News Trend Micro: Cyclops Blink Sets Sights on Asus Routers

[RMerlin]

So having said the above, am I OK OR should I do a nuclear reset and manual re-config? If I should reset, would I be ok with restoring from a backup after a nuclear reset?

Do you have reason to believe your router might be compromised? If yes, then reflashing the firmware is advised on top of doing a factory default reset, without restoring from a settings backup unless you are positive this backup was made while your router was clean, and not from a too old firmware version.

Note that if you never exposed any of the router services to the Internet, then the chances of your router being compromised are very low (could still have happened through a cross site vulnerability, for instance).

At the moment, the only publicly available information is what was published in the Trend Micro write up and Asus's security bulletin. Also note that Trend Micro analyzed one specific variant. Their write up hints at the possibility of other variants existing (potentially targeting other devices than Watchguard Firebox or Asus. routers).

Couldn't the file which does the actual writing be "renamed"?

The malware does not reflash the whole firmware in this case. They directly write into the MTD flash device.

 

[RMerlin]

There are ZERO processes on the router to deal with this threat

That's not entirely accurate. I'll just leave it at that.

 

[Yota]

That's not entirely accurate. I'll just leave it at that.

No, no, no, I do really want to know what protection there is that I don't know about.

 

[capncybo]

Do you have reason to believe your router might be compromised? If yes, then reflashing the firmware is advised on top of doing a factory default reset, without restoring from a settings backup unless you are positive this backup was made while your router was clean, and not from a too old firmware version.

Note that if you never exposed any of the router services to the Internet, then the chances of your router being compromised are very low (could still have happened through a cross site vulnerability, for instance).

At the moment, the only publicly available information is what was published in the Trend Micro write up and Asus's security bulletin. Also note that Trend Micro analyzed one specific variant. Their write up hints at the possibility of other variants existing (potentially targeting other devices than Watchguard Firebox or Asus. routers).


The malware does not reflash the whole firmware in this case. They directly write into the MTD flash device.

Thanks for asking Eric,
Actually the routers I maintain all seem okay (so far)?
But (in being honest) all that I've done was look for the ktest process via...

ps |grep ktest

which scared the hell out of me at first by returning...
4014 toddler 5512 D grep ktest

But then I figured out it was just displaying the ps of the grep search... LOL
It's hard to be smart, all of the time ;-)

 

[garzjoe]

386.3_2 is based off 3.0.0.4.386_42095. A fair number of security issues have been resolved since that release, you should upgrade to 386.5.

Thanks for the prompt reply and info!

Thank you I've upgraded to 386.5, I actually just did it twice. I know that some routers have a backup partition for booting was hoping if I did the upgrade twice it might hit the other side but my understanding on how that works might be way off.

I also checked for the ktest process running and nothing returned other than what I grepped for:


garzjoe@RT-AC68U-AF70:/jffs# ps |grep -i ktest
3988 garzjoe 1464 S grep -i ktest

Fingers crossed I'm good, going to exit router and disable ssh access again.

 

[willyburz]

Sorry, don't want to repeat...but does anyone have clarity on these questions?

I'm still confused.

1. Is it ALL Asus routers, or just the Asus AC routers they have listed? For example, what about Asus AX devices?
2. If you have the latest firmware already installed, it states "please disregard?" HUH?
3. How is it delivered? Direct attack on the router, or through compromised Windows devices?
4. If you have the Asus security settings and all 15 are Green checked "I think this is the same across all Asus routers somewhere in the AI protected check list area", I take it the ports and remote acces is denied already?

 

[Yota]

ps |grep ktest

which scared the hell out of me at first by returning...

3988 garzjoe 1464 S grep -i ktest

maybe try this

ps | grep ktest | grep -v grep

Sorry, don't want to repeat...but does anyone have clarity on these questions?

I'm still confused.

1. Is it ALL Asus routers, or just the Asus AC routers they have listed? For example, what about Asus AX devices?
2. If you have the latest firmware already installed, it states "please disregard?" HUH?
3. How is it delivered? Direct attack on the router, or through compromised Windows devices?
4. If you have the Asus security settings and all 15 are Green checked "I think this is the same across all Asus routers somewhere in the AI protected check list area", I take it the ports and remote acces is denied already?

For the 4th question, I recommend anyone interested this to install Entware's lsof and run the command below to check which programs opened the router's ports.

lsof -i | grep LISTEN

 

[ColinTaylor]

For the 4th question, I recommend anyone interested this to install Entware's lsof and run the command below to check which programs opened the router's ports.

lsof -i | grep LISTEN

The same information can be obtained (in Merlin's firmware, I don't know about stock) without the need to install Entware by using the router's built-in netstat command:

netstat -nlp

N.B. Adding "| grep LISTEN" will mean that you won't see services listening on UDP ports.

