Reply posted to other thread regarding this exploit.
Looking at the initial data I don't think DD-WRT would offer any protection from this exploit. It appears to target the router at the Common Firmware Environment (CFE) level and leverage Busybox to write the “stage-one” code to NVRAM. The CFE loads as part of the boot process of DD-WRT, so all of this happens before DD-WRT is even running. This is also what gives the exploit reboot persistence, something not mentioned in most articles. The reboot recommendation does not clear the malware from an infected router. The FBI request to reboot all consumer routers appears to be an effort to track the extent of the "phone home" capability present in the stage-one code. I would think removing the malware would require a serial TTL telnet session to locate the CRONTAB call to the exploit stored in NVRAM and manually remove said exploit. I have not been able to locate specifically the hardware vulnerability used to gain access to the router at this level, but I have some prime suspects that I will link below along with the sources I have found. Also, the article does not mention other smart devices like Netgear smart switches or range extenders, which are built on similar hardware/firmware. This could be a much bigger issue for all.
https://blog.talosintelligence.com/2018/05/VPNFilter.html
https://wiki.openwrt.org/toh/netgear/telnet.console
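
Added example, not part of the original post: one way to review a saved NVRAM dump for the kind of crontab call the post suggests looking for. It assumes the dump is `key=value` text, one entry per line, as printed by `nvram show`; the function names, key names and values in the sample are constructed for illustration.

```shell
#!/bin/sh
# Flag cron-related entries in a saved NVRAM dump (key=value lines).

# Constructed sample dump, not taken from a real device.
sample_dump() {
cat <<'EOF'
lan_ipaddr=192.168.1.1
router_name=DD-WRT
cron_enable=1
cron_jobs=*/5 * * * * root /tmp/example-placeholder
wl0_ssid=home
custom_task=0 3 * * * /tmp/example-placeholder
rc_startup=echo started
EOF
}

# Read a dump on stdin and print the names of entries to review:
#  - keys whose name mentions "cron", or
#  - values that begin with five cron schedule fields and a command.
find_cron_entries() {
    awk '
    BEGIN {
        f = "[0-9*/,-]+[ \t]+"                # one schedule field
        sched = "^" f f f f f "[^ \t]"        # five fields, then a command
    }
    {
        eq = index($0, "=")
        if (eq == 0) next                     # not a key=value line
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)              # keep any "=" inside the value
        if (tolower(key) ~ /cron/ || val ~ sched) print key
    }'
}

# Stand-alone run against the constructed sample.
sample_dump | find_cron_entries
```

On a device, the same function can be fed a dump captured over the serial console and the flagged entries compared against a known-good configuration backup.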