Malware damaging ASUS routers?

Digging this thread up for hopefully the last time. Despite thinking I had mitigated the (what I understand as) malware, it seems to be back. As a quick recap, I've never enabled AiCloud nor enabled access via the WAN. When this thread brought the issue to my attention I changed my router login password to something stronger and this seemed to stop the issue I was seeing. A few weeks later I also changed the login name to something other than admin and made sure to update the firmware to 388.8_4. Things seemed to be going good until recently. Below are screenshots showing the behavior that I think is possibly due to malware. The screenshots show the spike in the last 24 hour activity and the daily values which show outrageously high values not indicative of my usage.

My questions are:
1. Does this look like a malware issue or could it be a router glitch?
2. If malware, would factory resetting and setting up manually rid the router of the malware?

[Attached screenshots: Traffic Monitor last-24-hours spike, and daily totals]
 
Router Traffic Monitor glitch.
Thanks for the quick reply! What are your thoughts on the Oct 10-14 values? Coincidence that those high values ended after changing my password? I did also turn off my (very rarely used) OpenVPN server at the same time I changed my password.
Hard to say. Your previously reported symptoms don't sound quite the same as the malware described in this thread.
Thanks again for your time. I'm going to call this a win and skip the reset and reconfigure.

Edit: This very well could have been a case of the 'reboot that happened' at the time of the password change fixing the "issue".
It all started with multiple reports of unidentified upload traffic registered in Traffic Monitor. Suspected point of entry is AiCloud. People disabling it and resetting their routers or changing passwords reported back to normal operation. Then reports of routers with changed admin access credentials and broken radios started coming in. The radios stop working after the user resets the router in an attempt to restore admin access.

@CrashXRu - "Over the last week I have restored more than 4 routers with such problems"
@ColinTaylor - "Same here. On Monday alone five different people contacted me with this problem."
@ColinTaylor - "I wonder if Asus are even aware there's an issue - Yes they are."
@CrashXRu seems to know more details about it, Asus has been notified and investigating the issue as far as I understand.

"it's the same thing, the first symptoms of the problem are
*high CPU load
*incoming or outgoing traffic
*the appearance of foreign processes, for example Sofia
* last stage loss of factory configuration
"

"all models on HND suffer
there is a serious bug that Asus ignores
After long discussions, support responded that this is how it should work, although they also agreed with the unsafe method
I gave an example of different firmware versions where everything was fine, and then they broke these mechanisms
that is why factory data is lost
so far the most affected are RT-ax86u/s
"

"I have already created several tickets, with a full description of the problem, and also referred to my report in 2022, about an error in the logic of working with the factory configuration. I hope this will help fix both problems : hacking and data processing error"

The quotes above are taken from discussions linked in the first post. I had a bait RT-AX86U model router running exposed for about a week, but couldn't catch anything on it. My goal was to investigate the upload traffic. I personally didn't know about the permanent damage it is doing. Due to changes in my ISP and system I can't expose it with a public IP though, and it seems like it's more protected in DMZ or needs more time or actual user activity. What I can assist with at this point is extracting configuration files from a working RT-AX86U if needed.

Two more people reported damaged routers yesterday, new forum members seeking eventual help restoring their routers.

Models with unidentified upload traffic mentioned in SNB Forums reports so far:
RT-AX86U
RT-AX88U
GT-AXE11000

Models with damaged radios after reset mentioned in SNB Forum reports so far:
RT-AC86U
RT-AX56U
RT-AX82U
RT-AX86U
RT-AX86S
TUF-AX5400

Whoever reads this - lock your Asus router down immediately with no services exposed to Internet whatsoever and wait for eventual Asuswrt firmware update addressing the issue. Otherwise you may end up with damaged router! The reports we see are only small % of affected routers since only small % of Asus users participate in online forums and not every consumer product user can actually do initial troubleshooting to identify the issue.
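The symptom that opened this thread, and that the earlier poster asked about, is a run of days whose upload volume is far above the router's normal range. The following is an added example, not code from this thread, from Asuswrt or from Merlin: it takes a list of (date, download MB, upload MB) rows, which is an assumed format for a Traffic Monitor daily export, and flags days whose upload is a robust outlier (median plus MAD, so a multi-day burst does not drag the baseline up with it) or where upload exceeds download, which a home connection almost never shows. The sample rows are constructed.

```python
"""Flag days whose upload volume is far outside the router's normal range.

Added example, not code from this thread or from Asuswrt. The input format
(date, download_MB, upload_MB) is an assumption about what a daily
Traffic Monitor export would give; the rows in SAMPLE_DAYS are constructed.
"""
from statistics import median

# Constructed sample: normal download-heavy days around a five-day burst of
# uploads that dwarfs the household's usual traffic.
SAMPLE_DAYS = [
    ("2024-10-05", 12400, 850),
    ("2024-10-06", 9800, 610),
    ("2024-10-07", 15100, 940),
    ("2024-10-08", 11200, 720),
    ("2024-10-09", 13000, 880),
    ("2024-10-10", 12800, 41000),
    ("2024-10-11", 10900, 38500),
    ("2024-10-12", 11700, 52000),
    ("2024-10-13", 9500, 47000),
    ("2024-10-14", 12300, 36000),
    ("2024-10-15", 13400, 790),
    ("2024-10-16", 10200, 660),
]


def robust_outliers(values, threshold=5.0):
    """Return indices of values more than `threshold` robust sigmas above the median.

    Median and median absolute deviation (MAD) are used instead of mean and
    standard deviation so that a burst lasting several days does not inflate
    the baseline it is compared against.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    sigma = 1.4826 * mad if mad else 1.0  # scale MAD to a std-dev equivalent
    return [i for i, v in enumerate(values) if (v - med) / sigma > threshold]


def suspicious_upload_days(days, threshold=5.0):
    """Dates whose upload total is a robust outlier for this router."""
    uploads = [upload for _, _, upload in days]
    return [days[i][0] for i in robust_outliers(uploads, threshold)]


def upload_heavy_days(days, ratio=2.0):
    """Dates where upload exceeds download by `ratio`; home links are download-heavy."""
    return [date for date, download, upload in days if upload > ratio * download]


if __name__ == "__main__":
    for date in suspicious_upload_days(SAMPLE_DAYS):
        print("upload outlier:", date)
    for date in upload_heavy_days(SAMPLE_DAYS):
        print("upload exceeds 2x download:", date)
```

A single flagged day is usually a backup or a cloud sync; a run of flagged days on a router with no such job, as in the screenshots above, is worth investigating before assuming a Traffic Monitor glitch.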
I have had a very long history with my GT-AXE16000 having the same issues, except the radios. I have MULTIPLE open tickets since my purchase of qty 2 back in Feb 2024. The first issue was performance issues, stuttering streaming games (Nvidia Shield) and streaming services, all of them, including Netflix OVER ETH - not wireless.

Here is the completed history when Asus closed my tickets and, to be honest, went silent about what ended up being complaints of continuing performance issues - however they kept defaulting to "return them and they will swap them out", no troubleshooting, just RMA and done, and insisted. Like a standard response. I reset all my ASUS wireless APs and flashed my main router to Merlin. For a while things were working fine, now I am seeing stuttering of streaming, and more outbound traffic than consumption.

Here was their last communication:

"We will also try our default setting to see if any stuttering issue occur.

Thanks

4/2
ON HOLD

4/10
Below are the analysis results and suggestions

1. Disable firewall packet logging, it will increase CPU loading and system log will be full of firewall packet log and hard to debug

2. Please advise user to enable telnet function and disable net_ratelimit. If same issue after executing the telnet CMD, please submit feedback log again, but no need to enable system diagnostic, just submit it without system diagnostic.

For how to telnet please refer to [Wireless Router] How to log in ASUS router via Telnet | Official Support | ASUS Global

After using telnet to login the router, please execute below cmds and see if same issue occur.

echo 0 > /proc/sys/kernel/printk_ratelimit
echo 0 > /proc/sys/kernel/printk_ratelimit_burst

4/16
Could you confirm if same wired device lag issue after the ratelimit cmd is set?

If yes, we need a new router feedback to analyze further. And please note to turn off the firewall packet logging, it will increase CPU loading and system log will be full of firewall packet log and hard to debug

Thank you.

4/22
So user did not have significant stuttering after firmware upgrade to beta and the cmd right? Is there any AiMesh topology changes during these days?

Can user roll back to previous 3004 388 firmware to see if WiFi stuttering occur?

And if roll back to 3004 388 firmware brings back stuttering, please submit a new feedback log again.

Thanks,

4/30
For ecobee device connection issue may try this FAQ first.

[Wireless Router] How to improve compatibility of IoT device with ASUS WiFi 6(802.11 ax) router? | Official Support | ASUS Global

https://www.asus.com/support/faq/1042475/

And sorry that we are still waiting for vendor's reply. Will provide analyze result asap.

*It's okay if user would like to flash back to 9006 FW

Thanks

5/10
We've analyzed user's log but not able to find out root cause.

Please suggest user to send XT8 for repair for WTP test.

And for AXE16000 and ET12 user may upgrade to 9006 FW for stable usage.

We should be able to release official 3006 FW in H2 /2024"

Please keep in mind that we are available for any future questions or concerns, so please reach out to our technical support team here: Chat with Us. This will allow us to gather more details on the description of the issue you are experiencing directly, especially on more complex and targeted situations.

Your case number for your future reference: N**********5-0001. You are more than welcome to visit our Asus support website: https://www.asus.com/us/support

We are here to help!

Best regards,
Deejay L.
ASUS Product Support
Chat with Us if you need further support.

Help make us better! Let us know what we can do to improve by clicking here."


Things that worked, but now the stuttering is back again: HARD resets on all mesh routers, flashing to Merlin off ASUS FW, then resetting the main password (of course losing the ability to use the ASUS app and connect to their cloud) seemed to work. However I am now experiencing stuttering all over again, and this isn't wireless - all hard wired for streaming devices.
Most likely your performance issues are unrelated to the malware discussed in this thread.
My problems started there until I realized the problem wasn't going away - the issue was large outbound traffic that created poor performance streaming large amounts of data. My output - transmitting of data - was compounding the performance issues, very large jitter and much reduced use of bandwidth. The issue stemmed from using AiCloud - the Android app - and needed a reset of the devices using the WPS reset method and loading Merlin's firmware, which wouldn't allow me to use the AiCloud Android app, which was allowing access and a large amount of data going out. Suffice to say the AX line is susceptible to the MITM AiCloud attack; support was looking at the internal switch performance using 10G - however it was only part of the symptoms.
 
Asus released new firmware fixing AiCloud issues including for your model. If it was malware related in your specific case - you got lucky, at least your router didn't end up with wiped configuration making it unusable after reset. Better find AiCloud alternatives going further.
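The advice that runs through the whole thread is the same: nothing on the router should be reachable from the WAN until the firmware fix is in place. A quick way to check that on an Asuswrt or Merlin unit is to look at the nvram settings that control those services. The following is an added example, not code from this thread, from Asuswrt or from Merlin: it parses the `key=value` lines that `nvram show` prints and reports the settings that expose a service. The variable names in the rule table are assumptions about Asuswrt's nvram keys, so confirm each one against `nvram show` on your own router before trusting the result; the dump text is constructed.

```python
"""Audit an Asuswrt `nvram show` dump for services reachable from the WAN.

Added example, not from this thread or from Asuswrt/Merlin. Every key in
WAN_EXPOSURE_RULES is an assumption about Asuswrt's nvram variable names;
verify them on your own unit. SAMPLE_DUMP is constructed.
"""

# key -> (what it means when set, predicate on the value that counts as exposed)
WAN_EXPOSURE_RULES = {
    "misc_http_x":      ("Web UI reachable from WAN",            lambda v: v == "1"),
    "sshd_enable":      ("SSH reachable from WAN (1 = LAN+WAN)", lambda v: v == "1"),
    "telnetd_enable":   ("Telnet service enabled",               lambda v: v == "1"),
    "enable_webdav":    ("AiCloud (WebDAV) enabled",             lambda v: v == "1"),
    "enable_cloudsync": ("AiCloud Smart Sync enabled",           lambda v: v == "1"),
    "vts_enable_x":     ("Port forwarding (virtual server) on",  lambda v: v == "1"),
    "dmz_ip":           ("DMZ host configured",                  lambda v: v != ""),
}

# Constructed dump in the shape `nvram show` prints: one key=value per line.
SAMPLE_DUMP = """\
misc_http_x=1
misc_httpport_x=8443
sshd_enable=2
telnetd_enable=0
enable_webdav=1
enable_cloudsync=0
vts_enable_x=0
dmz_ip=
wl0_ssid=HomeNet
"""


def parse_nvram(dump):
    """Turn `nvram show` output into a dict; values may themselves contain '='."""
    settings = {}
    for line in dump.splitlines():
        if "=" not in line:
            continue  # nvram show also prints a size summary line; skip it
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def exposed_services(dump):
    """Return (key, description, value) for every rule whose predicate matches."""
    settings = parse_nvram(dump)
    findings = []
    for key, (description, is_exposed) in WAN_EXPOSURE_RULES.items():
        if key in settings and is_exposed(settings[key]):
            findings.append((key, description, settings[key]))
    return findings


if __name__ == "__main__":
    for key, description, value in exposed_services(SAMPLE_DUMP):
        print(f"{key}={value}: {description}")
```

Run it against a real dump with `nvram show > /tmp/nv.txt` on the router and `exposed_services(open("/tmp/nv.txt").read())` on a machine with Python; an empty result is the state the thread is asking for, and each finding maps to a switch in the web UI (Administration > System for web access, SSH and Telnet; USB Application > AiCloud; WAN > Virtual Server / DMZ).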