Hello,
How can openwrt be checked for something like BotenaGo?
I'm running 21.02.1 and follow the security hardening guidelines.
There's no suspicion. But can virus or malware checks be performed?
Marc
1 Like
From the AT&T link:
Recommended actions
- Maintain your software with the latest security updates.
- Ensure minimal exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.
- Monitor network traffic, outbound port scans, and unreasonable bandwidth usage.
- It isn’t that long ago I was in a discussion in this forum why it is so important to update the kernel so often or update it at all?
- We have a very nice firewall in OpenWRT that actually covers all of the 2^16 bits of ports. I can guarantee you that not many original firmware firewalls do that!
- This is possible with port mirroring with OpenWRT, if you want.
And most of the gigantic DDoS attacks in resent years are bot infected home routers and IoT that sends a couple of packages each in each attack but they are so many devices…the funny thing with these bots is that they actually guard the router from other bots so you will never have more than one.
But to infect a OpenWRT router once installed and operational and without any stupid settings it will be a hard nut to crack only because of point nr 1 and 2.
I would say OpenWRT is probably more of a target for some kind of supply chain attack. Once installed in a router it will be to hard to crack so a malicious code need to be implemented before the build robots do their thing so it is implemented either in the public pgp key or sha-256 checksum.
And even if you would get a unwanted guest in the router it will probably be a pretty short lived guest if you manage and install the reoccurring upgrades of OpenWRT.
But here we get the question about saving settings because saving settings is a nice way for a malicious script to live on from upgrade to upgrade without anyone noticing.
Some on these exploits are LAN client based - the malware runs something in your browser/pc and attempts to hack any exploitable devices from the LAN side, where there's no firewall.
In those cases, the LAN client's the weakest link, not the router/IoT device.
4 Likes
So true, lateral movement in the network is often overlocked of forgotten. That is a reason to isolate clients in different zones and many clients as raspberrypi, linux and windows computers has their own firewalls.
But Linux most often do not have a firewall installed or activated which Windows has.
And normally all traffic is forwarded from LAN to WAN in the openWRT firewall so noting is stopped from reaching the internet once inside.
these are all good points, but a random online scanner is not likely to check thoroughly. Even Symantec's states that they could miss some.
I have no separate zones in lan. I'm assuming Tivo and TV and all devices in the lan are ok. It's a vulnerability, but not really what I'm asking. Ditto with backups.
Good points, for sure, but my original question is: how can one scan or determine if this new Golang malware is on the router?
It's not clear how to check for this or any others. This one is brand new. Most scanners don't even have it in their malware databases.
I've heard ClamAV can run on OpenWRT. Is this the recommended scanner?
The easiest way is probably to run wireshark on the specified ports the malware use according to the post to see if there is some traffic.
I don’t know what you mean by “online router scanner” but if that works to begin with your router is seriously compromised anyway since the firewall always will stop that kind of activity.
The TV I would say is a high risk IoT device without any protection that isn’t really updated that often, if ever.
The first reply in this thread suggested an online malware scanner.
I read a little but don't think it's possible for an external scanner to be effective, for the reasons you mentioned.
My conclusion thus far is: there's no scanner utility that says, "all clear, yer guuuud."
It seems this type of utility would be (a) useful and (b) available for OpenWRT.
If there was a meaningful possibility for “anti virus” to routers, why haven’t AT&T made one for their own network equipment?
I haven’t seen anything like that from CERT either.
But I don’t know if it would be meaningful because the DDoS bots they have tried to remove by force get really angry since the bot source have your WAN address they will return to the router within 30seconds since the security hole the bot used to begin with is still there until a security upgrade is installed.
But actually the simplest and cheapest way to have anti malware on routers is to kill power to the router once a day since all malwares lives in ram they dies if power is cut. As long as OpenWRT has secured the source code and build robots.
@flygarn12, well, I can't speak for AT&T. They control their own routers, so I'm sure they have reasons.
This isn't the first time I've heard it's a good idea to reboot daily. A crontab to reboot at 4am local time would be a smart addition, perhaps even for a default installation. Or this tip could be added (and the example crontab) to the OpenWRT security hardening page.
It will never happen as a default install setting since routers are supposed to work 24/7.
Not to mention cron is probably the worst alternative there is to make a reboot because of the cron paradox.
If you actually want to kill every bot living in the memory you need to cut power and leave it without power for at least 30seconds and then turn on power again. For that you need a timer on the power line.
A software reboot doesn’t turn off power to the memory.
Obviously you are missing the persistent malwares, which survive the cold boot. To scan the router for a malware one can do a tar backup of the file system and scan this tar for malware, supposing that the checker has the signatures of the malware you are talking about. Even in linux environment most of the malware is windows based. There is possibility to adapt the Clamav in order to scan on the router directly, but I am not sure whether the router is capable to handle the scanning overhead generated by the scanner. When you do have signatuers of the router malware this should be a simple job.
I wouldn’t say I missed it, but as long as the security hole in the firmware is left all malwares will behave as persistent. They either write them self in the actual firmware or survive online and install themself again 30sec after the cold reboot.
That is why no one really care about reboots for protection. What is needed and really counts is the small security updates that must be installed so the malware's doesn’t get entrance to begin with.
For me it would help very much, if somebody develops a tool like (MongoDB is only example)
but for OpenWrt. That shows potential risks in my setup.
1 Like
@Naftali , indeed, this would be very helpful.
Both would be helpful:
(1) a malware scanner that runs on the OpenWRT device, reporting results
(2) a security profiler that checks for common misconfigurations and reports results
I'm surprised they both do not already exist.