Trend Micro hacked by Fxmsp?

[WuTang LAN]

Is there a way to test if TrendMicro is actually fully disabled (i.e not calling home) once it's been turned off in the WebUI?

 

[Paliv]

I'm still leaving it shut off.

This is probably prudent. However, I’m wondering if it matters since their code is in the firmware. If a malicious actor snuck something in it may not matter if it is enabled or disable. Otherwise it’s still probably going to block malicious domains and such most of the time.

 

[L&LD]

Is there a way to test if TrendMicro is actually fully disabled (i.e not calling home) once it's been turned off in the WebUI?

Diversion and/or Skynet blocking?

 

[Marin]

TrendMicro disabled means no adaptive QoS, correct?

https://www.snbforums.com/threads/w...lect-data-for-adaptive-qos.56658/#post-491731

 

[vlad33x]

I can't find any new info on the topic of the Trend Micro "hack". Have you guys disabled your AI Protection? What's the general advise in case that Skynet & Diversion are used?
Thanks in advance for your opinion!

 

[Paliv]

I can't find any new info on the topic of the Trend Micro "hack". Have you guys disabled your AI Protection? What's the general advise in case that Skynet & Diversion are used?
Thanks in advance for your opinion!

After watching and waiting I reenabled it for a while. Merlin seems unconvinced it’s a serious issue for now. It’s very unclear what’s going on as the evidence has been seen “in the background”. I actually am trying out a non-asus router at the moment so I am not currently using it. I miss a lot about Merlin’s firmware, but I wanted to try it out.

 

[martinr]

But for a link to this topic in the Asus Merlin forum, I wouldn’t have known about this. So for nearly a month I’ve been blissfully ignorant. With that in mind and, after reading the thread, I think I will leave things as they are - all AIProtection modules active - and keep it in mind if anything abnormal happens as well as keeping an eye out for any further news.

 

[Paliv]

Here’s the wrap up from Trend Micro’s investigation. If they really are being transparent then this is good news:

https://www.cbronline.com/news/fxmsp-trend-micro

 

[L&LD]

Here’s the wrap up from Trend Micro’s investigation. If they really are being transparent then this is good news:

https://www.cbronline.com/news/fxmsp-trend-micro

That is good news.

AiProtection is enabled again.

 

[Paliv]

That is good news.

AiProtection is enabled again.

I had already enabled it again on my old 68U. Seems to be not as big of a deal, AdvIntel seemed to sensationalize the situation.

 

[ColinTaylor]

Seems to be not as big of a deal, AdvIntel seemed to sensationalize the situation.

Yeah. I don't think it did their reputation any good. (Did they have a reputation?)

"Some Russian criminals told us they hacked 3 companies and stole massive amounts of data. We believed them and published it."

 

[no_name]

Thanks paliv for posting that article, I’ve enabled AIProtection as well


Sent from my iPad using Tapatalk

 

[dave14305]

I don't know if anyone has done this before, but with all the FUD about Trend Micro collecting data, I want to log any outbound traffic from my router to see what's really happening with data sharing. I've pieced together the following iptables rule to log new outbound connections from the router that aren't DNS or NTP.

iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -m multiport ! --dports 53,123,853 -j logaccept

I expect to see checks to Merlin's fwupdate server and probably Trend Micro for Malicious site blocking (port 80), as well as signature updates. I'm hedging that I don't need a udp rule as well. If anyone has suggestions for improvements, please share. I cobbled this together from looking at existing rules from FreshJR.

Hopefully this will provide evidence in either direction about when the router is sharing data while we aren't looking. Once I have logs of what's going where, I might setup a tcpdump to a file to see what it's sending.

 

[dave14305]

The thing I've learned in the first 2 hours of running this logging is that the dcd process sends an HTTPS request to Trend every 30 minutes on the quarter hour. I captured it with tcpdump, but of course it's encrypted.

