for what we know so far. OpenVPN server is perhaps safe too.

 

[jksmurf]

AiCloud disabled

I tried to ask in one of the threads referred to above, but will try again as I think it important folks know what to disable.

Is there a definitive list of what exactly disabling AiCloud entails and specifically whether it includes disabling asuscomm.com ddns?

For my case, I have all of (under the AiCloud 2.0 Tab)

(i) Cloud Disk
(ii) Smart Access; and
(iii) AiCloud Sync

turned off (never used them except about 5 or so years go to try it out).

I do have AiCloud 2.0 DDNS name (using asuscomm.com) enabled and running; hence the query, as the same AiCloud 2.0 Tab refers to:

• Enter AiCloud 2.0 https://yourddnsnamehere.asuscomm.com:yourdnsport
  To modify the ddns name, please click here.

Thanks .

k.

 

[Tech9]

I do have AiCloud 2.0 DDNS name

This is not AiCloud specific DDNS name. Asus provides free DDNS service and it's used to access AiCloud just like any other DDNS service you may have in use. If you used No-IP DDNS service the GUI would probably say "Enter AiCloud 2.0 https://yourdomain.ddns.net:8443" or whatever port is used for HTTPS. I believe DDNS service is unrelated to the issue above and can be left running along with OpenVPN server, etc. known safe services.

 

[Tech9]

https://yourddnsnamehere.asuscomm.com:yourddnsport

Many intrusions happen when the user is not careful. By the way, on mouse over I see in browser's window your real DDNS name, the port and your internal LAN IP. I can get your external WAN IP as well in minutes. Not very useful information at this point, but you may post online in exactly the same way something better next time.