News Trend Micro: Cyclops Blink Sets Sights on Asus Routers

So having said the above, am I OK, or should I do a nuclear reset and manual re-config? If I should reset, would I be OK with restoring from a backup after a nuclear reset?
Do you have reason to believe your router might be compromised? If yes, then reflashing the firmware is advised on top of doing a factory default reset, without restoring from a settings backup unless you are positive this backup was made while your router was clean, and not from a too old firmware version.

Note that if you never exposed any of the router services to the Internet, then the chances of your router being compromised are very low (could still have happened through a cross site vulnerability, for instance).

At the moment, the only publicly available information is what was published in the Trend Micro write-up and Asus's security bulletin. Also note that Trend Micro analyzed one specific variant. Their write-up hints at the possibility of other variants existing (potentially targeting other devices than WatchGuard Firebox or Asus routers).

Couldn't the file which does the actual writing be "renamed"?
The malware does not reflash the whole firmware in this case. They directly write into the MTD flash device.
 
Thanks for asking Eric,
Actually the routers I maintain all seem okay (so far)?
But (in being honest) all that I've done was look for the ktest process via...

ps |grep ktest

which scared the hell out of me at first by returning...
4014 toddler 5512 D grep ktest

But then I figured out it was just displaying the ps of the grep search... LOL
It's hard to be smart, all of the time ;-)
 
386.3_2 is based off 3.0.0.4.386_42095. A fair number of security issues have been resolved since that release; you should upgrade to 386.5.
Thanks for the prompt reply and info!

Thank you, I've upgraded to 386.5; I actually just did it twice. I know that some routers have a backup partition for booting, so I was hoping that if I did the upgrade twice it might hit the other side, but my understanding of how that works might be way off.

I also checked for the ktest process running and nothing returned other than what I grepped for:


garzjoe@RT-AC68U-AF70:/jffs# ps |grep -i ktest
3988 garzjoe 1464 S grep -i ktest

Fingers crossed I'm good, going to exit router and disable ssh access again.
 
Sorry, don't want to repeat...but does anyone have clarity on these questions?

I'm still confused.

1. Is it ALL Asus routers, or just the Asus AC routers they have listed? For example, what about Asus AX devices?
2. If you have the latest firmware already installed, it states "please disregard?" HUH?
3. How is it delivered? Direct attack on the router, or through compromised Windows devices?
4. If you have the Asus security settings and all 15 are Green checked "I think this is the same across all Asus routers somewhere in the AI protected check list area", I take it the ports and remote access is denied already?
 
ps |grep ktest

which scared the hell out of me at first by returning...
3988 garzjoe 1464 S grep -i ktest
maybe try this :rolleyes:
Code:
ps | grep ktest | grep -v grep


For the 4th question, I recommend anyone interested in this to install Entware's lsof and run the command below to check which programs opened the router's ports.

Code:
lsof -i | grep LISTEN
 
The same information can be obtained (in Merlin's firmware, I don't know about stock) without the need to install Entware by using the router's built-in netstat command:
Code:
netstat -nlp
N.B. Adding "| grep LISTEN" will mean that you won't see services listening on UDP ports.
 
I understand how to exclude using the -v option (invert match) using grep. I was just stating that the only thing returned was what I searched for (expected behavior based on the exact command used).
 
Looks like busybox is a real swiss army knife, thanks for telling me this, I really didn't know there was such a good tool out there.
 
While you all were posting... I was actually just using both methods myself, LOL.
For those who just trust us nerds maybe use:

netstat -tulpn |grep ":636\|:989\|:990\|:994\|:995\|:3269\|:8443"

If just looking for the process...
netstat -tulpn |grep "ktest\|KTEST"
 
Well that's going to panic the uninitiated as port 8443 is the default HTTPS web server port. :D Which I guess is why the hackers were using it.
 
Great info, thank you! I read Trend Micro's appendix document and pulled all "known" ports. Then I double-checked my router myself.

Code:
# one netstat call per known port; matching ":PORT " (colon and trailing space) avoids hits on PIDs or longer port numbers that merely contain the digits
for i in 636 989 990 992 994 995 3269 8443; do netstat -nlp | grep ":$i "; done
 
Pretty sure port 443 is default for standard https traffic, I think Tomcat uses port 8443 for some cases though.
 
LOL, sorry Colin, my intention was to include an AND operator for "ktest" but I got over-excited to post and in the meantime...
I think @garzoe likely posted a better way to check.
Programmer I definitely am not, nor ever will be.
 
Reading about these Cyclops attacks against ASUS routers.

With the close relationship between the official/Merlin firmware, what is needed to mitigate this attack?
First, is Merlin verno "386.4" based from Official ASUS verno "3.0.0.4.386"?
Does Merlin 386.5 prevent the weakness to this exploit?

Thanks
 
A quick read of the Asus advisory implies having Remote Management enabled is how the exploit can occur. The average user is not going into Advanced settings to enable Remote Management, I hope.

If you never enable Remote Management, the version of Asus firmware does not matter. This exploit cannot happen.
 
Asus uses 8443. We're talking about services running on the router, not HTTPS in general.
My bad, did not know Asus used that port. Also once again thanks for the command earlier. I know netstat I just didn't know or even think to check for netstat being installed before you mentioned it.

Anyway I also saw in the article that the malware adds an entry to the local Firewall rules. It mentioned it deletes and then adds the entries but I don't believe it mentioned that it cleans up after itself and deletes the entries after it's done. Assuming the entry would still be in iptables I did a quick check:

Code:
 iptables -L

I did not see any entries for the specific known ports on my router. I've yet to try the script they suggested but I might try that next.
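As an added example that is not the thread's own code, the three checks discussed in this post and the ones above (the ktest process, listeners on the ports from the Trend Micro appendix, and iptables rules for those ports) are collected into shell functions that run over constructed sample output, so the matching can be verified offline before running it on a router with --live. The port list is the one quoted in the thread; the sample output, the function names and the --live switch are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: the checks discussed above (ktest
# process, Trend Micro appendix ports, iptables rules for them) in a form that
# can be tried offline. Port list as quoted in the thread; samples are constructed.
PORTS="636 989 990 992 994 995 3269 8443"

# ps lines naming ktest. The grep's own command line shows as "grep [k]test",
# which the pattern [k]test (literal "ktest") does not match, so there is no
# need for the "grep -v grep" used above.
find_ktest() { grep '[k]test'; }

# netstat -nlp lines (TCP and UDP) whose local address ends in a known port.
# Anchoring on ":PORT " avoids matching a PID or a longer port (16360 vs 636).
known_port_listeners() {
    pat=""
    for p in $PORTS; do pat="$pat${pat:+|}:$p "; done
    grep -E -e "$pat"
}

# iptables -S lines (rule-spec form of iptables -L) that ACCEPT a known port.
known_port_rules() {
    pat=""
    for p in $PORTS; do pat="$pat${pat:+|}--dport $p( |\$)"; done
    grep -E -e "$pat" | grep -- '-j ACCEPT'
}

# Constructed sample output (not captured from any real router).
SAMPLE_PS='3988 admin 1464 S grep [k]test
4021 admin 2200 S ktest'
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 812/httpds
tcp 0 0 0.0.0.0:16360 0.0.0.0:* LISTEN 900/miniupnpd
udp 0 0 0.0.0.0:636 0.0.0.0:* 4021/ktest'
SAMPLE_IPT='-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6360 -j DROP'

# All three checks: over the samples by default, over the router with --live.
# A hit on 8443 is expected if it is the router's own HTTPS UI port (see above).
audit() {
    if [ "$1" = "--live" ]; then
        ps | find_ktest
        netstat -nlp | known_port_listeners
        iptables -S | known_port_rules
    else
        printf '%s\n' "$SAMPLE_PS" | find_ktest
        printf '%s\n' "$SAMPLE_NETSTAT" | known_port_listeners
        printf '%s\n' "$SAMPLE_IPT" | known_port_rules
    fi
}
audit "$@"
```

On the sample data the script reports the ktest process, the 8443 and 636 listeners (not the 16360 one), and only the 8443 ACCEPT rule; read the process name on each netstat line before drawing conclusions, since 8443 is normally the router's own web UI.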
 
The Trend Micro article does not specifically say that the attack vector is via the remote management. My impression is that no one knows the attack vector and that it may be as simple as Cyclops Blink attempting to exploit weak passwords, perhaps along with the remote login routine. I find it a bit unnerving that the attack vector is not specifically identified, so hopefully it is typical poor security practices by the device owner.

What's peripherally interesting is TM's statement that a device cannot be disinfected.
 
