Malware damaging ASUS routers?

Okay, the reason not all the channels are listed. If you select 20MHz wide you'll see all supported channels.
 
Digging this thread up for hopefully the last time. Despite thinking I had mitigated the (what I understand as) malware, it seems to be back. As a quick recap, I've never enabled AiCloud nor enabled access via the WAN. When this thread brought the issue to my attention I changed my router login password to something stronger and this seemed to stop the issue I was seeing. A few weeks later I also changed the login name to something other than admin and made sure to update the firmware to 388.8_4. Things seemed to be going well until recently. Below are screenshots showing the behavior that I think is possibly due to malware. The screenshots show the spike in the last 24-hour activity and the daily values, which show outrageously high values not indicative of my usage.

My questions are:
1. Does this look like a malware issue or could it be a router glitch?
2. If malware, would factory resetting and setting up manually rid the router of the malware?

[Screenshots: Traffic Monitor last-24-hour spike and daily traffic values]
 
Router Traffic Monitor glitch.
Thanks for the quick reply! What are your thoughts on the Oct 10-14 values? Coincidence that those high values ended after changing my password? I did also turn off my (very rarely used) OpenVPN server at the same time I changed my password.
 
Hard to say. Your previously reported symptoms don't sound quite the same as the malware described in this thread.
 
Thanks again for your time. I'm going to call this a win and skip the reset and reconfigure.

Edit: This very well could have been a case of the 'reboot that happened' at the time of the password change fixing the "issue".
 
It all started with multiple reports of unidentified upload traffic registered in Traffic Monitor. Suspected point of entry is AiCloud. People disabling it and resetting their routers or changing passwords reported back to normal operation. Then reports of routers with changed admin access credentials and broken radios started coming in. The radios stop working after the user resets the router in an attempt to restore admin access.

@CrashXRu - "Over the last week I have restored more than 4 routers with such problems"
@ColinTaylor - "Same here. On Monday alone five different people contacted me with this problem."
@ColinTaylor - "I wonder if Asus are even aware there's an issue - Yes they are."
@CrashXRu seems to know more details about it, Asus has been notified and investigating the issue as far as I understand.

"it's the same thing, the first symptoms of the problem are
*high CPU load
*incoming or outgoing traffic
*the appearance of foreign processes, for example Sofia
* last stage loss of factory configuration
"

"all models on HND suffer
there is a serious bug that Asus ignores
After long discussions, support responded that this is how it should work, although they also agreed with the unsafe method
I gave an example of different firmware versions where everything was fine, and then they broke these mechanisms
that is why factory data is lost
so far the most affected are RT-ax86u/s
"

"I have already created several tickets, with a full description of the problem, and also referred to my report in 2022, about an error in the logic of working with the factory configuration. I hope this will help fix both problems : hacking and data processing error"

The quotes above are taken from discussions linked in the first post. I had a bait RT-AX86U model router running exposed for about a week, but couldn't catch anything on it. My goal was to investigate the upload traffic. I personally didn't know about the permanent damage it is doing. Due to changes in my ISP and system I can't expose it with a public IP though, and it seems like it's more protected in DMZ or needs more time or actual user activity. What I can assist with at this point is extracting configuration files from a working RT-AX86U if needed.

Two more people reported damaged routers yesterday, new forum members seeking eventual help restoring their routers.

Models with unidentified upload traffic mentioned in SNB Forums reports so far:
RT-AX86U
RT-AX88U
GT-AXE11000

Models with damaged radios after reset mentioned in SNB Forum reports so far:
RT-AC86U
RT-AX56U
RT-AX82U
RT-AX86U
RT-AX86S
TUF-AX5400

Whoever reads this - lock your Asus router down immediately with no services exposed to the Internet whatsoever and wait for an eventual Asuswrt firmware update addressing the issue. Otherwise you may end up with a damaged router! The reports we see are only a small % of affected routers, since only a small % of Asus users participate in online forums and not every consumer product user can actually do the initial troubleshooting to identify the issue.
I have had a very long history with my GT-AXE16000 having the same issues, except the radios. I have MULTIPLE open tickets since my purchase of qty 2 back in Feb 2024. The first issue was performance issues: stuttering streaming games (Nvidia Shield) and streaming services, all of them, including Netflix OVER ETH - not wireless.

Here is the complete history from when Asus closed my tickets and, to be honest, went silent about what ended up being complaints of continuing performance issues - however they kept defaulting to "return them and they will swap them out", no troubleshooting, just RMA and done, and insisted. Like a standard response. I reset all my ASUS wireless APs and flashed my main router to Merlin. For a while things were working fine; now I am seeing stuttering of streaming, and more outbound traffic than consumption.

Here was their last communication:

"We will also try our default setting to see if any stuttering issue occur.

Thanks

4/2

ON HOLD


4/10
Below are the analysis results and suggestions

1. Disable firewall packet logging; it will increase CPU loading and the system log will be full of firewall packet log entries and hard to debug

2. Please advise user to enable the telnet function and disable net_ratelimit. If the same issue occurs after executing the telnet CMD, please submit the feedback log again, but no need to enable system diagnostic; just submit it without system diagnostic.

For how to telnet please refer to [Wireless Router] How to log in ASUS router via Telnet | Official Support | ASUS Global

After logging in to the router via telnet, please execute the cmds below and see if the same issue occurs.

echo 0 > /proc/sys/kernel/printk_ratelimit

echo 0 > /proc/sys/kernel/printk_ratelimit_burst



4/16


Could you confirm if the same wired device lag issue occurs after the ratelimit cmd is set?

If yes, we need a new router feedback to analyze further. And please note to turn off the firewall packet logging; it will increase CPU loading and the system log will be full of firewall packet log entries and hard to debug

Thank you.



4/22

So the user did not have significant stuttering after the firmware upgrade to beta and the cmd, right? Were there any AiMesh topology changes during these days?

Can the user roll back to the previous 3004 388 firmware to see if WiFi stuttering occurs?

And if rolling back to 3004 388 firmware brings back stuttering, please submit a new feedback log again.

Thanks ,



4/30

For the ecobee device connection issue, you may try this FAQ first.

[Wireless Router] How to improve compatibility of IoT device with ASUS WiFi 6(802.11 ax) router? | Official Support | ASUS Global


https://www.asus.com/support/faq/1042475/

And sorry that we are still waiting for the vendor's reply. Will provide the analysis result asap.

*It's okay if the user would like to flash back to 9006 FW

Thanks



5/10

We've analyzed the user's log but are not able to find the root cause.

Please suggest the user send the XT8 for repair for a WTP test.

And for AXE16000 and ET12, the user may upgrade to 9006 FW for stable usage.

We should be able to release the official 3006 FW in H2/2024 "



Please keep in mind that we are available for any future questions or concerns, so please reach out to our technical support team here: Chat with Us . This will allow us to gather more details on the description of the issue you are experiencing directly, especially on more complex and targeted situations.



Your case number for your future reference: N**********5-0001. You are more than welcome to visit our Asus support website: https://www.asus.com/us/support



We are here to help!



Best regards,
Deejay L.
ASUS Product Support
Chat with Us if you need further support.

Help make us better! Let us know what we can do to improve by clicking here."


Things that worked, but now the stuttering is back again: HARD resets on all mesh routers, flashed to Merlin off ASUS FW, then reset the main password, of course losing the ability to use the ASUS app and connect to their cloud. That seemed to work. However I am now experiencing stuttering all over again, and this isn't wireless; all streaming devices are hard wired.
 
Most likely your performance issues are unrelated to the malware discussed in this thread.
 
My problems started there until I realized the problem wasn't going away - the issue was large outbound traffic that created poor performance streaming large amounts of data. My output - transmitting of data - was compounding the performance issues: very large jitter and much reduced use of bandwidth. The issue stemmed from using AiCloud - the Android app - and needed a reset of the devices using the WPS reset method and loading Merlin's firmware, which wouldn't allow me to use the AiCloud Android app, which was allowing access and a large amount of data going out. Suffice to say the AX line is susceptible to the MITM AiCloud attack; support was looking at the internal switch performance using 10G - however it was only part of the symptoms.
 
Asus released new firmware fixing AiCloud issues including for your model. If it was malware related in your specific case - you got lucky, at least your router didn't end up with wiped configuration making it unusable after reset. Better find AiCloud alternatives going further.
 
A simple and quick way to check if your router is working

execute in ssh

Code:
ATE Get_DateCode
ATE Get_HwBom
ATE Get_HwId
ATE Get_HwVersion
ATE Get_PINCode
ATE Get_ModelName
ATE Get_SerialNumber
ATE Get_TerritoryCode

If all values are empty, then 100% the router does not have a factory configuration.

Some models may not have a serial number, this is normal.
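A small check script for the symptoms quoted earlier in the thread (high CPU load, unfamiliar processes such as the "Sofia" one mentioned, loss of factory configuration), built around the ATE queries in the post above. This is an added example, not code from the thread or from Asus. It assumes that ATE is in PATH on the router and prints one value per query, that process names can be read from /proc/<pid>/comm, and that the operator supplies a load threshold (LOAD_THRESHOLD, default 2.0) and a baseline process list captured from a router known to be healthy; the ATE sample at the bottom is constructed, not captured from a real device. Run it over SSH as sh check_router.sh run baseline.txt.

```shell
#!/bin/sh
# Added example for this thread (not code from the thread or from Asus):
# checks an Asuswrt router for the three symptoms quoted earlier - high CPU
# load, processes that are not in a known-good baseline, and an empty factory
# configuration - using the ATE queries listed in the post above.
# Assumptions: ATE is in PATH and prints one value per query; process names
# come from /proc/<pid>/comm; threshold and baseline are chosen by the operator.

ATE_QUERIES="Get_DateCode Get_HwBom Get_HwId Get_HwVersion Get_PINCode Get_ModelName Get_SerialNumber Get_TerritoryCode"

# Run one ATE query and print its value with surrounding whitespace removed
# (empty output if the command fails or is missing).
ate_get() {
    ATE "$1" 2>/dev/null | tr -d '\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Print one "query=value" line per ATE query.
collect_ate_values() {
    for q in $ATE_QUERIES; do
        printf '%s=%s\n' "$q" "$(ate_get "$q")"
    done
}

# Classify "query=value" lines read from stdin:
#   missing - every value empty (the "no factory configuration" case from the post)
#   ok      - every value present, or only Get_SerialNumber empty (normal on some models)
#   partial - some other values empty; worth a closer look
#   unknown - no input at all
classify_ate_values() {
    total=0; empty=0; empty_names=""
    while IFS='=' read -r name value; do
        [ -n "$name" ] || continue
        total=$((total + 1))
        if [ -z "$value" ]; then
            empty=$((empty + 1))
            empty_names="$empty_names $name"
        fi
    done
    if [ "$total" -eq 0 ]; then
        echo unknown
    elif [ "$empty" -eq "$total" ]; then
        echo missing
    elif [ "$empty" -eq 0 ] || [ "$empty_names" = " Get_SerialNumber" ]; then
        echo ok
    else
        echo partial
    fi
}

# Exit 0 when the 1-minute load average on stdin (/proc/loadavg format)
# is at or above the threshold given in $1.
load_is_high() {
    awk -v t="$1" '{ exit !($1 >= t) }'
}

# Print the names in $2 (newline separated) that do not appear in $1,
# the baseline captured from a router known to be healthy.
unexpected_processes() {
    printf '%s\n' "$2" | awk -v base="$1" '
        BEGIN { n = split(base, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !seen[$0]'
}

# Current process names, one per line, deduplicated.
current_processes() {
    cat /proc/[0-9]*/comm 2>/dev/null | sort -u
}

# Constructed sample (not captured from a real router): every ATE value empty.
SAMPLE_WIPED="Get_DateCode=
Get_HwBom=
Get_HwId=
Get_HwVersion=
Get_PINCode=
Get_ModelName=
Get_SerialNumber=
Get_TerritoryCode="

# Full check, only when invoked as: sh check_router.sh run [baseline_file]
if [ "${1:-}" = "run" ]; then
    echo "factory config: $(collect_ate_values | classify_ate_values)"
    if load_is_high "${LOAD_THRESHOLD:-2.0}" < /proc/loadavg; then
        echo "load: high ($(cut -d' ' -f1 /proc/loadavg))"
    else
        echo "load: normal"
    fi
    if [ -n "${2:-}" ] && [ -r "$2" ]; then
        echo "processes not in baseline:"
        unexpected_processes "$(cat "$2")" "$(current_processes)"
    fi
fi
```

The Get_SerialNumber exception follows the post's remark that some models have no serial number; any other empty value is reported as partial so it gets a look rather than being declared wiped. The process comparison only tells you what differs from your own baseline, so capture that baseline from the same model and firmware while the router is known to be clean.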
 
Asus posted a new product security notice for AiCloud on Jan 2nd 2025. See post in the ASUSWRT Official subforum:
 
Hi everyone, I fear my RT-AX82U has also been compromised since yesterday -- noticed some connection and speed drops, and when trying to reach the router via the asus app it said it was locked because the number of wrong user/pass attempts had exceeded 10. I did/do have an active AiCloud service on the router so I'm guessing this has been the point of entry.

I fear resetting it, but are there other/better ways to get to the router's settings again apart from learning SSH commands? I have an old config file that I could send to one of the experts here if I do end up with a brick, but before that happens I would really like to try all options. Would accessing rescue mode and flashing the latest 3.0.0.4.388_25017 with the Firmware Restoration tool be a good starting point?

Many thanks in advance.
 
Factory reset can cause total loss of wifi, amongst other things. I think your best bet would be to just try upgrading the firmware manually to the 9th December release which resolves these issues. Factory reset after upgrade.
 
Hi Ripshod, many thanks; I would indeed like to do that but I am locked out of the router, I have no access to the GUI via the app or web interface. I have also tried creating an SSH connection but it was refused. Have been trying to figure out if I can manually flash via the USB port on the router but to no avail as of yet.
 
Sorry, not paying attention again. You might have no choice but to bite the bullet and factory reset, but wait to see what others say. There have been reports of the firmware upgrade fixing everything, including the wifi, but I think we should really wait for someone to pop along and confirm that.
Do you have a spare?
 
By leaving it running, you are continuing to support whatever nefarious activity is going on.
If you don't control it and have limited bandwidth, reset it. Worst case, turn it off.
You will either be able to recover it, or you won't. Waiting isn't the solution.
 
