What's new

News A wide range of routers are under attack by new, unusually sophisticated malware

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

All indications are that the current implementation is targeting MIPS little endian devices...

Not to say that can't/won't change...
 
All indications are that the current implementation is targeting MIPS little endian devices...

Not to say that can't/won't change...
Yes thankfully it sound like they are using old/known exploits and nothing new…for now.
 
How can users tell if they have a (vulnerable) MIPS router?
The conclusions that the authors have come to is based on very thin information. They admit this themselves. They only analysed a sample infection from one model of an obscure Chinese router. That router happened to have a MIPS processor. Some of their following statements were assumptions based on observed connections to certain servers. They also contradict themselves by saying that they think they observed infected RT-AC68U routers (based on connections from less than 23 devices), which do not have MIPS processors.


I think the only real way to know if your router is infected is to look at the running processes for anything that shouldn't be there. Given that the Chinese router they analysed was compromised via an old vulnerability it seems less likely that routers with up to date firmware would be susceptible.
 
Monitoring all processes on the router in order to distinguish what should and shouldn't be there is practically impossible for me. Is there any diagnostic script that we could build for this? Like make a list of known "good" processes and compare against it?
 

06/30/2022 Security advisory for ZuoRAT
ZuoRAT is a MIPS file however RT-AC5300, RT-AC68U, RT-AC68P, RT-AC1900P, RT-AC1900 are ARM–based routers. MIPS program cannot run on ARM–based processor.
ASUS strongly recommends that users update the firmware to the latest version which included more security measures to block malware.
To check the latest version, please visit the relevant ASUS support website. Download links are in the below table.
To help owners of these routers take necessary precautions, we compiled a security checklist:
(1) Reset the device to factory default: Login into the web GUI (http://router.asus.com) , go to Administration → Restore/Save/Upload Setting, click the “Initialize all the setting and clear all the data log”, and then click Restore button
(2) Update all devices to the latest firmware.
(3) Ensure default admin password had been changed to a more secure one.
(4) Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).
 
I feel safe with my Cisco RV340 router as I am sure Cisco is on top of this. We just had a firmware update.
 
I feel safe with my Cisco RV340 router as I am sure Cisco is on top of this.
Not much for them to be on top of, since that specific router uses an ARM CPU.
 
I always say Do not trust your router. There is no way to prevent from it. Unknown vulnerabilities are still shared and traded in Black market. They give you dedicated hacking tools if you pay for the money. Updating firmware? It doesn't help you at all. Aiprotection is useless too.
 
Updating firmware? It doesn't help you at all.
That it incorrect, and people should definitely keep their firmware up to date. Security issues are constantly fixed by firmware upgrades. There is a huge difference between having a router with 10 security holes that are 5+ years old and therefore exploited by every single script kiddy in the wild, and a router that only is affected by one or two recent 0-days exploits that are only used by more "professional" or state-backed hackers with the means to gain access to such zero days exploits, and will typically reserve them for specific targets that are worth risking compromising their precious exploits.

It's like saying people should just stick to Windows XP because "Windows 11 still has security issues anyway, so upgrading does not help at all".
 
I've decided to watch this thread for any updates on the situation. However, it seems for now newer routers with up to date firmware that Aren't MIPS aren't at risk, or high risk.
I got wind of this Trojan through the "Security Now" podcast with Steve Gibson.
 
What's the best way to protect against this?

Is this totally MIPS only and does not infect windows? Im running pfSense and I am 100% ive been hit with something sophisticated!

I think its at ISP level
 
What's the best way to protect against this?

Is this totally MIPS only and does not infect windows? Im running pfSense and I am 100% ive been hit with something sophisticated!

I think its at ISP level
It seems unlikely that it would effect pfSense. But you could ask in the pfSense forums. Running a normal anti-virus scan on your Windows PC should identify if it is infected.
 
As a sidenote, I read somewhere here on the forum that most router malware gets stored and runs in memory. A simple router-reboot removes the malware completely.

So, enable and set your weekly reboot-schedule fellas :) It can’t hurt.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top