
Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately


SynoDyne

ASUS RT-AC88U running Merlin 384.18

I've been getting the following warning every hour on the hour.

I couldn't find anything useful on the internet. The only thing I came across was the 2018 router exploit called VPNFilter malware, which shouldn't apply in this case as most firmware since then has been patched. So this is either a false positive or the router is compromised (HOPE NOT!). Anyone have any suggestions or ideas?

Jun 29 23:00:14 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
Jun 30 00:01:09 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
Jun 30 01:00:12 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
Jun 30 02:00:14 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
Jun 30 03:00:13 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
Jun 30 04:00:14 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
Jun 30 05:00:13 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
Jun 30 06:00:15 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
Jun 30 07:00:14 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
Jun 30 08:00:13 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
Jun 30 09:00:14 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
Jun 30 10:00:13 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
Jun 30 11:00:13 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
Jun 30 12:00:13 RT-AC88U-0530 Skynet: [!] Warning! Router Malware Detected (apps_wget_timeout=3O) - Investigate Immediately!
 
@Adamm
 
I wish sometimes that there was a way for one of the installed scripts to notify users via email on what to do when this happens. I am thinking specifically of those who are not always able to interpret system logs when troubleshooting the router, or to get to them in a timely manner to take swift action. It would also be nice if such an alert system were maintained in a way that new alerts could be added to it from time to time as new malware was discovered. I think AiProtection has an email feature, but I have never been able to tell if it can be used for this purpose or if it works well, for that matter.


Sent from my iPhone using Tapatalk
 
Great that it now exposes the issue, but it just leads to a dead-end about what to do about it since the malware doesn’t even have a name (as far as we know). The best course of action will be to reset to factory defaults, reflash the firmware and secure the WAN perimeter.

Reading through some of the links you all were kind enough to post it seems the purpose of the malware is to prevent AiProtect updates. I'm assuming no one knows the full extent and purpose of this malware?

What a nice thing to come home to after coming off of a 72h on-call rotation at work. I don't think I have the energy or mental capacity to go through a factory reset and reconfiguration tonight.

If anyone wants any specific captures or log from the router for forensics let me know before I nuke it tomorrow morning.
 
I think it would be useful to run iptables-save to see if this malware opened any unexpected firewall ports. On the Administration / System tab, make sure HTTP and SSH are open to the LAN only.

The "good" news is that it doesn't mean this just happened. It just means that Skynet was only recently updated to detect this problem. So you've probably been living with it for a while (check when your Trend signatures last updated on the Firmware page).
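One way to do the iptables-save review suggested above, as an added example that is not from the thread or from any Asuswrt-Merlin script: it pulls the DNAT port forwards and any INPUT rules that accept traffic arriving on the WAN interface out of a dump, so they can be compared against what the owner expects. The dump below is constructed sample data and eth0 as the WAN interface is an assumption; on the router you would pipe the real `iptables-save` output in instead.

```shell
#!/bin/sh
# Added example (not the thread's or Merlin's code): summarise the parts of an
# iptables-save dump that matter when checking for unexpected exposure.
# SAMPLE_DUMP is constructed; WAN interface name (eth0) is an assumption.

SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
-A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.20:3389
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i br0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'

# list_port_forwards WAN_IF: reads a dump on stdin and prints
# "proto dport -> destination" for every DNAT rule on the WAN interface.
list_port_forwards() {
    awk -v wan="$1" '
        /^-A PREROUTING/ && /-j DNAT/ && $0 ~ ("-i " wan " ") {
            proto = ""; dport = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            print proto, dport, "->", dest
        }'
}

# list_wan_accepts WAN_IF: INPUT rules that ACCEPT traffic from the WAN side.
# With remote admin disabled ("LAN only") this list should normally be empty.
list_wan_accepts() {
    awk -v wan="$1" '/^-A INPUT/ && /-j ACCEPT/ && $0 ~ ("-i " wan " ") { print }'
}

# count_wan_accepts WAN_IF: number of such rules, for a quick "should be 0" check.
count_wan_accepts() {
    list_wan_accepts "$1" | wc -l | tr -d ' '
}

# Demo on the constructed dump; on the router: iptables-save | list_port_forwards eth0
printf '%s\n' "$SAMPLE_DUMP" | list_port_forwards eth0
printf '%s\n' "$SAMPLE_DUMP" | list_wan_accepts eth0
```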
 

Not sure how long I may have been living with this "thing".

I always had SSH / HTTPS enabled for 'LAN Only' and WAN access disabled. I attached the info requested. I only removed my ISP IP from the log.
 

Attachments

  • RT-AC88U - Firmware.png
  • RT-AC88U - System1.png
  • RT-AC88U - System2.png
  • ip-tables.txt
Since we don't really know what this thing is or was, it's still safest to wipe the router. I didn't see anything too unusual. Just make sure all your port forwards are what you expect them to be.
 

You may also want to consider changing the port numbers for both HTTP and HTTPS to numbers other than the usual 80 and 8443, which have a higher potential for being scanned by malicious bots. You could try different combinations like 31256 and 56345, for example.

And you could do the same with the SSH port number too.


Sent from my iPhone using Tapatalk
 
Thanks for checking!

Yup, all port forwards are accounted for. Will definitely do a hard-reset, reflash firmware, format USB and reconfigure from scratch. It will take a while but better safe than sorry considering how little we know about this threat.
 

I can do that, though they are LAN-Only accessible ports.
 

Yes, that is true but an extra layer of security doesn’t hurt especially if you happen to enable WAN access by mistake.


Sent from my iPhone using Tapatalk
 

As dave mentioned, there isn't much we know about this strain of malware beyond an IOC to detect it. The best course of action is to wipe everything and start fresh (and don't expose anything to WAN!).

On the bright side, it's good to see this feature actually come in handy for someone; hopefully others who were unknowingly compromised will also take notice.
 
I have wiped everything and reloaded. My RT-AC68U is still showing "nvram get apps_wget_timeout = 30"
Even performed a rescue, nvram erase. All resulting the same.
 

30 is the correct output, 3O is when there is an issue.
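The distinction above (digit zero versus capital letter O) is easy to misread in a log, so here is an added example, not Skynet's own check, that classifies the nvram value and prints its raw bytes so the two cannot be confused. On a Merlin router it reads `nvram get apps_wget_timeout`; where that command does not exist it falls back to a constructed sample reproducing the thread's alert value.

```shell
#!/bin/sh
# Added example (not Skynet's code): tell the benign value "30" apart from the
# IOC "3O" (digit three, capital letter O) that the Skynet alert refers to.

# classify_wget_timeout VALUE -> prints clean | ioc | unexpected
classify_wget_timeout() {
    case "$1" in
        30)    echo "clean" ;;       # expected default: digit three, digit zero
        3O|3o) echo "ioc" ;;         # letter O where the zero should be: the Skynet IOC
        *)     echo "unexpected" ;;  # any other value still deserves a closer look
    esac
}

# show_bytes VALUE -> prints each byte as two hex digits, space separated.
# A zero is 0x30 and a capital O is 0x4f, which no font can make look alike.
show_bytes() {
    printf '%s' "$1" | od -An -tx1 | tr -d '\n' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# Demo: use the router's nvram when available, else a constructed sample value.
if command -v nvram >/dev/null 2>&1; then
    current=$(nvram get apps_wget_timeout)
else
    current="3O"   # constructed sample reproducing the alert in this thread
fi
echo "apps_wget_timeout=$current (bytes: $(show_bytes "$current")) -> $(classify_wget_timeout "$current")"
```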
 
