Malware damaging ASUS routers?

[Tech9]

That would be too simple.

Very few common users running stock Asuswrt will change the firmware temporary to 3rd party with factory reset required. Not so simple.

 

[Jbennett360]

Support fox X years minimum, but you may get 1-2 or even 0 updates during this period and the manufacturer will be still in compliance. Asus has less popular 2020 model routers with last firmware update in 2021 and still officially supported. Some ZenWiFi models had 2 years gap in firmware releases, RT-AX68U had >1 year gap, as I remember GT-AX6000 also had a very large gap. Support is there, updates... maybe.

True. But the main 'flagship' models seem to do fine.

AX86U - 2020 - 18 updates
AX88U - 2019 - 10 updates
AC86U - 2018 - 26 Updates
AC88U - 2015 - 23 Updates

 

[nomad_surfer]

It all started with multiple reports of unidentified upload traffic registered in Traffic Monitor. Suspected point of entry is AiCloud. People disabling it and resetting their routers or changing passwords reported back to normal operation. Then reports of routers with changed admin access credentials and broken radios started coming in. The radios stop working after the user resets the router in an attempt to restore admin access.

@CrashXRu - "Over the last week I have restored more than 4 routers with such problems"
@ColinTaylor - "Same here. On Monday alone five different people contacted me with this problem."
@ColinTaylor - "I wonder if Asus are even aware there's an issue - Yes they are."
@CrashXRu seems to know more details about it, Asus has been notified and investigating the issue as far as I understand.

"it's the same thing, the first symptoms of the problem are
*high CPU load
*incoming or outgoing traffic
*the appearance of foreign processes, for example Sofia
* last stage loss of factory configuration"

"all models on HND suffer
there is a serious bug that Asus ignores
After long discussions, support responded that this is how it should work, although they also agreed with the unsafe method
I gave an example of different firmware versions where everything was fine, and then they broke these mechanisms
that is why factory data is lost
so far the most affected are RT-ax86u/s"

"I have already created several tickets, with a full description of the problem, and also referred to my report in 2022, about an error in the logic of working with the factory configuration. I hope this will help fix both problems : hacking and data processing error"

The quotes above are taken from discussions linked in the first post. I had a bait RT-AX86U model router running exposed for about a week, but couldn't catch anything on it. My goal was to investigate the upload traffic. I personally didn't know about the permanent damages it is doing. Due to changes in my ISP and system I can't expose it with public IP though and seems like it's more protected in DMZ or needs more time or actual user activity. What I can assist with at this point is extracting configuration files from a working RT-AX86U if needed.

Two more people reported damaged routers yesterday, new forum members seeking eventual help restoring their routers.

Models with unidentified upload traffic mentioned in SNB Forums reports so far:
RT-AX86U
RT-AX88U
GT-AXE11000

Models with damaged radios after reset mentioned in SNB Forum reports so far:
RT-AC86U
RT-AX56U
RT-AX82U
RT-AX86U
RT-AX86S
TUF-AX5400

Whoever reads this - lock your Asus router down immediately with no services exposed to Internet whatsoever and wait for eventual Asuswrt firmware update addressing the issue. Otherwise you may end up with damaged router! The reports we see are only small % of affected routers since only small % of Asus users participate in online forums and not every consumer product user can actually do initial troubleshooting to identify the issue.

This is exactly what happened to my router (AX88U), I dont it was a malware attack but I was trying to setup ai mesh network but it was impossible to pair, I thought if I downgrade all way down to the first version of firmware then try to pair (ai mesh 1.0 vs 2.0 ), I would be able to pair them, but downgrading it opened Pandora's box, I was not able to upgrade stuck on old firmware but fortunately with firmware recovery utility saved the day. But now I am suffering from router specific partition info is lost. That is ASUS bug that had me lost router specific info..But I checked the warranty period it was expired last year.I need to recover that partition somehow..

 

[Tech9]

I thought if I downgrade all way down to the first version of firmware

Your issue sounds like self-inflicted damage. Not sure who's advice you were following, but I remember partitions structure was changed at some point. Regular firmware upgrade process was the one making the changes. Forced flashing back and forth in recovery may have messed up the router.

 

[nomad_surfer]

I was not following anyone advice but myself, but who would have thought ASUS will make such ridiculous design/decision to change partition structure in case it will get router specific info lost in case if user change firmware..
router specific info should stay the same place across firmware versions what a marvelous engineering..
Now, I am able to attach the partition but file containing router specific info missing, but the router is functional (except that wifi 2.4 and 5 mac addresses are being identical),
What I need the name of the file and what I need to write the content of the file, if I get someone filtered out file (router specific info deleted from file), I could populate those section in the file.. Since most of the info stored in NVRAM as well.

 

[Tech9]

but who would have thought ASUS will make such ridiculous design/decision to change partition structure

I don't know what damaged your router. Your router started on 384 firmware, moved to 386 and now runs on 388 - the evolution of firmware in few years time. There is no guaranteed downgrade compatibility. Asus now has "minimum required" firmware and users are not allowed to downgrade below specific firmware version. For your router there was a firmware version making the necessary changes to go forward. Users had to flash this specific one first before flashing whatever was available after. I don't find anything ridiculous in this process.

