back to article Cyclops Blink malware sets up shop in ASUS routers

Cyclops Blink malware has infected ASUS routers in what Trend Micro says looks like an attempt to turn these compromised devices into command-and-control servers for future attacks. ASUS says it's working on a remediation for Cyclops Blink and will post software updates if necessary. The hardware maker recommends users reset …

  1. HAL-9000
    Windows

    The joy of hardware attacks

    Let's hope all those owners of Asus routers get the message eh ;)

    ... a quick web search reveals none of the big news vendors have picked up on this yet, just some niche technology sites

  2. Sandtitz Silver badge
    FAIL

    Makes you wonder

    "The hardware maker recommends users reset their gateways to factory settings to flush away any configurations added by an intruder, change the login password, make sure remote management access from the WAN is disabled"

    ASUS produces consumer electronics. Why would their plastic routers even have an option for WAN management?

    Also, I remember Buffalo routers (consumer tat as well) having a unique, factory-set password for the admin user. This was in the 00s. Why can't all manufacturers do this?

    FreshTomato and all those WRT firmware projects have immensely better UI, set of features and maintained code than the firmware made by the in-house coders. The manufacturers should fire them all and license one of those 3rd parties to produce a branded firmware.

    1. Gene Cash Silver badge

      Re: Makes you wonder

      They don't even need a unique, factory-set password... just make the goddamned thing insist you change the password at first boot. It's not that hard.

      Edit: and if Linksys or Netgear licenced OpenWRT, I'd buy SO many of them.

      1. Anonymous Coward
        Anonymous Coward

        Re: Makes you wonder

        You can already flash OpenWRT to a large number of Belkin...er...Linksys routers.

        I mean the hardware stinks, but you can flash OpenWRT to it.

      2. mark l 2 Silver badge

        Re: Makes you wonder

        BT homehub 5 routers can be flashed with OpenWRT with a bit of tinkering, and make for a good VSDL router once done. And they are pretty cheap second hand so can be picked up for under £10 on places like ebay.

        1. john.w

          Re: Makes you wonder

          TP-Link is particularly good for OenWRT and if you need some omph the VR2600 will function as a simple NAS, VPN client, ad blocking and torrents, should that be of interest (via that VPN of course)

          1. RAMChYLD

            Re: Makes you wonder

            Yeah, but the units sold in the US are duds. Due to pressure by the idiot Ajit Pai and his FCC, TP-Link routers will be locked down and blocked from custom firmware in their market. All because some idiot turned the power of his up so high it was interfering with the nearby airport's radar system, which caused the FAA to complain.

            https://arstechnica.com/information-technology/2016/03/tp-link-blocks-open-source-router-firmware-to-comply-with-new-fcc-rule/

      3. RAMChYLD

        Re: Makes you wonder

        Thing is, Asus routers also have custom firmware- MerlinWRT, which is apparently an attempt to merge OpenWRT with the Asus default router firmware.

  3. sorry, what?
    Alert

    Eejit guide to detection...?

    I wonder if there is a simple way to discover whether one of these routers is infected? I expect a lot of these appliances sit in low-IT-capability homes and doing a factory reset "just in case" will put off most home users.

    1. David 132 Silver badge
      Happy

      Re: Eejit guide to detection...?

      Well, there's one test.

      If your router will let you click this link: www.putinisamazingandwelovehim.ru, but gives an error on this one: www.isupportukraineandthinkputinisevil.ua, then your router is infected and you should immediately nuke it from orbit, just to be sure.

      But seriously. I agree, good point. A simple test would be a great idea, something that even the non-technical average home user or elderly relative could try.

    2. TeeCee Gold badge
      Facepalm

      Re: Eejit guide to detection...?

      Simple. If the router is sat in a "low-IT-capability home" it's infected.

      Maybe not with this malware but it'll be pwned by somebody by now, just like everything else that allows remote admin by default and which is looked after by a muppet.

      1. RM Myers

        Re: Eejit guide to detection...?

        "...just like everything else that allows remote admin by defaul..."

        At least for these routers, remote administration is turned off by default. The only legitimate reason I could see for turning it on would be the situation where someone tech savvy is maintaining the router for a less savvy owner who lives far away. It that case, hopefully they would know enough to reset the username and password to something very strong.

    3. RAMChYLD

      Re: Eejit guide to detection...?

      +1. Im extremely worried now, having bought an Asus router on an recommendation of a friend (said friend replaced his with a Ubiquity shortly after. I wonder why?) and even worse it's the exact model they mentioned finding the worm on- RT-AC68U with the 384.4 firmware.

      A quick way to find out if I'm infected would be great.

      1. Down not across Silver badge

        Re: Eejit guide to detection...?

        The article says

        According to Trend Micro's Cyclops Blink technical analysis, once the modular malware, written in C, has been injected into the gateway and is running, it sets itself up and renames its process to "[ktest]" presumably to appear as a Linux kernel thread.

        So i suppose one way is to ssh into the router, run ps and see if there is [ktest] listed or not.

        Just tested on a RT-AC86U running AsusWRT-Merlin 384.19 and saw no such process.

  4. Robert Carnegie Silver badge

    May have been asked already?

    Does a Cyclops blink? Or does he wink? He can't do both, surely?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022