What's new

News Trend Micro: Cyclops Blink Sets Sights on Asus Routers

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I have made a list of the ips to add to Skynet, I'm guessing if Skynet starts blocking such outbound ips then its safe to assume that the router is compromised , but as you said this most likelly keeps changing/adding new ips.
https://github.com/fariajose/skynet/blob/main/Cyclops-Blink-CC-servers.txt

Code:
firewall banmalware https://raw.githubusercontent.com/fariajose/skynet/main/Cyclops-Blink-CC-servers.txt
or
Code:
firewall import blacklist https://raw.githubusercontent.com/fariajose/skynet/main/Cyclops-Blink-CC-servers.txt "Cyclops"
I think this has been the most useful post in the thread so far, showing initiative. I've even reinstalled Skynet just to make sure it worked!
 
It means you've got standard copy & paste reply without much thinking or checking facts.
Haha, just as I got another reply


Dear Sender,



Sorry we forgot to mention that RT-AX53U is not in the affected list, you can feel secure to use your router.



Thank you.





Best regards,

ASUS Security | ©ASUSTeK Computer Inc.
 
I think this has been the most useful post in the thread so far, showing initiative. I've even reinstalled Skynet just to make sure it worked!
As this list of IP addresses comes from the Trend Micro document I think it's safe to assume that enabling AiProtection would have the same effect (and potentially be more up to date). I also suspect that Asus have employed "other protections" in the firmware that are active even without AiProtection being enabled.

Additionally I think it's clear from the Asus advisory that this vulnerability is not present in any of the 386 releases. The malware has been around since June 2019 so it predates the 386 firmware. So the only issue would be an infection that was picked up prior to 386. For that it's a case of looking for the presence of the "[ktest]" process and unexpected changes to the firewall's OUTPUT chain.

Of course as this malware is modular it could be changed at any time rendering the previous checks ineffective. Thus the general advice to not open ports on your router to the internet and keep your firmware up to date.

Just my 2 cents.
 
Last edited:
Additionally I think it's clear from the Asus advisory that this vulnerability is not present in any of the 386 releases. The malware has been around since June 2019 so it predates the 386 firmware.
I'm more cynical and take their first sentence as a signal that they are still vulnerable:
ASUS is investigating and working for a remediation for Cyclops Blink and will continue to post software update.
 
I believe a more critical common factor is that they are all ARM-based. The worm was probably not compiled to run on MIPS, which would expect the lack of Mediatek devices on the list.
Interesting. I have an RT-AC66U in a drawer I was thinking of using for my second premises, but I was hesitating due to it being EOL and not getting firmware fixes. If I read your comment correctly though, this router is not at risk from Cyclops-Blink because it is MIPS-based. Is that right?
 
Interesting. I have an RT-AC66U in a drawer I was thinking of using for my second premises, but I was hesitating due to it being EOL and not getting firmware fixes. If I read your comment correctly though, this router is not at risk from Cyclops-Blink because it is MIPS-based. Is that right?
Even if your router isn't vulnerable to this particular malware that's not say it isn't vulnerable to another. There was this report from only last year where an infected Asus device was attempting run MIPS malware. So at the end of the day, don't use EOL firmware on your network gateway.
 
So, I'm fairly techy but Windows based so I struggle to understand anything Linux or command line stuff on how to talk to the router and check if its infected. I've seen several commands shared in this thread but don't know which one to use or more importantly, how to use them. Would someone step me though how to do this in Windows 10 please? I just access the router via its web interface and adjust settings there, nothing command line. What software do I need installed (is enabling the built in Windows Telnet app sufficient?) and is it just copying in the correct command? Then what result am I looking for? Any help is appreciated.
 
So, I'm fairly techy but Windows based so I struggle to understand anything Linux or command line stuff on how to talk to the router and check if its infected. I've seen several commands shared in this thread but don't know which one to use or more importantly, how to use them. Would someone step me though how to do this in Windows 10 please? I just access the router via its web interface and adjust settings there, nothing command line. What software do I need installed (is enabling the built in Windows Telnet app sufficient?) and is it just copying in the correct command? Then what result am I looking for? Any help is appreciated.
Log into the router's GUI and enable SSH access. Administration > System > Enable SSH = LAN only