 

[nomad_surfer]

Your router started on 384 firmware, moved to 386 and now runs on 388 - the evolution of firmware in few years time. There is no guaranteed downgrade compatibility. Asus now has "minimum required" firmware and users are not allowed to downgrade below specific firmware version.

I was not aware of that at the beginning, imho some design decision should stay the same across the versions just in case list router specific info put in on one time programmable location..

 

[Tech9]

specific info put in on one time programmable location

It is, actually. The reason I don't know what damaged your router - malware of some sort of other abuse. Users don't need to look or do anything there. If you believe the problem you have is a result of an Asus bug - contact Customer Support and see what you can eventually negotiate.

 

[nomad_surfer]

that is a good idea I will get in touch with their support, will see what happens. I am positive that ASUS bug messed up the router specific partition, I was on very latest firmware (388.8_2) then I was able to revert back very first version, I did not run into any roadblock during the process it was a smooth process, the way it was supposed to be, the flash process should skip flashing process if it was forbidden downgrade..

 

[sfx2000]

This malware damaging Asus routers has to be described in a sticky thread with a warning sign!

Update: Asus is releasing patched firmware for multiple models. Check for firmware updates!

The changelog for most firmware releases contains the following:

1. Strengthened input validation and data processing workflows to further protect information security.
2. Enhanced AiCloud password protection mechanisms, safeguarding against unauthorized access attempts.
3. Enhanced device security through improved buffer handling in connection features.
4. Refined data handling processes, ensuring secure and accurate information management.
5. Enhanced file access control mechanisms, promoting a more secure operating environment.
6. Strengthened certificate protection, providing enhanced data security.

Any lists of published CVE's...

Just asking, as this could provide some level of credibility and examinations of other partners...

 

[Tech9]

Any lists of published CVE's...

No. Just the changelog in quoted post.

 

[CrashXRu]

There is very good news
I was contacted by ASUS PRIST

I was asked to explain the problem, how to restore the device

in the appeal, gave 2 methods of restoring the device
1 full, when all the settings are returned to the values before the breakdown, but for this you need any backup of the settings from this device
2 recovery from the template, which is in the source codes and firmware

described what fields to change, how to restore the system partition correctly, according to the mechanisms developed in the router.

also about how to work with the factory configuration, using 2 applets without the need for direct contact, which increases security.

 

[CrashXRu]

The method I described is based on the initial programming of the device at the factory. Using the same template.

I do not use other people's dumps of partitions, I create the partition again, create the correct labels and then use the template, and change the values in it to those on the label or in the backup

 

[Tech9]

There is very good news

Does it mean they are working on a tool eventually restoring the affected devices?

 

[RMerlin]

Does it mean they are working on a tool eventually restoring the affected devices?

They are.

 

[CrashXRu]

Does it mean they are working on a tool eventually restoring the affected devices?

Unfortunately, until recently, Asus repaired routers by desoldering the flash memory and uploading a dump with fixes
the dump was processed automatically by a special program

but this solution is used when flash memory needs to be replaced

and here the router is working, but the factory configuration is lost, so they asked how I restored it, maybe I can do something

it is impossible to automatically restore all broken routers, you can only write a template instead of the real configuration, where there will be default MAC address and PIN code

 

[bennor]

It looks like the RT-AX86U finally got the update. Looks like its only through the router GUI or Asus mobile app UI at the moment.

Release - ASUS RT-AX86U Firmware version 3.0.0.4.388_24323 (2024/11/28)

Available via the Asus app only atm

www.snbforums.com

Firmware version 3.0.0.4.388_24323
- Release Note -

Bug Fixes and Enhancements：
1. Strengthened input validation and data processing workflows to further protect information security.
2. Enhanced AiCloud password protection mechanisms, safeguarding against unauthorized access attempts.
3. Enhanced device security through improved buffer handling in connection features.
4. Refined data handling processes, ensuring secure and accurate information management.
5. Enhanced file access control mechanisms, promoting a more secure operating environment.
6. Strengthened certificate protection, providing enhanced data security.

 

[jmpr]

It looks like the RT-AX86U finally got the update. Looks like its only through the router GUI or Asus mobile app UI at the moment.

Release - ASUS RT-AX86U Firmware version 3.0.0.4.388_24323 (2024/11/28)

Available via the Asus app only atm

www.snbforums.com

Firmware version 3.0.0.4.388_24323
- Release Note -

Bug Fixes and Enhancements：
1. Strengthened input validation and data processing workflows to further protect information security.
2. Enhanced AiCloud password protection mechanisms, safeguarding against unauthorized access attempts.
3. Enhanced device security through improved buffer handling in connection features.
4. Refined data handling processes, ensuring secure and accurate information management.
5. Enhanced file access control mechanisms, promoting a more secure operating environment.
6. Strengthened certificate protection, providing enhanced data security.

XT8 hw1 has received it too, althought it is not listed in support page, and no release notes. And it didn't auto update tonight, I have done a "check for updates" manually.

 

[Tech9]

it is impossible to automatically restore all broken routers, you can only write a template instead of the real configuration, where there will be default MAC address and PIN code

Don't remember about PIN code, but MAC addresses were written in multiple locations, no?

 

[CrashXRu]

Don't remember about PIN code, but MAC addresses were written in multiple locations, no?

et0macaddr=00:11:22:99:88:10
0:macaddr=00:11:22:99:88:10
1:macaddr=00:11:22:99:88:14

secret_code=12345678