WrtHug, a widespread compromise of ASUS routers (via AiCloud)

Status
Not open for further replies.
To save people the extra click. From the PDF:

Mitigation
All vulnerabilities in Operation WrtHug are known and ASUS has officially addressed and patched them. This aligns with our observation of the threat actor targeting outdated and EoL devices.

To further explore previous security advisories on the vulnerabilities leveraged in WrtHug, please view the ASUS product security advisory here or check how to make your devices more secure with the ASUS Support resource FAQ.
 
The best thing is that "during the WrtHug infection process, devices open a dialog box on connected devices that instructs users to install a self-signed TLS certificate. Asus routers, like those for many other manufacturers, by default require users to accept such certificates in order to encrypt connections between a user and the device when using the web-based administrative interface."

What did you really install after Asus requested a reset and to install a self-signed cert?

article here:

 
Last edited:
Old news, only now they've given it a name.
This document also states that asus have patched against these vulnerabilities.
When did they patch it? People may have felt they allowed something questionable through the net by this time and only now realised, like damn, I installed that questionable thing before that patch! UH OH. In that case patching a vulnerability is like someone finding a hole in the wall and stopping the next guy coming in. What about the guy who is already in?!

" We might be able to fix this bug, but the real bug is that all running programs on the entire system can gain root privileges, even a custom script. If they have root they can even flash the cfe or other boot partition and if they do they can take control of the router forever because we don't know many things about the cfe and we are even denied to discuss how to flash it." - Yota, https://www.snbforums.com/threads/trend-micro-cyclops-blink-sets-sights-on-asus-routers.77953/page-2

Looking at https://github.com/JackMerlin/How-to-flash-the-CFE-of-RT-AC86U-and-other-HND-routers , he does a guide on modifying the factory nvram ("factory nvram modification is completed"), but reading between the lines, in the first link, where Yota says all this, he is still researching into it and needs help.

And then when you get said malware and you think you're compromised, ASUS say reset your router. Well, look at the above and THEN this:

"Reset via Reset button/webUI Restore/node removal - clears settings in NVRAM; reboot restores fw defaults from CFE (fw defaults)
Hard Reset via WPS button/webUI Restore+Initialize - also clears data logged in /jffs partition (fw defaults+clear logs)"
-OzzarkEdge

SORRY? "restores fw defaults from CFE" ....... THE HARD RESET OPTION, is restoring from the CFE, which can be edited?

It sounds to me like other BIOS malware I've read about with PC motherboards: there exists a partition where factory defaults live and it can be infected, in NVRAM (CMOS) etc. I have read of some with malware in the UEFI or CMOS (NVRAM) who flash it to factory and still see signs of infection.

These state sponsored hackers, well, large scale sophisticated social engineering is actually their number 1 routine, for them the internet comment boxes are all indexed via language learning models. They'll debate you in the Stamp collecting forum if you speak loud enough probably. But yes highly context appropriate websites are in their models to be targeted.

I highly imagine Yota's desire to understand the CFE, is already kitten play for state sponsored hackers. Like LEGO.

So patches are just placebo if you are already compromised and thinking of utilising firmware flashes to save yourself, I think (why assume it's just a novice hacker?). To be compromised by state groups is quite easy; they are extremely charming people (social engineering) and have many gleaming happy clappy cartoon characters (if you will) running software operations including FOSS, with bots/shills to upvote that stuff to death with real concerned people left in downvoted molasses, HENCE PROFESSIONAL SOCIAL ENGINEERING. Hence I believe many could be already fooled.

These vulnerabilities appear like drip drops every now and then. "Yeah, we patched that." Yeah, ok.
Yet state sponsored hackers have an ocean of vulnerabilities to play with, and rather than waste time playing cat and mouse, they LONG AGO (NSA with Intel ME; no no, other countries can do similar) have headed straight for the firmware recovery partition. So if you've been infected and fell for professional social engineering software works (yes, actually very professional), your hardware is bricked (though never say never; does secure boot help in the case of PC motherboards, for example?). This is why the US government will destroy equipment, as was one case, but they reverted destroying all equipment because someone thought the malware wasn't actually there. But no, CMOS/NVRAM recovery partition malware is a thing.

Think about it, if you can live lower than ring 0, like ring -1, even at firmware recovery partition level, and then worm yourself to all devices in your home with all their ZERO protected nvrams.... what must you do now? DUMP A TON INTO SOCIAL ENGINEERING, TO GET THAT OUT THERE!

I think these CVE patches are a bit of a joke, and they come late too. However, I will say, if you've been switched on with strict hygiene, keeping with closed source giant companies like Microsoft software only etc. rather than "hobbyist" software, and don't download silly things, the best you've got is keeping only CIA etc., 5 eyes spyware, and the CVE patches in fact do keep other countries out before compromise, maybe. But it's the other state sponsored hack groups. I don't want more than one country on my machine doing weird stuff as some exercise against the people of my country etc. or whatever their mission is; they could be the ones out to damage or utilise my hardware in some seedy way.


 
Last edited:
When did they patch it? People may have felt they allowed something questionable through the net by this time and only now realised, like damn, I installed that questionable thing before that patch! UH OH. In that case patching a vulnerability is like someone finding a hole in the wall and stopping the next guy coming in. What about the guy who is already in?!

Microsoft the biggest infection ever
 
Microsoft the biggest infection ever
No, it's not. The main way of getting malware is downloading things and executing them. So choose wisely, like, really wisely. Configure your Windows, like your router. Linux is not safe; it too needs a lot of configuration.

Let's not detract also, NVRAM malware is independent of operating systems and even gadgets. NVRAM malware is not bundled with Microsoft, unless it is NSA (a given).

Open source software is the BIGGEST INFECTION EVER. First off, hackers can read the code clearly, with comments too maybe, no worry of disassemblers muddying the waters; they can find many attack vectors in it. First of all, the contributors, who are they? Do we know them in person? No, we do not. They could literally be anyone with any background. Are they out to make vulnerable code? Possibly!? For the tiny % of people who CAN and DO read the open source code before they consume it, do they ALSO have extreme understanding of vulnerabilities? Well, even if they did, did they know them all? Of course not. What happens if this rare consumer spoke up? He could get shot down with the hacker favourite "False positive." Will he even be heard by everyone? Massively unlikely. GitHub as a safe assurance folly is a joke, since it became a thing. Just another AWESOME thing to spout for social engineering for rookie/novice/expert/state hackers.

As for closed source software, well, it gets worse when the maker is some dude, even if said guy looks kind of nice.

Now, yes, Microsoft is like Swiss cheese, like Linux (unless you are a true super user who can configure it in a secure way). Apple macOS? I don't know about that OS but I highly doubt it's Fort Knox and it will not be immune to NVRAM malware, which is independent of operating systems anyway. Yeah, kiss goodbye to even the TV/router.

Still, the no. 1 way to get foreign malware is downloading things and executing them. Closed source software from a trusted large company with much at stake seems the best bet; not the greatest, but the best bet. A Western company, I will add, is a must; I am from the UK. It makes sense to only want one intel agency snooping in your PC. I have no choice that NSA/CIA/MI6 is in my PC. Do I want other state hackers / expert hackers / criminal organised gang hackers in my PC too? Hell no.
 
Last edited:
to only want one intel agency snooping in your PC

HP laptops in Spain, purchased in Canada. Do you know how to switch from Canadian Security Intelligence Service (CSIS) to Centro Nacional de Inteligencia (CNI) in Windows 11 25H2? I remember a drop-down menu somewhere, but forgot where it was and I don't want to be deported or worse. Thank you!
 
NVRAM malware
NVRAM cannot contain malware. NVRAM is just a storage area that contains variables, with values assigned to them - it does not contain code.
 
NVRAM cannot contain malware. NVRAM is just a storage area that contains variables, with values assigned to them - it does not contain code.
I doubt that.

"nvram malware" didn't take long, as felt so obvious... I'm not even "Part of the Furniture" lol.

"UEFI firmware applications DTBios and BiosFlashShell from DTResearch contain a vulnerability that allows Secure Boot to be bypassed using a specially crafted NVRAM variable. "

And so variables can't be a problem? I will not be swept under the rug.

The earliest known technique is also the simplest. The basic premise is to modify the ESP partition on the hard drive, which only requires kernel access to write to. By modifying or replacing the existing bootmgfw.efi and winload.efi files, or by modifying the NVRAM variables that point to their location, it is possible to run a malicious bootloader instead of the real one.

But thank you for pointing out the technicalities of the NVRAM. NVRAM, then, like I thought, is a problem. Well, variables/code, who cares; snooping/malevolent binary is snooping/malevolent binary.

HP laptops in Spain, purchased in Canada. Do you know how to switch from Canadian Security Intelligence Service (CSIS) to Centro Nacional de Inteligencia (CNI) in Windows 11 25H2? I remember a drop-down menu somewhere, but forgot where it was and I don't want to be deported or worse. Thank you!
Right, so, let's download open-source projects from people we don't actually know making juicy esoteric vulnerabilities and make matters worse for ourselves! Yeah, because when you're knowingly driving a car with dodgy brakes, let's go faster... Great input Mr. "tech9". The 5 eyes (Australia, Canada, New Zealand, the United Kingdom, and the United States) intel community are already baked into our computers... There's no turn off button in Windows for that yet, haha, as per your comedy. But no, let's not let those other nation spies in... Well ok, China might be in the hardware in some minor (major?) way since they have their hands along the hardware supply chain... But you know, let's not put full-featured malware packages on our computers for other nations or serious organised criminal gangs...

Thanks for your bludgeoning input... I'm sure you've put people off.
 
Having a variable set to disable or bypass a security measure is not the same as containing malware. Sure, you can have an nvram value changed to re-enable HTTP access without SSL, or to enable WAN access over SSH, or set the password to "password123". That's not the same thing as containing malware - the malware is what changed that variable. Your malware itself still needs to be stored somewhere, be it in the bootloader or in a writable partition of the device.
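The post above separates the malware itself from the settings it changes. From a defender's side that distinction is useful: the weak settings it lists are exactly what a post-incident audit of the router's variables should look for. The script below is an added example, not code from the thread or from Asuswrt; it scans an `nvram show`-style key=value dump for those settings. The variable names used here (http_enable, misc_http_x, sshd_enable, sshd_wan, http_passwd) and their value meanings are assumptions about Asuswrt and may differ between firmware builds, so check them against your own `nvram show` output before relying on the result.

```shell
#!/bin/sh
# Added example (not from the thread or from Asuswrt): audit an `nvram show`-style
# dump for the weak settings named in the post above. Variable names and value
# meanings below are ASSUMPTIONS about Asuswrt and may differ between builds.

# Print one WARN line per weak setting found in the dump file given as $1.
audit_nvram_dump() {
  while IFS='=' read -r key value; do
    case "$key" in
      http_enable)
        # assumed: 0 = HTTP only, 1 = HTTPS only, 2 = both
        [ "$value" = "1" ] || echo "WARN http_enable=$value: admin UI reachable over plain HTTP" ;;
      misc_http_x)
        # assumed: 1 = admin UI reachable from the WAN side
        [ "$value" = "0" ] || echo "WARN misc_http_x=$value: admin UI exposed to the WAN" ;;
      sshd_enable)
        # assumed: 0 = SSH daemon disabled
        [ "$value" = "0" ] || echo "WARN sshd_enable=$value: SSH enabled; verify it is LAN-only" ;;
      sshd_wan)
        # assumed: 1 = SSH accepts connections from the WAN side
        [ "$value" = "0" ] || echo "WARN sshd_wan=$value: SSH exposed to the WAN" ;;
      http_passwd)
        # a short list of well-known default/weak admin passwords
        case "$value" in
          admin|password|password123|12345678)
            echo "WARN http_passwd is a well-known default/weak value" ;;
        esac ;;
    esac
  done < "$1"
  return 0
}

# Count WARN lines so the result can be checked programmatically (always exits 0).
count_findings() {
  audit_nvram_dump "$1" | grep -c '^WARN' || true
}

# Constructed sample dump standing in for `nvram show` output on a tampered device.
sample=$(mktemp)
cat > "$sample" <<'EOF'
http_enable=0
misc_http_x=1
sshd_enable=1
sshd_wan=0
http_passwd=password123
lan_ipaddr=192.168.1.1
EOF

audit_nvram_dump "$sample"
echo "$(count_findings "$sample") finding(s) in constructed sample"
rm -f "$sample"
```

On a real device the dump would come from `nvram show > /tmp/nvram.txt` and the script would be run against that file; any WARN line is a setting to compare against what the owner actually configured, not proof of compromise on its own.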
 
let's not let those other nation spies in...

I found a diplomatic solution! Since me and my wife have exactly the same HP laptops, purchased from the same store at the same time, I will let CNI into mine and leave CSIS on hers. This way both agencies get something and are happy. Now I need to call Guardia Civil and ask, in case one of us gets deported, what happens to the other. I need to think overnight what answer is good news.
 
I doubt that.

"nvram malware" didn't take long, as felt so obvious... I'm not even "Part of the Furniture" lol.

You're missing the point. The "NVRAM" in the posts that you originally quoted is the area where the router stores its variables. Your diatribe about malware which resides in a PC's NVRAM, UEFI, BIOS, ring 0, etc. etc. isn't relevant to this thread or forum. An Asus router is not a PC. The meaning of the word "NVRAM" in the context of this forum is completely different.

EDIT: Removed "or forum" as I mistakenly thought this was posted in the ASUS Wi-Fi sub-forum.
 
Last edited:
Having a variable set to disable or bypass a security measure is not the same as containing malware.

Malware definition:

"software such as a virus on a computer or computer network that the user does not know about or want"

You don't think this naughty variable is not malware? A variable unknown to the user nor does he want? He wants to be snooped on? To be a potential victim?

Oh but a variable isn't software...

Software definition:

"the instructions that control what a computer does; computer programs:"

Does a variable that instructs the computer to load a malicious bootloader rather than the real one, sound like software? Yeah, it is.

Having a variable set to disable or bypass a security measure is not the same as containing malware.

It contains malware. I think for the public that is genuinely concerned and CARES, along with security experts, that variable is malware, at least, part of the malware package/ecosystem/chain. That much, is obvious. Ah ok, so clearing a system of infection means ignoring the NVRAM variable that should not be there? Okkkkkk then. A bit worrying of an outlook.

Sure, you can have an nvram value changed to re-enable HTTP access without SSL, or to enable WAN access over SSH, or set the password to "password123".
Yeah that sounds totally malware.

That's not the same thing as containing malware - the malware is what changed that variable. Your malware itself still needs to be stored somewhere, be it in the bootloader or in a writable partition of the device.
If you want to play semantics on something where people only care for security and so should you... this is odd going over this. I've shown if you want to play semantics, that the variable is malware.

What if the variable came first anyway, like it was put there? Can it not then lead to the malware package? The problem with asking you things is, if I stuck to your word on your first reply, I could have missed the big picture, or the small picture. "Oh yeah NVRAM, yeah whatever, plays no role in malware, ok, goodbye..." Is that what you want or? You want to play semantics? Why? Don't we all just care about security here? Who cares about semantics... but it goes beyond that, it's just damn logic too. I think every security minded man on the planet is going to clean that NVRAM variable.

Your malware itself still needs to be stored somewhere, be it in the bootloader or in a writable partition of the device.
I had a question above to that, anyway. Regarding the partition way of things with malware packages, I read that BIOS malware (not a shock) can live there. I also read that the malware can cocoon itself, in that, if someone was to flash the BIOS, the malware tells the "flasher" yeah, all good here, flash over there - i.e. the malware is still there. Or, well, it could just worm itself to all your firmware on all the main chips, so whack-a-mole if you will. The guy below talks exactly of this worming nature of low level malware.


I found a diplomatic solution! Since me and my wife have exactly the same HP laptops, purchased from the same store at the same time, I will let CNI into mine and leave CSIS on hers. This way both agencies get something and are happy. Now I need to call Guardia Civil and ask, in case one of us gets deported, what happens to the other. I need to think overnight what answer is good news.

Ok so, NSA/CIA (5 eyes) (CNI pretty much works with them) is already on your machine. So, do you want to let other state hackers on your computer, North Korean hackers, Chinese state hackers on your computer and serious organised criminal gangs on your computer too? Ah, well, to make damn sure this is the case, download many a software from the web, open-source too if you want (it's safer.... lol) and I'm pretty sure you're now making damn sure something could rob your bank details, slow your PC down, blackmail you, whatever, crypto mine with your PC, botnet from your PC, use your PC for criminal activity.... Yeah, because the Canadian intel community and Spanish intel community are this rogue, doing those things on your PC. They're not like other bad countries out there with their hacker groups (look it up) or any serious organised criminal gangs. To say it again, widespread malware distribution is mainly a problem for those downloading and executing software; yes, if you are targeted by these big groups, then you could be screwed (depending on how damn good your security is, which plays a good role at least).

Please Tech9, you're not funny. Furniture is not funny, so you are living up to the 'Part of the Furniture' title you have.
 
Last edited:
You're missing the point. The "NVRAM" in the posts that you originally quoted is the area where the router stores its variables. Your diatribe about malware which resides in a PC's NVRAM, UEFI, BIOS, ring 0, etc. etc. isn't relevant to this thread or forum. An Asus router is not a PC. The meaning of the word "NVRAM" in the context of this forum is completely different.
CMOS is NVRAM; in PC malware, the variables still play a USEFUL role in the malware attack. Why are we pretending the NVRAM does nothing... like, come on. Ok, I get it, malware as a core package does not live in NVRAM, if NVRAM truly is just some fancy .ini file. But it (as in yes, we must care to accept) plays a nasty role for some malware. What doesn't help this conversation is people avoiding saying "Yes, NVRAM plays a role in malware." Why does it hurt them so much to say this?

Merlin already said it stores variables in the router. The CMOS does the same. Relevant.

There are worms out there having a field day hopping between firmware and NVRAMs. Studying firmware of different devices, meh, easy for well paid groups of people. An open source bootkit by a small number of people can infect 230 motherboards. Imagine country sponsored hack groups. Youch. (In the above video I linked where said project is mentioned.)
 
Last edited:
They're not like Russia, China, North Korea, Iran or any serious organised criminal gangs.

My intel is saying you are very close to crossing the line on an international forum.
 
CMOS is NVRAM; in PC malware, the variables still play a USEFUL role in the malware attack. So please... Stop.

Merlin already said it stores variables in the router. The CMOS does the same. Relevant.
No, you're conflating the PC world and malware in general with something that is very specific to Asus routers. Just because both use the term "NVRAM" doesn't mean they're using it to describe the same thing. If you want to go on a rant about malware in general or how it relates to PCs then that's fine, open a new thread. But that's not the subject of this thread (WrtHug).
 
My intel is saying you are very close to crossing the line on an international forum.
Alright then, I'll call it other countries (I edited it), but you need a vivid real world personal experience account of what I am saying, tech9... shame you push me to that.

We have learnt that you are out of line yourself. That my logic holds and therefore your comedy is needless psychological attacks.
 
No, you're conflating the PC world and malware in general with something that is very specific to Asus routers. Just because both use the term "NVRAM" doesn't mean they're using it to describe the same thing. If you want to go on a rant about malware in general or how it relates to PCs then that's fine. But that's not the subject of this thread.
Both router and PC use NVRAM to hold variables.

You're telling me NVRAM in routers can't hold variables that help support vulnerabilities for other malware out there? Please....................................................................
 
Both router and PC use NVRAM to hold variables.

You're telling me NVRAM in routers can't hold variables that help support vulnerabilities for other malware out there? Please....................................................................
No, I'm saying none of what you've posted is directly relevant to the subject of this thread (WrtHug). You're just making broad generalisations that "anything can be hacked". Sure, we all know that. But again, not relevant to this thread.
 