New Malware targeting Routers

DD-WRT Forum Index -> General Questions
Fried Chicken
DD-WRT User


Joined: 12 Jun 2019
Posts: 113

PostPosted: Wed Jun 29, 2022 4:15    Post subject: New Malware targeting Routers
This entire article is worth a read and pertinent to DD-WRT, both in the sense of being directly affected, as well as the networking industry as a whole.

Quote:
An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on Tuesday.

So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, infecting routers made by Cisco, Netgear, Asus, and DayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.


I can only guess who might have the motivation and sophistication to pull something like this off. Likely Israel, as this reminds me of Stuxnet.

Removal seems "easy", although it seems this only needs to temporarily hijack the router to install further malware:
Quote:
Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware. Two of those malware pieces—dubbed CBeacon and GoBeacon—are custom-made, with the first written for Windows in C++ and the latter written in Go for cross-compiling on Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.


Quote:
Like most router malware, ZuoRAT can't survive a reboot. Simply restarting an infected device will remove the initial ZuoRAT exploit, consisting of files stored in a temporary directory. To fully recover, however, infected devices should be factory reset. Unfortunately, in the event connected devices have been infected with the other malware, they can't be disinfected so easily.

Source:
https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/

_________________
So you’re a DD-WRT Expert? Figure this out: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1168315
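The article quoted above describes ZuoRAT hijacking DNS on the router so that connected devices fetch further malware. The following is an added example, not code from the article, the post, or the DD-WRT project: a small Python detector written from the defender's side that scans DNS query logs from LAN clients for three hijack indicators (a client using a resolver other than the configured one, a public name answered with a LAN address, and an answer that disagrees with a known-good set). The log format, the `client=`/`resolver=`/`qname=`/`answer=` fields, the host names, the IP addresses and the known-good answers are all constructed for the demonstration.

```python
"""Flag DNS-hijacking indicators in DNS query logs from LAN clients.

Added example, not from the Ars Technica article or the forum post above.
The log format, hosts, IP addresses and "known-good" answers are all
constructed for the demonstration; adapt LINE_RE to the format your own
resolver or router actually emits.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed log format: one query/answer pair per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) resolver=(?P<resolver>\S+) "
    r"qname=(?P<qname>\S+) answer=(?P<answer>\S+)$"
)

# Only RFC 1918 and loopback count as "LAN" here. ipaddress.is_private would
# also match the documentation ranges used in the sample, so it is not used.
LAN_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Names under these suffixes are expected to resolve to LAN addresses.
LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")


@dataclass(frozen=True)
class Finding:
    line_no: int
    client: str
    qname: str
    reason: str


def is_lan_address(ip: str) -> bool:
    """True if ip parses and lies in an RFC 1918 or loopback range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETWORKS)


def detect_dns_hijack(
    lines: Iterable[str],
    trusted_resolvers: Set[str],
    expected_answers: Dict[str, Set[str]],
) -> List[Finding]:
    """Scan log lines for three hijack indicators and return one Finding each.

    1. a client using a resolver other than the configured ones (clients were
       redirected away from the router's resolver),
    2. a public name answered with a LAN address (response redirected to a
       local interception host),
    3. an answer that disagrees with a known-good set for a monitored name.
    """
    findings: List[Finding] = []
    for no, raw in enumerate(lines, 1):
        m = LINE_RE.match(raw.strip())
        if not m:
            findings.append(Finding(no, "?", "?", "unparseable line"))
            continue
        client, resolver, qname, answer = m.group("client", "resolver", "qname", "answer")
        if resolver not in trusted_resolvers:
            findings.append(Finding(no, client, qname, f"untrusted resolver {resolver}"))
        if not qname.endswith(LOCAL_SUFFIXES) and is_lan_address(answer):
            findings.append(Finding(no, client, qname, f"public name answered with LAN address {answer}"))
        good = expected_answers.get(qname)
        if good is not None and answer not in good:
            findings.append(Finding(no, client, qname, f"answer {answer} not in known-good set"))
    return findings


def findings_by_client(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per client so the most-affected hosts surface first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.client] = counts.get(f.client, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


# Constructed sample: 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for public addresses; 192.168.1.0/24 is the LAN.
TRUSTED_RESOLVERS = {"192.168.1.1"}
EXPECTED_ANSWERS = {"login.example.com": {"203.0.113.10"}}
SAMPLE_LOG = [
    "2022-06-28T10:00:01 client=192.168.1.23 resolver=192.168.1.1 qname=login.example.com answer=203.0.113.10",
    "2022-06-28T10:00:07 client=192.168.1.23 resolver=192.168.1.1 qname=login.example.com answer=192.168.1.1",
    "2022-06-28T10:00:09 client=192.168.1.40 resolver=198.51.100.7 qname=update.example.net answer=203.0.113.55",
    "2022-06-28T10:00:12 client=192.168.1.40 resolver=192.168.1.1 qname=printer.lan answer=192.168.1.50",
    "this line is not a query record",
]

if __name__ == "__main__":
    results = detect_dns_hijack(SAMPLE_LOG, TRUSTED_RESOLVERS, EXPECTED_ANSWERS)
    for f in results:
        print(f"line {f.line_no}: {f.client} {f.qname}: {f.reason}")
    print(findings_by_client(results))
```

The known-good table is the part that needs care: seed it from a resolver you trust (for example a DoT upstream queried directly from a clean host, as several signatures in this thread mention using), not from the router under suspicion, otherwise a hijacked answer simply becomes the baseline.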
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 1630
Location: All over YOUR webs

PostPosted: Wed Jun 29, 2022 4:56
Those users who are running current DD-WRT builds routinely have little to be concerned about here; these attacks are directed at stock firmware or firmware which hasn't been patched.

DD-WRT has nothing in common with any stock firmware, the kernels/libraries and components are all currently developed or custom solutions and if known exploits exist on any and are patched upstream these are updated in DD-WRT pretty quickly.

On the other hand -- stock firmware routinely uses EOL 2.6 kernels/libraries/components, they mostly still use OpenSSL 0.9.8; DD-WRT does not follow any of that nonsense.

And then MIPS only, so anyone with ARM/x86 are yet again excluded.

It's up to users to keep DD-WRT updated, and even then there is no guarantee it won't be found vulnerable to something or other.

And this isn't the only issue targeting stock firmware, it is just the latest one to be uncovered; now imagine how big the iceberg really is below the water line. One of this kind that was targeting routers (stock firmware) was Cyclops Blink, which was and is far more serious than ZuoRAT.

As usual DD-WRT was not affected.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 5180
Location: UK, London, just across the river..

PostPosted: Wed Jun 29, 2022 7:18
+1 for Joker

Not everything you read on "Hackers News" as a vulnerability refers to DD-WRT firmware... as our developer BS tends to upgrade/update all binaries and manually fix security flaws as soon as they are discovered... that's why DD-WRT is a very up-to-date firmware, not like the 'Stock Firmwares' or any other firmware around... not even OpenWRT is patched as quickly as DD-WRT is...
Also stock shitty firmwares usually use old Linux kernels and god knows how well/often those are compiled and patched... so yeah... keep using stock firmware...

Then again nothing will save you from your bad internet hygiene and bad habits, click here 'n click there... or if you become a target...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 49599 WAP
TP-Link WR1043NDv2 -DD-WRT 49599 Gateway,DNS,AP Isolation,Ad-Block,Firewall,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -DD-WRT 49599 Gateway,DNS,Ad-Block,Firewall,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -Gargoyle OS 1.13.0b AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 49626 Gateway,DNS,AD-Block,AP&Net Isolation,VLAN's,Firewall,DoT,Vanilla
Netgear R9000 --DD-WRT 49599 Gateway,DNS,AD-Block,AP Isolation,Firewall,Forced DNS,DoT,2,4Ghz only,Vanilla
Broadcom
Netgear R7000 ---DD-WRT 49626 Gateway,DNS,AD-Block,Firewall,Forced DNS,VLAN's,DoT,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
Fried Chicken
DD-WRT User


Joined: 12 Jun 2019
Posts: 113

PostPosted: Thu Jun 30, 2022 20:51
I never said DD-WRT is affected. If nothing else, this is more reason to use DD-WRT, but it's bad juju to think DD-WRT is immune from everything.
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 1630
Location: All over YOUR webs

PostPosted: Thu Jun 30, 2022 21:26
No one said that DD-WRT is immune to everything.

There is no way to guarantee anything is secure, only that as far as 3rd party libraries/components and kernels are patched by their respective developers upstream against any reported/known exploits, this happens in DD-WRT pretty soon after these are made public.

Now, just because something is patched against known exploits, that does not mean there are no unknown attack surfaces left, either because they have not been made public or because they have not been discovered, yet!

What users should be concerned about is that running patched code is better than not running patched code, but there are those who would rather stay on ancient builds and rely on unicorns for their defense. Their choice. You may as well turn blue in the face shouting about it; these are smarter users, ignorance is bliss after all.

Most of the time a breach happens due to known exploits being abused or because users are victims of social engineering, favoring the latter.

Like I said, what you posted is unrelated to DD-WRT as it stands on current builds, but if you're running some ancient crap, then it's a roll of the dice.

If you really want security, then have no tech, don't go online and go live under a rock. I have my rock picked, so go pick another.

Fried Chicken
DD-WRT User


Joined: 12 Jun 2019
Posts: 113

PostPosted: Fri Jul 01, 2022 17:31
the-joker wrote:
What users should be concerned about is that running patched code is better than not running patched code, but there are those who would rather stay on ancient builds and rely on unicorns for their defense. Their choice. You may as well turn blue in the face shouting about it; these are smarter users, ignorance is bliss after all.


I've always wondered about this... if I have some super esoteric setup from god knows when, good luck figuring that out.

Maybe a TempleOS based router.

the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 1630
Location: All over YOUR webs

PostPosted: Fri Jul 01, 2022 18:02
Maybe not. None will save you. But sure, KFC to the rescue.

Nothing to figure out. I understand laziness and unwillingness to upgrade with excuses about some particular setup, but there is no one to blame should things go wrong, and most users would never know if they've been had.

And this is how/why these particular attacks thrive. I have no sympathy for Timothy.

styro1
DD-WRT Novice


Joined: 17 Nov 2019
Posts: 3

PostPosted: Tue Jul 05, 2022 15:10    Post subject: Israel? Seriously?
Stuxnet was most likely a US/Israel gov't project that targeted Iranian centrifuges that were used in the enrichment of uranium to manufacture nuclear weapons.

ZuoRAT ultimately is not targeting the routers themselves but all the devices that are connected to them.

Stuxnet had a very narrow purpose that just got out of control from the creators' intent.

ZuoRAT most definitely has a financial motive, a lot of personal and company info on all those devices connected to all those infected routers. I'd say look to Russia maybe even Iran. Definitely not Israel. Israel is concerned about the survival of their nation not pissing even more people off.
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 1630
Location: All over YOUR webs

PostPosted: Tue Jul 05, 2022 16:12
No one will admit to creating/co-creating Stuxnet but why are we talking about that now?

You want to talk about router-targeting malware, like ZuoRAT and Cyclops Blink, the latter of which could take hold of the flash and survive device resets, in essence living in the infected router forever and ever.

Only stock firmware affected though.

All times are GMT