atrueidiot1
Solid State Member
- Messages
- 9
- Location
- USA
Hi crazyman,
Just responded to router infections topic above.
There was a separate issue that's been plaguing me in resolving my problem though. From a discussion at Stack Exchange, I saw the following:
Why isn't a factory reset sufficient?
A lot of people would recommend just resetting the device, but this approach is flawed.
Resetting is controlled by the OS. If you do the reset from the device's web interface or reset button, nothing guarantees it will actually reset as the entire web interface is now under control of the compromised firmware, so it can very well "fake" a reset by erasing the configuration and rebooting the device, while leaving the malware alone.
Reinstalling the firmware, or the right way to do it
Reinstalling the firmware is the correct solution, but again, where with conventional computers we can just make them start from known good installation media (thus not loading whatever malicious OS may be on the computer), we can't easily do that with embedded devices such as routers.
Reinstalling from the web interface has the same issues as the reset, as malware could either disable the feature, fake it or do it properly and tamper with the new firmware image on the fly to embed itself into it before installing it, so that even though you are indeed running new firmware it'll still have a little present in it.
Reinstalling from the bootloader itself would work assuming you trust the bootloader. It can be tampered as well, but just like with computers the risk is often dismissed due to the complexity of such an attack, as the malicious bootloader would only work on that particular model and revision, making the attack not cost-effective and would require the attackers to invest in buying the same devices for testing (where as a malware binary would merely require a virtual machine for the device's architecture, and would be portable across all devices sharing the same architecture).
There are multiple ways you can access the bootloader and reinstall directly from there, without loading the malicious OS. They vary from manufacturer to manufacturer, and the documentation often doesn't specify it - the manufacturer may have used an off-the-shelf bootloader and didn't even realize it had that recovery feature. I would recommend searching the OpenWRT table of hardware to see if they have an entry for your device. Chances are it describes how to access the bootloader via TFTP or serial and load a firmware image. You can use this procedure to load either the manufacturer's image, or OpenWRT if it supports your device well enough.
Programming the flash chip, but seriously just buy a new device
When everything else fails, and for some reason you can't buy a new device, there is a way to program the flash chip from a trusted machine, completely bypassing the malicious code that could be on there. The correct procedure varies by manufacturer and model, requires special hardware to interface with the chip (often they use an SPI or I2C interface), and you'd have to get the partition layout right as the firmware files provided by the manufacturer often include only a single partition, or are in a custom format that should be decompressed properly before it can be written onto the flash.
http://security.stackexchange.com/questions/138418/how-do-i-deal-with-a-compromised-network-device