 

[garzjoe]

maybe try this

ps | grep ktest | grep -v grep

I understand how to exclude using the -v option (invert match) using grep. I was just stating that the only thing returned was what I searched for (expected behavior based on the exact command used).

 

[Yota]

The same information can be obtained (in Merlin's firmware, I don't know about stock) without the need to install Entware by using the router's built-in netstat command:

netstat -nlp

N.B. Adding "| grep LISTEN" will mean that you won't see services listening on UDP ports.

Looks like busybox is a real swiss army knife, thanks for telling me this, I really didn't know there was such a good tool out there.

 

[capncybo]

The same information can be obtained (in Merlin's firmware, I don't know about stock) without the need to install Entware by using the router's built-in netstat command:

netstat -nlp

N.B. Adding "| grep LISTEN" will mean that you won't see services listening on UDP ports.

While you all were posting... I was actually just using both methods myself, LOL.
For those who just trust us nerds maybe use:

netstat -tulpn |grep ":636\|:989\|:990\|:994\|:995\|:3269\|:8443"

If just looking for the process...
netstat -tulpn |grep "ktest\|KTEST"

 

[ColinTaylor]

While you all were posting... I was actually just using both methods myself, LOL.
For those who just trust us nerds maybe use:

netstat -tulpn |grep ":636\|:989\|:990\|:994\|:995\|:3269\|:8443"

Well that's going to panic the uninitiated as port 8443 is the default HTTPS web server port. Which I guess is why the hackers were using it.

 

[garzjoe]

The same information can be obtained (in Merlin's firmware, I don't know about stock) without the need to install Entware by using the router's built-in netstat command:

netstat -nlp

N.B. Adding "| grep LISTEN" will mean that you won't see services listening on UDP ports.

Great info thank you! I read Trend Micros Appendix document and I pulled all
"known" ports. Then I double checked my router myself.

 for i in 636 989 990 992 994 995 3269 8443; do netstat -nlp | less | grep $i; done

 

[garzjoe]

Well that's going to panic the uninitiated as port 8443 is the default HTTPS web server port. Which I guess is why the hackers were using it.

Pretty sure port 443 is default for standard https traffic, I think Tomcat uses port 8443 for some cases though.

 

[capncybo]

Well that's going to panic the uninitiated as port 8443 is the default HTTPS web server port. Which I guess is why the hackers were using it.

LOL -sorry Colin my intention was to include an AND operator for "ktest" but I got over excited to post & in the meantime...
I think @garzoe likely posted a better way to check.
Programmer I definitely am not, nor ever will be.

 

[Waverly934]

Reading about these Cyclops attacks against ASUS routers.

Russian Cyclops Blink botnet launches assault against Asus routers

The only option available might be a return to factory settings for infected routers.

www.zdnet.com

ASUS Product Security Advisory | ASUS Global

www.asus.com

With the close relationship between the official/Merlin firmware, what is needed to mitigate this attack?
First, is Merlin verno "386.4" based from Official ASUS verno "3.0.0.4.386"?
Does Merlin 386.5 prevent the weakness to this exploit?

Thanks

 

[SwampKracker]

A quick read of the Asus advisory implies having Remote Management enabled is how the exploit can occur. The average user is not going into Advanced settings to enable Remote Management, I hope.

If you never enable Remote Management, the version of Asus firmware does not matter. This exploit cannot happen.

 

[ColinTaylor]

Pretty sure port 443 is default for standard https traffic, I think Tomcat uses port 8443 for some cases though.

Asus uses 8443. We're talking about services running on the router, not HTTPS in general.

 

[garzjoe]

Asus uses 8443. We're talking about services running on the router, not HTTPS in general.

My bad, did not know Asus used that port. Also once again thanks for the command earlier. I know netstat I just didn't know or even think to check for netstat being installed before you mentioned it.

Anyway I also saw in the article that the malware adds an entry to the local Firewall rules. It mentioned it deletes and then adds the entries but I don't believe it mentioned that it cleans up after itself and deletes the entries after it's done. Assuming the entry would still be in iptables I did a quick check:

 iptables -L

I did not see any entries for the specific known ports on my router. I've yet to try the script they suggested but I might try that next.

 

[maxbraketorque]

A quick read of the Asus advisory implies having Remote Management enabled is how the exploit can occur. The average user is not going into Advanced settings to enable Remote Management, I hope.

If you never enable Remote Management, the version of Asus firmware does not matter. This exploit cannot happen.

The Trend Micro article does not specifically say that the attack vector is via the remote management. My impression is that no one knows the attack vector and that it may be as simple as Cyclops Blink attempting to exploit weak passwords perhaps long with the remote login routine. I find it a bit unnerving that the attack vector is not specifically identified, so hopefully it is typical poor security practices by the device owner.

What's peripherally interesting is TM's statement that a device cannot be disinfected.