I have a store-bought consumer router connected to my ISP’s router which is in bridge mode, and it’s one of the few remaining proprietary mystery boxes in my network that I don’t know how to audit. I recently made a post about whether I should switch to pfSense, and this was one of my motivations (though I forgot to mention it in that post).

Is there an effective way to check whether my router is part of a Mirai botnet or some other malware that scanned the internet and found some vulnerability in my router? As far as I know, once infected, things like updating the firmware or pressing the reset button aren’t guaranteed to remove it because it can just take control of those processes and persist. In my specific configuration, can malware from the internet even see my main router or just the ISP router it’s connected to?

In my threat model, I’m most concerned about my local traffic to and from my server being exfiltrated by some cybercrime group as a lot of it is HTTP or HTTP proxy data. Not so much general internet bound traffic which is usually HTTPS or VPN. Obviously I don’t want to be “participating” in botnet attacks or other cybercrime infrastructure either.

  • Vinny_93@lemmy.world · 5 hours ago

    I’m not familiar with how malware like that masks but you can pretty much find any traffic with a tool like Wireshark. It’s just a matter of finding out how processes recreate themselves once killed.

    If something lives in the storage of your router, specifically, I’d see about formatting the storage and flashing new firmware. As you stated, that may not solve anything.

    Regardless of how they enter and what is installed where, once it’s inside your home network it can pretty much access anything. If you wanna be fully secure you’d need a firewall and just block any traffic you don’t specifically whitelist. As you can imagine, this is cumbersome.

    Are you worried that something has infected your network devices? Do you have any reason to suspect something? In some countries, ISPs do some passive monitoring on what goes in and out of your home and if they see anything untoward they’ll disable that bridge device and notify you.
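A concrete way to act on both the original question (is the router scanning the internet like a Mirai bot?) and the suggestion to look at the traffic: capture on the WAN side, between the consumer router and the ISP bridge (a tap, a port mirror, or a small box in between), because traffic the router itself originates never crosses the LAN where a normal Wireshark capture would see it. The script below is an added example, not code from the poster or the commenter. It assumes a constructed, simplified connection log in the form "timestamp src dst dport proto" (the kind of summary you could export from a capture or a firewall log), uses RFC 5737 documentation addresses as constructed sample data, and picks the threshold and window arbitrarily. It flags any source that opens connections to many distinct hosts on ports 23 or 2323 in a short window, which is the well-documented propagation pattern of Mirai-family bots. It is a behavioural check only: a clean result is not proof of a clean router, but firmware-resident malware cannot hide the packets it sends past an external capture point.

```python
"""Flag scanner-like outbound telnet behaviour in a constructed connection log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports that Mirai-family bots probe while spreading (23 = telnet, 2323 = alt telnet).
TELNET_PORTS = {23, 2323}

# Assumed log format: "<ISO timestamp> <src ip> <dst ip> <dst port> <proto>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\w+)$")

# Constructed sample: the router (192.168.1.1) reaches 12 different hosts on
# port 23 within half a minute; a laptop does ordinary HTTPS plus one local
# telnet session; one line is malformed to show the parser skipping it.
SAMPLE_LOG = """\
2024-01-01T10:00:00 192.168.1.1 203.0.113.1 23 tcp
2024-01-01T10:00:03 192.168.1.1 203.0.113.2 23 tcp
2024-01-01T10:00:06 192.168.1.1 203.0.113.3 23 tcp
2024-01-01T10:00:09 192.168.1.1 203.0.113.4 23 tcp
2024-01-01T10:00:12 192.168.1.1 203.0.113.5 23 tcp
2024-01-01T10:00:15 192.168.1.1 203.0.113.6 23 tcp
2024-01-01T10:00:18 192.168.1.1 203.0.113.7 23 tcp
2024-01-01T10:00:21 192.168.1.1 203.0.113.8 23 tcp
2024-01-01T10:00:24 192.168.1.1 203.0.113.9 23 tcp
2024-01-01T10:00:27 192.168.1.1 203.0.113.10 23 tcp
2024-01-01T10:00:30 192.168.1.1 203.0.113.11 23 tcp
2024-01-01T10:00:33 192.168.1.1 203.0.113.12 23 tcp
2024-01-01T10:00:05 192.168.1.20 198.51.100.7 443 tcp
2024-01-01T10:00:20 192.168.1.20 198.51.100.9 443 tcp
2024-01-01T10:00:25 192.168.1.20 192.168.1.50 23 tcp
garbage line here
"""


def parse_line(line):
    """Return (timestamp, src, dst, dport, proto) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    return ts, m.group(2), m.group(3), int(m.group(4)), m.group(5)


def find_scanners(lines, ports=TELNET_PORTS, threshold=10, window_seconds=60):
    """Map each source IP that contacted >= threshold distinct hosts on the
    given ports inside any window_seconds-long window to its peak count."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, _proto = rec
        if dport in ports:
            events[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # chronological, so each start index defines one window
        peak = 0
        for i, (start, _dst) in enumerate(evs):
            distinct = {dst for ts, dst in evs[i:] if ts - start < window}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    hits = find_scanners(SAMPLE_LOG.splitlines())
    for src, count in hits.items():
        print(f"{src}: {count} distinct telnet targets inside one window")
```

Run against a real export, the only interesting source is the router's own WAN address: a LAN host doing this is a different infection, and the threshold should be tuned so that legitimate administration of one or two devices on port 23 never trips it.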