Posted: Wed Jun 29, 2022 4:15 Post subject: New Malware targeting Routers
This entire article is worth a read and pertinent to DD-WRT, both in the sense of being directly affected, as well as the networking industry as a whole.
Quote:
An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on Tuesday.
So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, infecting routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.
The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.
I can only guess who might have the motivation and sophistication to pull something like this off. Likely Israel, as this reminds me of Stuxnet.
Removal seems "easy", although it seems this only needs to temporarily hijack the router to install further malware:
Quote:
Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware. Two of those malware pieces—dubbed CBeacon and GoBeacon—are custom-made, with the first written for Windows in C++ and the latter written in Go for cross-compiling on Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.
Quote:
Like most router malware, ZuoRAT can't survive a reboot. Simply restarting an infected device will remove the initial ZuoRAT exploit, consisting of files stored in a temporary directory. To fully recover, however, infected devices should be factory reset. Unfortunately, in the event connected devices have been infected with the other malware, they can't be disinfected so easily.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Wed Jun 29, 2022 4:56 Post subject:
Those users who are running current DD-WRT builds routinely have little to be concerned about here; these attacks are directed at stock firmware or firmware which hasn't been patched.
DD-WRT has nothing in common with any stock firmware: the kernels/libraries and components are all currently developed or custom solutions, and if known exploits exist on any and are patched upstream, these are updated in DD-WRT pretty quickly.
On the other hand, stock firmware routinely uses EOL 2.6 kernels/libraries/components; they mostly still use OpenSSL 0.9.8. DD-WRT does not follow any of that nonsense.
And then it's MIPS only, so anyone with ARM/x86 is yet again excluded.
It's up to users to keep DD-WRT updated, and even then there is no guarantee it won't be found vulnerable to something or other.
And this isn't the only issue targeting stock firmware, it is just the latest one to be uncovered. Now imagine how big the iceberg really is below the water line: one of this kind targeting routers (stock firmware) was Cyclops Blink, which was and is far more serious than ZuoRAT.
Joined: 16 Nov 2015 Posts: 6446 Location: UK, London, just across the river..
Posted: Wed Jun 29, 2022 7:18 Post subject:
+1 for Joker
Not everything you read on "Hackers News" as a vulnerability refers to DD-WRT firmware... as our developer BS tends to upgrade/update all binaries and manually fix security flaws as soon as they are discovered... that's why DD-WRT is very up-to-date firmware, not like the 'Stock Firmwares' or any other firmware around... not even OpenWRT is patched that quickly... as DD-WRT is...
Also stock shitty firmwares usually use old Linux kernels and god knows how well/often those are compiled and patched... so yea... keep using stock firmware...
Then again nothing will save you from your bad internet hygiene and bad habits, click here 'n click there... or if you become a target... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
I never said DD-WRT is affected. If nothing else, this is more reason to use DD-WRT, but it's bad juju to think DD-WRT is immune from everything. _________________ Google is Spyware
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Thu Jun 30, 2022 21:26 Post subject:
No one said that DD-WRT is immune to everything.
There is no way to guarantee anything is secure, only that, as far as 3rd party libraries/components and kernels go, these being patched by their respective developers upstream against any reported/known exploits happens in DD-WRT pretty soon after these are made public.
Now, just because something is patched against known exploits, that does not mean there are no unknown attack surfaces left that are yet unknown, either because it has not been made public or because it has not been discovered, yet!
What users should be concerned about is that running patched code is better than not running patched code, but there are those who would rather stay on ancient builds and rely on unicorns for their defense. Their choice; you may as well turn blue in the face shouting about it, these are smarter users, ignorance is bliss after all.
Most of the time a breach happens due to known exploits being abused or because users are victims of social engineering, favoring the latter.
Like I said, what you posted is unrelated to DD-WRT as it stands on the current build, but if you're running some ancient crap, then it's a roll of the dice.
Quote:
What users should be concerned about is that running patched code is better than not running patched code, but there are those who would rather stay on ancient builds and rely on unicorns for their defense. Their choice; you may as well turn blue in the face shouting about it, these are smarter users, ignorance is bliss after all.
I've always wondered about this... if I have some super esoteric setup from god knows when, good luck figuring that out.
Maybe a TempleOS based router. _________________ Google is Spyware
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Fri Jul 01, 2022 18:02 Post subject:
Maybe not. None will save you. But sure, KFC to the rescue.
Nothing to figure out. I understand laziness and unwillingness to upgrade with excuses about some particular setup, but there is no one to blame should things go wrong, and most users would never know if they've been had.
Posted: Tue Jul 05, 2022 15:10 Post subject: Israel? Seriously?
Stuxnet was most likely a US/Israel gov't project that targeted Iranian centrifuges that were used in the enrichment of uranium to manufacture nuclear weapons.
ZuoRAT ultimately is not targeting the routers themselves but all the devices that are connected to them.
Stuxnet had a very narrow purpose that just got out of control from the creators' intent.
ZuoRAT most definitely has a financial motive, a lot of personal and company info on all those devices connected to all those infected routers. I'd say look to Russia maybe even Iran. Definitely not Israel. Israel is concerned about the survival of their nation not pissing even more people off.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Tue Jul 05, 2022 16:12 Post subject:
No one will admit to creating/co-creating Stuxnet but why are we talking about that now?
You want to talk about router-targeting malware, like ZuoRAT and Cyclops Blink, the latter of which could take hold of the flash and survive device resets, in essence living in the infected router forever and ever.