
ASUS Routers hit with persistent backdoor - not good!


Also, Thousands of Asus routers are being hit with stealthy, persistent backdoors

Backdoor giving full administrative control can survive reboots and firmware updates.

Thousands of home and small office routers manufactured by Asus are being infected with a stealthy backdoor... ...in an attack by a nation-state or another well-resourced threat actor, researchers said.

Original source of discovery and report: GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers

I note BC reports some SOHO routers from Cisco, D-Link and Linksys were also targeted but that is not reported in the GreyNoise report they cite. :confused:

Apparently, ASUS has yet to develop a permanent patch that works. :(
 
Sounds like it's already been patched, and if you've been affected prior to the patch it's as simple as turning SSH back off?
You'd have to completely flush the storage, hard reset the router, then flash the new firmware. Anyone who's disabled SSH will be unaffected.
 
I don't think that's true. It sounds like they used other exploits to access the router, and with that access enabled SSH (which is off by default).
Not from what I read. The CVE (here) indicates the need for SSH to be both enabled and open to public access. If it's not enabled and not accessible from the internet, the vulnerability cannot be exploited remotely.
 
Blocking port 53282 seems to solve the problem as long as it's caught before an attack.

You'd have to completely flush the storage, hard reset the router, then flash the new firmware. Anyone who's disabled SSH will be unaffected.
That's what I understand too - but for sure, it must be done before infected. But sadly, blocking ports and checking to see if infected does not seem to me to be something less experienced users can easily do. I have some family and older clients who want nothing to do with their router's administration. They just want it to work.
Sounds like it's already been patched, and if you've been affected prior to the patch it's as simple as turning SSH back off?
But there are reports the patch does not work. :(

Ars Technica says,
The only way for router users to determine whether their devices are infected is by checking the SSH settings in the configuration panel. Infected routers will show that the device can be logged in to by SSH over port 53282 using a digital certificate with a truncated key of: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ...

To remove the backdoor, infected users should remove the key and the port setting.
Fortunately (for me) I have an unaffected Netgear Nighthawk router. But just working through my Netgear's admin menu, I see nothing referring to SSH or how to verify if that truncated key is there. Even blocking ports is not straight forward. That function is found under Blocking Services.

I just have to assume at this point that the good guys in the security industry and Netgear (and other router makers) are on top of this. But when it comes to security issues, I hate to assume. I need to see for myself. Can't do that here. :(
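The check the Ars Technica quote describes (SSH bound to port 53282 plus an authorized key starting with the quoted truncated value) can be automated against an exported settings dump. The script below is an added example written for this thread; it is not code from the thread, from ASUS, or from the GreyNoise report. The setting names it looks for (sshd_enable, sshd_wan, sshd_port, sshd_authkeys) and the ">" separator for multiple keys are assumptions about the router's `nvram show` output and must be checked against your own dump; the two sample dumps are constructed, and the bytes following the quoted key prefix in the "infected" sample are filler, not the real key.

```python
"""Added example (not from the thread, ASUS or GreyNoise): scan an exported
router settings dump for the backdoor indicators quoted from Ars Technica."""
import re

# Indicators quoted on this page: SSH listening on 53282 and an authorized
# key whose text begins with this truncated value.
BACKDOOR_KEY_PREFIX = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ"
)
BACKDOOR_PORT = 53282

# ASSUMPTION: setting names follow the router's `nvram show` output.
# Verify them against your own dump before trusting a "clean" result.


def parse_nvram_dump(text: str) -> dict:
    """Parse 'name=value' lines into a dict.

    Only the first '=' separates name from value, because values such as
    base64 keys can themselves contain '='. Blank and '#' lines are skipped.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        settings[name.strip()] = value.strip()
    return settings


def split_authkeys(value: str) -> list:
    """Return individual key strings from an authorized-keys value.

    Keys may be stored one per line, or (ASSUMED for nvram list values)
    separated by '>'. Empty fragments are dropped.
    """
    return [k.strip() for k in re.split(r"[>\n]", value) if k.strip()]


def check_for_backdoor(text: str) -> list:
    """Return a list of human-readable findings; an empty list means none of
    the quoted indicators were present in the dump."""
    cfg = parse_nvram_dump(text)
    findings = []

    port = cfg.get("sshd_port", "")
    if port.isdigit() and int(port) == BACKDOOR_PORT:
        findings.append(
            f"SSH port is {BACKDOOR_PORT} (matches the reported backdoor port)"
        )

    for key in split_authkeys(cfg.get("sshd_authkeys", "")):
        if key.startswith(BACKDOOR_KEY_PREFIX):
            findings.append(
                "authorized key matches the reported backdoor key prefix"
            )

    # The thread's point: the exploit needs SSH both enabled and reachable
    # from the internet, so flag that exposure even without the other signs.
    enabled = cfg.get("sshd_enable", "0") not in ("0", "")
    wan_reachable = cfg.get("sshd_wan", "0") == "1"
    if enabled and wan_reachable:
        findings.append("SSH is enabled and reachable from the WAN side")

    return findings


# Constructed sample dumps (not captured from a real device).
CLEAN_DUMP = """sshd_enable=0
sshd_wan=0
sshd_port=22
sshd_authkeys=
"""

# The text after the quoted prefix is filler for the example, NOT the real key.
INFECTED_DUMP = """sshd_enable=1
sshd_wan=1
sshd_port=53282
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZFILLERFILLERFILLER attacker
"""

if __name__ == "__main__":
    for label, dump in (("clean", CLEAN_DUMP), ("infected", INFECTED_DUMP)):
        print(label, "->", check_for_backdoor(dump) or ["no indicators"])
```

Run it against `nvram show > dump.txt` copied off the router (or the exported settings file, if it uses the same name=value layout). A match on the port alone or on a key you never added is enough to treat the box as compromised; as the thread notes, removing the key and port setting without a full reset and reflash is not a complete cleanup.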
 
I just have to assume at this point that the good guys in the security industry and Netgear (and other router makers) are on top of this. But when it comes to security issues, I hate to assume.
Here's a hint: if your router does not have page(s) for adjusting SSH settings, the router does not have that functionality built in to any degree that would make it vulnerable to exploitation in this way. Any functionality for SSH is just pass-through along the network protocols and as such cannot be used for a backdoor into the router.

Make no mistake, I'm not trying to downplay anything. This is a serious problem that needs proper attention and resolution. Instead, I'm only making sure that the particulars of the problem are properly understood.
 
If you're OK with a bit of tinkering, check out OpenWrt firmware if your router supports it. Cons: not a simple stock interface. Pros: stable, secure and updated.

I don't typically recommend people go the OpenWrt or FreshTomato route until the router is a bit older. You're almost always better off sticking with stock firmware for routers still actively receiving updates.
 
What are the affected models? Or is it all ASUS Routers?
 
I don't typically recommend people go the OpenWrt or FreshTomato route until the router is a bit older. You're almost always better off sticking with stock firmware for routers still actively receiving updates.

Not bad advice for the average user. It's interesting to see some routers ship with OpenWrt out of the box, however.
 
Here's a hint: if your router does not have page(s) for adjusting SSH settings, the router does not have that functionality built in to any degree that would make it vulnerable to exploitation in this way. Any functionality for SSH is just pass-through along the network protocols and as such cannot be used for a backdoor into the router.
Yeah, that makes sense. I have to admit, when my last router (a Linksys) suddenly failed, I had to scramble to find something to replace it. I still had my ancient, long-retired 802.11g Netgear, so I quickly put it in place so I at least had adequate Ethernet.

Anyway, in my haste, I didn't do deep research for features. I didn't want another Linksys and I found the Nighthawk. I liked its 11n/ac specs, so I bought it. I have been very happy with it, but now, with this ASUS issue, I see it is not as full-featured as I might have liked.

Hopefully, next time I'm looking for a new router, I'll have time to research options thoroughly.

What are the affected models? Or is it all ASUS Routers?
Have not seen a complete list. But the following were mentioned:

RT-AC3100, RT-AC3200, and RT-AX55 models.
 
Luckily for me the firmware with the patch was already installed. No sign of compromise. I have the ASUS RT-AX88U.

 