How to remove all malware?

Jerry12

Regular Contributor
As far as we know, the VPNFilter malware doesn't currently put ASUS routers at risk, but the FBI believes it was created by a Russian state-sponsored cyber espionage group, so we can assume attackers are gunning for all SOHO routers.


Q1. How could you remove all malware from a router? I.e. how to fully reset RAM and persistent storage?

Stage 1 adds a worm to the crontab, which survives a reboot. So at a minimum one needs to reset the crontab. A better bet is to reset all code and state in RAM and flash memory. (Is NVRAM a part of flash memory?)

According to ASUS FAQ 1035717 of 2018/05/28, recent firmware has these two options:
  • Restore: Erases the Log / NVRAM
  • Initialize: Erases the Log / NVRAM / Database
Neither of these resets the firmware, so they aren't true "factory reset" operations.

By "Database" does ASUS mean the DHCP configuration and leases?

So would it suffice to Initialize, then re-flash the latest firmware, then reboot?

Can you trust the router's firmware-upgrade procedure to not reinfect the uploaded firmware?


Q2. How can you detect malware in the router?

Checksum the firmware?


Q3. If the attackers exploit unpatched vulnerabilities, what can you do to prevent reinfection?

If standard practices like setting a strong administration password and disabling remote administration aren't sufficient, is there anything you can do other than buy a different model router?
 
The answer to most of your questions is "we don't know". So far I've not seen a single reported case of the malware infecting Asus routers. Until that happens and we get a chance to see it in action it's impossible to know how it works (and whether it's effective or not) and therefore how to detect or block it.

There is plenty of other malware that is known to affect Asus routers and I'm sure there will be more in the future. So as always, try to keep up to date with the latest firmware and don't expose any unnecessary router ports to the internet.

Q1 I believe Initialise also includes the Traffic Analyser history database. So either option should wipe out any malware, including cron entries.
 
> Neither of these resets the firmware, so they aren't true "factory reset" operations.

The only thing Initialize won't remove is the rest of the JFFS partition - it only removes the portion containing Asus's database used by Traffic Analyzer, the Notification Center, etc...

Doing an "rm -rf /jffs/*" over SSH will wipe the whole JFFS partition.

> Stage 1 adds a worm to the crontab, which survives a reboot. So at a minimum one needs to reset the crontab. A better bet is to reset all code and state in RAM and flash memory. (Is NVRAM a part of flash memory?)

Asuswrt does not have any persistent crontab file, therefore there's nothing to reset there.

NVRAM is wiped whenever you do a factory default reset, regardless of the method used (webui initialize/restore, reset button at runtime, wps button at boot time, etc...)
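Two checks that fit the discussion so far, written here as an added example and not code from the thread, Asus or Asuswrt-Merlin: the first is one practical answer to Q2's "Checksum the firmware?" (verify the image you downloaded against the hash the vendor publishes, before you upload it through the upgrade page); the second follows up the "rm -rf /jffs/*" advice by listing whatever is still sitting in the persistent partition after the wipe and reboot. The /jffs mount point, the sha256sum and mktemp tools, and the scratch files at the bottom are assumptions or constructed demo input; on a real router you would point the functions at the real image and the real /jffs.

```shell
#!/bin/sh
# Added example (not from the thread): defender-side checks around a router
# clean-up. Assumes a Linux/BusyBox shell with sha256sum, cut, basename and
# mktemp; the /jffs path is an assumption about the device.

# 1. Verify a downloaded firmware image against the vendor-published hash
#    before feeding it to the router's upgrade page. This checks the file on
#    your PC; it says nothing about what is currently in the router's flash.
#    Usage: verify_image_sha256 <image-file> <expected-sha256-hex>
verify_image_sha256() {
    image="$1"
    expected="$2"
    [ -f "$image" ] || { echo "no such file: $image" >&2; return 2; }
    actual=$(sha256sum "$image" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK   $image matches expected SHA-256"
        return 0
    fi
    echo "FAIL $image: expected $expected, got $actual" >&2
    return 1
}

# 2. After "rm -rf /jffs/*" (or Initialize) and a reboot, confirm the
#    persistent partition holds only the entries you expect to be recreated.
#    Anything else deserves a look before you trust the device again.
#    Usage: jffs_leftovers <mount-point> [allowed-name ...]
#    Prints each unexpected entry; returns 0 if none were found, 1 otherwise.
jffs_leftovers() {
    dir="$1"; shift
    found=0
    # Both globs so dotfiles are not skipped; non-matching globs stay literal
    # and are filtered out by the -e test.
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        allowed=0
        for a in "$@"; do
            [ "$name" = "$a" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            echo "unexpected: $entry"
            found=1
        fi
    done
    return "$found"
}

# Constructed demo input: a scratch directory standing in for /jffs and a
# dummy "image" whose hash we compute on the spot. On a real device the
# expected hash comes from the vendor's download page, not from the file.
demo=$(mktemp -d)
printf 'not-a-real-firmware-image\n' > "$demo/RT-TEST.trx"
mkdir "$demo/jffs" "$demo/jffs/configs"
echo '# constructed leftover file' > "$demo/jffs/leftover.sh"

verify_image_sha256 "$demo/RT-TEST.trx" "$(sha256sum "$demo/RT-TEST.trx" | cut -d' ' -f1)"
jffs_leftovers "$demo/jffs" configs || echo "JFFS is not clean; inspect before reuse"
rm -rf "$demo"
```

Run on the router over SSH, `jffs_leftovers /jffs <names the firmware itself recreates>` gives a quick list of anything the wipe missed; the image check runs on whichever machine you downloaded the firmware to.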
 
Per Ars Technica, Talos found that VPNFilter targets some ASUSWRT devices, and a newly discovered module can inject malicious payloads into traffic as it passes through an infected router. (But yes, the issue is defending against and cleaning any malware.)

> Williams [from Cisco Talos] said he has seen no evidence VPNFilter has infected devices running Tomato, Merlin WRT, and DD-WRT firmware, but that he can't rule out that possibility.

Does Asuswrt-Merlin close additional security holes or change things in a way that would require additional work for attackers?
 
