I think this has been the most useful post in the thread so far, showing initiative. I've even reinstalled Skynet just to make sure it worked!
News Trend Micro: Cyclops Blink Sets Sights on Asus Routers
- Thread starter XIII
- Start date
PRSXFENG
Occasional Visitor
Haha, just as I got another reply
Dear Sender,
Sorry we forgot to mention that RT-AX53U is not in the affected list, you can feel secure to use your router.
Thank you.
Best regards,
ASUS Security | ©ASUSTeK Computer Inc.
ColinTaylor
Part of the Furniture
As this list of IP addresses comes from the Trend Micro document I think it's safe to assume that enabling AiProtection would have the same effect (and potentially be more up to date). I also suspect that Asus have employed "other protections" in the firmware that are active even without AiProtection being enabled.
Additionally I think it's clear from the Asus advisory that this vulnerability is not present in any of the 386 releases. The malware has been around since June 2019 so it predates the 386 firmware. So the only issue would be an infection that was picked up prior to 386. For that it's a case of looking for the presence of the "[ktest]" process and unexpected changes to the firewall's OUTPUT chain.
Of course as this malware is modular it could be changed at any time rendering the previous checks ineffective. Thus the general advice to not open ports on your router to the internet and keep your firmware up to date.
Just my 2 cents.
Last edited:
I'm more cynical and take their first sentence as a signal that they are still vulnerable:
Slartibartfast
Occasional Visitor
Interesting. I have an RT-AC66U in a drawer I was thinking of using for my second premises, but I was hesitating due to it being EOL and not getting firmware fixes. If I read your comment correctly though, this router is not at risk from Cyclops-Blink because it is MIPS-based. Is that right?
ColinTaylor
Part of the Furniture
Even if your router isn't vulnerable to this particular malware that's not say it isn't vulnerable to another. There was this report from only last year where an infected Asus device was attempting run MIPS malware. So at the end of the day, don't use EOL firmware on your network gateway.
Tech9
Part of the Furniture
This is what most Internet users have with ISP provided gateways, unfortunately.
Never Ready Eddie
New Around Here
So, I'm fairly techy but Windows based so I struggle to understand anything Linux or command line stuff on how to talk to the router and check if its infected. I've seen several commands shared in this thread but don't know which one to use or more importantly, how to use them. Would someone step me though how to do this in Windows 10 please? I just access the router via its web interface and adjust settings there, nothing command line. What software do I need installed (is enabling the built in Windows Telnet app sufficient?) and is it just copying in the correct command? Then what result am I looking for? Any help is appreciated.
ColinTaylor
Part of the Furniture
Log into the router's GUI and enable SSH access. Administration > System > Enable SSH = LAN only
Then, from the Windows 10 command prompt log into the router and check to see if a
[ktest] process is running or there are unexpected entries in the firewall's OUTPUT chain:
Rich (BB code):
Microsoft Windows [Version 10.0.19043.1586]
(c) Microsoft Corporation. All rights reserved.
C:\Users\Colin>ssh admin@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ECDSA key fingerprint is SHA256:Lr6Xdv+irmUm8iIWn1skvJ2s4G/vysdMLCHy0D1eKC0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (ECDSA) to the list of known hosts.
admin@192.168.1.1's password:
ASUSWRT-Merlin RT-AX86U 386.5_0 Wed Mar 2 16:35:59 UTC 2022
admin@RT-AX86U:/tmp/home/root# ps w | grep "ktest" | grep -v grep
admin@RT-AX86U:/tmp/home/root# iptables -vnL OUTPUT | grep -Ev "OUTPUT_DNS|OUTPUT_IP"
Chain OUTPUT (policy ACCEPT 63684 packets, 85M bytes)
pkts bytes target prot opt in out source destination
admin@RT-AX86U:/tmp/home/root#Change
admin@192.168.1.1 in the example above to match your router's login name and IP address. Ideally you want the output of the ps and iptables commands to not show any results (like in the example).
Diamond67
Senior Member
As ColinTaylor said. No more Telnet these days, but SSH.
When you type your password to SSH, it won't show it. Seems like nothing happens, but it happens. Just type your pw without typos.
Now you can start typoing commands, or paste copied commands (right-clicking with mouse) or take advantage of using some commands you have typed earlier during this session by using Up Arrow of your keyboard.
If you end up to a situation where nothing happens and there seems to be no way to do anything, you can exit with Ctrl + C and you are back to root#
There you can close the connection by typing exit and one more exit to close the window.
Never Ready Eddie
New Around Here
Thanks guys. So after following the above instructions I got the same looking output as yours:
So this confirms I'm clean?
Rich (BB code):
ASUSWRT-Merlin RT-AC68U 386.5_0 Wed Mar 2 16:35:59 UTC 2022
XXXXXX@RT-AC68U-8920:/tmp/home/root# ps w | grep "ktest" | grep -v grep
XXXXXX@RT-AC68U-8920:/tmp/home/root# iptables -vnL OUTPUT | grep -Ev "OUTPUT_DNS|OUTPUT_IP"
Chain OUTPUT (policy ACCEPT 519 packets, 159K bytes)
pkts bytes target prot opt in out source destination
XXXXXX@RT-AC68U-8920:/tmp/home/root#So this confirms I'm clean?
ColinTaylor
Part of the Furniture
As far as we can tell from the limited information that's been publicly disclosed.
Never Ready Eddie
New Around Here
Thanks for the help. Much appreciated!
I'll keep an eye on the thread in case anything changes or we get new information.
Please...Cyberghost77
Occasional Visitor
Got an email from Asus advising me with to follow to protect against the latest Cyclops Blink (my router is in the list), was just wondering if anyone can confirm whether the latest Merlin official firmware dated 3rd of march for RT-AX86U addresses this issue or not and whether i need go and grab the official Asus firmware instead as they detailed in thier advisory email.
So just looking for a quick confirmation please?
Thank you in advance!
So just looking for a quick confirmation please?
Thank you in advance!
Cyberghost77
Occasional Visitor
Yeah this is the list of routers that I got from ASUS Urgent Advisory email and mine is in the list (86u)
Affected products
GT-AC5300 firmware under 3.0.0.4.386.xxxx
GT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC5300 firmware under 3.0.0.4.386.xxxx
RT-AC88U firmware under 3.0.0.4.386.xxxx
RT-AC3100 firmware under 3.0.0.4.386.xxxx
RT-AC86U firmware under 3.0.0.4.386.xxxx
RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
RT-AC3200 firmware under 3.0.0.4.386.xxxx
RT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
RT-AC87U (EOL)
RT-AC66U (EOL)
RT-AC56U (EOL)
Affected products
GT-AC5300 firmware under 3.0.0.4.386.xxxx
GT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC5300 firmware under 3.0.0.4.386.xxxx
RT-AC88U firmware under 3.0.0.4.386.xxxx
RT-AC3100 firmware under 3.0.0.4.386.xxxx
RT-AC86U firmware under 3.0.0.4.386.xxxx
RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
RT-AC3200 firmware under 3.0.0.4.386.xxxx
RT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
RT-AC87U (EOL)
RT-AC66U (EOL)
RT-AC56U (EOL)
Tech9
Part of the Furniture
Are you sure?
TexasFlood
Regular Contributor
I don't see the RT-AX86U on that list.
Cyberghost77
Occasional Visitor
ah yeah my bad, well spotted and thank you! It has been a long day. Thanks again!
Similar threads
| Thread starter | Title | Forum | Replies | Date |
|---|---|---|---|---|
|
Trend Micro exploring sale | General Network Security | 2 |