Proto Recv-Q Send-Q Local Address        Foreign Address         State       PID/Program name
tcp        0     57 <WAN-IP>:37483       150.70.183.141:443      ESTABLISHED 1082/dcd

Jun 28 09:45:26 kernel: ACCEPT IN= OUT=eth0 SRC=<WAN-IP> DST=150.70.183.140 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47414 DF PROTO=TCP SPT=35552 DPT=443
Jun 28 09:45:39 kernel: ACCEPT IN= OUT=eth0 SRC=<WAN-IP> DST=150.70.183.140 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1104 DF PROTO=TCP SPT=35553 DPT=443
Jun 28 09:45:44 kernel: ACCEPT IN= OUT=eth0 SRC=<WAN-IP> DST=150.70.183.141 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7373 DF PROTO=TCP SPT=33830 DPT=443
Jun 28 10:15:27 kernel: ACCEPT IN= OUT=eth0 SRC=<WAN-IP> DST=150.70.183.140 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65366 DF PROTO=TCP SPT=55233 DPT=443
Jun 28 10:15:28 kernel: ACCEPT IN= OUT=eth0 SRC=<WAN-IP> DST=150.70.183.141 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16438 DF PROTO=TCP SPT=36328 DPT=443
Jun 28 10:45:24 kernel: ACCEPT IN= OUT=eth0 SRC=<WAN-IP> DST=150.70.183.141 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35684 DF PROTO=TCP SPT=37483 DPT=443
Jun 28 10:45:26 kernel: ACCEPT IN= OUT=eth0 SRC=<WAN-IP> DST=150.70.183.140 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64589 DF PROTO=TCP SPT=39128 DPT=443
Jun 28 11:15:27 kernel: ACCEPT IN= OUT=eth0 SRC=<WAN-IP> DST=150.70.183.141 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44642 DF PROTO=TCP SPT=40013 DPT=443

Eventually, I plan to turn off AIProtection and see if the traffic stops with Adaptive QoS still enabled.

 

[dave14305]

With AiProtection disabled, dcd keeps triggering the HTTPS request every 30 minutes, but to be fair, I haven't "been allowed" to reboot the router to see how it behaves when AiProtection is disabled at boot time.

 

[RMerlin]

With AiProtection disabled, dcd keeps triggering the HTTPS request every 30 minutes, but to be fair, I haven't "been allowed" to reboot the router to see how it behaves when AiProtection is disabled at boot time.

Try rejecting the Trend Micro EULA on the Privacy tab.

Keep in mind the Trend Micro engine isn't just used for AiProtection, it's also used for other features such as Adaptive QoS, Web History, Parental Control, etc...

 

[dave14305]

Try rejecting the Trend Micro EULA on the Privacy tab.

Keep in mind the Trend Micro engine isn't just used for AiProtection, it's also used for other features such as Adaptive QoS, Web History, Parental Control, etc...

Sure, that will be my last step. I'm first wondering if the outbound connections only relate to AiProtection or if A.QoS will still require those connections.

I even tried to intercept the URL by blacklisting ntd-asus-2014b-en.fbs20.trendmicro.com in Diversion, setting the router to use dnsmasq, and upping Pixelserv-tls logging to 4 to see the full GET/PUT request, but dcd was smart enough (apparently) to abort when the name didn't resolve correctly. Once I removed the blacklist, it started connecting again.

 

[dave14305]

Try rejecting the Trend Micro EULA on the Privacy tab.

Keep in mind the Trend Micro engine isn't just used for AiProtection, it's also used for other features such as Adaptive QoS, Web History, Parental Control, etc...

Withdrawing consent certainly ends all the outbound traffic since all the relevant processes (wred, dcd) are no longer running.

Then enabling Adaptive QoS only, while AiProtection is still disabled results in all the processes coming back. So whatever dcd is tracking/sending/retrieving happens with any Trend-powered service enabled.

A fun exercise in lieu of my real day job...Sorry boss.