Add additional heuristics

scan.sh

@@ -2,7 +2,7 @@
 # ==============================================================================
 # NCSC-NL Router Malware Detection Script for ASUS routers
 # ==============================================================================
-VERSION=1
+VERSION=2
 THISFILE=$0
 LAUNCHER=$1
 
@@ -18,11 +18,11 @@ wlog() {
 
 # Heuristics
 processes="alogin|microso|\.nttpd|\.nttpd-z|\.sox|asi\.sh"
-filenames="/jffs/\.bin/ntpclient|\.nttpd|\.nttpd-z|\.tst|\.tst\.out|\.nttpd\.pid|\.sox|microso|alogin"
+filenames="/jffs/\.bin/ntpclient|\.nttpd|\.nttpd-z|\.tst|\.tst\.out|\.nttpd\.pid|\.sox|microso|alogin|/jffs/checksumm"
 search_paths="/tmp|/jffs"
-nvram_entries="env_path=/jffs/\.bin|3deCSCIoaQ|NIwZI3pvmJ|as_e4DtOMgfOorTPVnvSXm1D"
-suspicious_strings="8ewMqdWf9K|3deCSCIoaQ|NIwZI3pvmJ|Klq1BtftKC|gSqf7pcEQQ|asi\.sh|31\.170\.22\.195|asi\.ok|asi\.ko|1-arm-le-t|1-mips-le-t|e4DtOMgfOorTPVnvSXm1D|downl_crt.sh"
-hversion=1
+nvram_entries="env_path=/jffs/\.bin|3deCSCIoaQ|NIwZI3pvmJ|as_e4DtOMgfOorTPVnvSXm1D|/bin/sh /jffs/etc/profile"
+suspicious_strings="8ewMqdWf9K|3deCSCIoaQ|NIwZI3pvmJ|Klq1BtftKC|gSqf7pcEQQ|asi\.sh|31\.170\.22\.195|asi\.ok|asi\.ko|1-arm-le-t|1-mips-le-t|e4DtOMgfOorTPVnvSXm1D|downl_crt.sh|AoA6z1AP0V"
+hversion=2
 
 wlog "=== Router Malware Detectie Script ==="
 wlog "Uw ASUSWRT-router is gecontroleerd op tekenen van malware door actieve processen, tijdelijke bestanden en instellingen te onderzoeken."
@@ -73,7 +73,7 @@ echo "$search_paths" | tr '|' '\n' | while read -r dir; do
 done
 
 wlog ""
-wlog "=== Checking NVAM entries ==="
+wlog "=== Checking NVRAM entries ==="
 nvram show 2>/dev/null | grep -i -E "$nvram_entries" | while read -r keyval; do
     wlog "! Suspicious NVRAM entry detected: $keyval"
 done
@@ -108,4 +108,4 @@ wlog "=== Scan Completed ==="
 wlog ""
 
 sync
-umount "$USB_MOUNT_POINT"
+umount "$USB_MOUNT_POINT"