Then, from the Windows 10 command prompt log into the router and check to see if a [ktest] process is running or there are unexpected entries in the firewall's OUTPUT chain:
Rich (BB code):
Microsoft Windows [Version 10.0.19043.1586]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Colin>ssh admin@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ECDSA key fingerprint is SHA256:Lr6Xdv+irmUm8iIWn1skvJ2s4G/vysdMLCHy0D1eKC0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (ECDSA) to the list of known hosts.
admin@192.168.1.1's password:


ASUSWRT-Merlin RT-AX86U 386.5_0 Wed Mar  2 16:35:59 UTC 2022
admin@RT-AX86U:/tmp/home/root# ps w | grep "ktest" | grep -v grep
admin@RT-AX86U:/tmp/home/root# iptables -vnL OUTPUT | grep -Ev "OUTPUT_DNS|OUTPUT_IP"
Chain OUTPUT (policy ACCEPT 63684 packets, 85M bytes)
pkts bytes target     prot opt in     out     source               destination
admin@RT-AX86U:/tmp/home/root#

Change admin@192.168.1.1 in the example above to match your router's login name and IP address. Ideally you want the output of the ps and iptables commands to not show any results (like in the example).
 
I just access the router via its web interface and adjust settings there, nothing command line. What software do I need installed (is enabling the built in Windows Telnet app sufficient?) and is it just copying in the correct command?

As ColinTaylor said. No more Telnet these days, but SSH.

When you type your password to SSH, it won't show it. Seems like nothing happens, but it happens. Just type your pw without typos.

Now you can start typoing commands, or paste copied commands (right-clicking with mouse) or take advantage of using some commands you have typed earlier during this session by using Up Arrow of your keyboard.

If you end up to a situation where nothing happens and there seems to be no way to do anything, you can exit with Ctrl + C and you are back to root#

There you can close the connection by typing exit and one more exit to close the window.
 
Thanks guys. So after following the above instructions I got the same looking output as yours:

Rich (BB code):
ASUSWRT-Merlin RT-AC68U 386.5_0 Wed Mar  2 16:35:59 UTC 2022
XXXXXX@RT-AC68U-8920:/tmp/home/root# ps w | grep "ktest" | grep -v grep
XXXXXX@RT-AC68U-8920:/tmp/home/root# iptables -vnL OUTPUT | grep -Ev "OUTPUT_DNS|OUTPUT_IP"
Chain OUTPUT (policy ACCEPT 519 packets, 159K bytes)
pkts bytes target     prot opt in     out     source               destination
XXXXXX@RT-AC68U-8920:/tmp/home/root#

So this confirms I'm clean?
 
Got an email from Asus advising me with to follow to protect against the latest Cyclops Blink (my router is in the list), was just wondering if anyone can confirm whether the latest Merlin official firmware dated 3rd of march for RT-AX86U addresses this issue or not and whether i need go and grab the official Asus firmware instead as they detailed in thier advisory email.

So just looking for a quick confirmation please?

Thank you in advance!
 
Your router isn’t in their security bulletin. What was this e-mail you got? Also, the discussion in the linked thread covers everything that is known, which is very little.
 
Yeah this is the list of routers that I got from ASUS Urgent Advisory email and mine is in the list (86u)

Affected products
GT-AC5300 firmware under 3.0.0.4.386.xxxx
GT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC5300 firmware under 3.0.0.4.386.xxxx
RT-AC88U firmware under 3.0.0.4.386.xxxx
RT-AC3100 firmware under 3.0.0.4.386.xxxx
RT-AC86U firmware under 3.0.0.4.386.xxxx
RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
RT-AC3200 firmware under 3.0.0.4.386.xxxx
RT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
RT-AC87U (EOL)
RT-AC66U (EOL)
RT-AC56U (EOL)
 
Yeah this is the list of routers that I got from ASUS Urgent Advisory email and mine is in the list (86u)

Affected products
GT-AC5300 firmware under 3.0.0.4.386.xxxx
GT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC5300 firmware under 3.0.0.4.386.xxxx
RT-AC88U firmware under 3.0.0.4.386.xxxx
RT-AC3100 firmware under 3.0.0.4.386.xxxx
RT-AC86U firmware under 3.0.0.4.386.xxxx
RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
RT-AC3200 firmware under 3.0.0.4.386.xxxx
RT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
RT-AC87U (EOL)
RT-AC66U (EOL)
RT-AC56U (EOL)
I don't see the RT-AX86U on that list.
 
Similar threads
Thread starter Title Forum Replies Date
XIII Trend Micro exploring sale General Network Security 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top