The joy of hardware attacks
Let's hope all those owners of Asus routers get the message eh ;)
... a quick web search reveals none of the big news vendors have picked up on this yet, just some niche technology sites
Cyclops Blink malware has infected ASUS routers in what Trend Micro says looks like an attempt to turn these compromised devices into command-and-control servers for future attacks. ASUS says it's working on a remediation for Cyclops Blink and will post software updates if necessary. The hardware maker recommends users reset …
"The hardware maker recommends users reset their gateways to factory settings to flush away any configurations added by an intruder, change the login password, make sure remote management access from the WAN is disabled"
ASUS produces consumer electronics. Why would their plastic routers even have an option for WAN management?
Also, I remember Buffalo routers (consumer tat as well) having a unique, factory-set password for the admin user. This was in the 00s. Why can't all manufacturers do this?
FreshTomato and all those WRT firmware projects have an immensely better UI, feature set and better-maintained code than the firmware made by the in-house coders. The manufacturers should fire them all and license one of those 3rd parties to produce a branded firmware.
Yeah, but the units sold in the US are duds. Due to pressure by the idiot Ajit Pai and his FCC, TP-Link routers will be locked down and blocked from custom firmware in their market. All because some idiot turned the power of his up so high it was interfering with the nearby airport's radar system, which caused the FAA to complain.
https://arstechnica.com/information-technology/2016/03/tp-link-blocks-open-source-router-firmware-to-comply-with-new-fcc-rule/
Well, there's one test.
If your router will let you click this link: www.putinisamazingandwelovehim.ru, but gives an error on this one: www.isupportukraineandthinkputinisevil.ua, then your router is infected and you should immediately nuke it from orbit, just to be sure.
But seriously. I agree, good point. A simple test would be a great idea, something that even the non-technical average home user or elderly relative could try.
"...just like everything else that allows remote admin by defaul..."
At least for these routers, remote administration is turned off by default. The only legitimate reason I could see for turning it on would be the situation where someone tech savvy is maintaining the router for a less savvy owner who lives far away. In that case, hopefully they would know enough to reset the username and password to something very strong.
+1. I'm extremely worried now, having bought an Asus router on a recommendation of a friend (said friend replaced his with a Ubiquiti shortly after. I wonder why?) and even worse it's the exact model they mentioned finding the worm on: RT-AC68U with the 384.4 firmware.
A quick way to find out if I'm infected would be great.
The article says
According to Trend Micro's Cyclops Blink technical analysis, once the modular malware, written in C, has been injected into the gateway and is running, it sets itself up and renames its process to "[ktest]" presumably to appear as a Linux kernel thread.
So I suppose one way is to ssh into the router, run ps and see if there is [ktest] listed or not.
Just tested on a RT-AC86U running AsusWRT-Merlin 384.19 and saw no such process.
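Building on the ps check in the post above, here is an added example (not written by any poster in this thread, and not part of Trend Micro's or ASUS's material) that generalizes it: instead of grepping for the one name "[ktest]", it flags any process whose displayed name is bracketed like a kernel thread but whose parent is not kthreadd (PID 2) or PID 0. On Linux, real kernel threads are always forked by kthreadd, so a bracketed name with some other parent is a user-space process dressed up as one. The input format "PID PPID COMMAND" and the sample ps lines are constructed for the demo; the assumption is that the router's ps brackets kernel-thread names, as BusyBox ps and `ps -eo pid,ppid,args` do.

```shell
#!/bin/sh
# Added example: spot user-space processes posing as kernel threads.
# Reads "PID PPID COMMAND" lines on stdin (assumption: the router's ps
# shows kernel threads as "[name]", as BusyBox ps does) and prints any
# bracketed name whose parent is neither kthreadd (PID 2) nor PID 0.
find_fake_kthreads() {
    awk '
        NR == 1 && $1 == "PID" { next }          # skip a header line if present
        $3 ~ /^\[.*\]$/ && $2 != 2 && $2 != 0 {  # bracketed name, wrong parent
            printf "%s %s %s\n", $1, $2, $3
        }
    '
}

# Constructed sample ps output for demonstration only; not captured from
# any real device. The last line imitates the renamed process described
# in the thread, parented by init rather than kthreadd.
SAMPLE_PS='PID PPID COMMAND
1 0 init
2 0 kthreadd
3 2 [ksoftirqd/0]
11 2 [rcu_sched]
812 1 httpd
1337 1 [ktest]
'

# Run the check over the constructed sample; returns the flagged lines.
check_sample() {
    printf "%s" "$SAMPLE_PS" | find_fake_kthreads
}

# On a live box you would instead pipe: ps -eo pid,ppid,args | find_fake_kthreads
check_sample
```

A flagged line is a prompt to look closer, not proof of infection: a daemon that blanks its own argv is also displayed bracketed by ps, so confirm by checking whether /proc/PID/exe resolves to a real binary (true kernel threads have none) before deciding the router needs the factory reset ASUS recommends.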