> Would doing a hard reset of the router by holding the reset button of the router actually remove any backdoors/exploits?
This "hard reset" method just resets the nvram configuration to default values. It doesn't touch the kernel/userland portion of flash. Once someone has code running on your router, they can easily update the firmware in place. This means you should at minimum flash your router with a new trusted firmware file from the manufacturer. (If you download the new file over HTTP, the malicious code on your router could intercept this download and re-inject itself. The mid/high-end Asus routers should be more than fast enough to proxy all of your HTTP connections.)
Many Asus routers use Broadcom's CFE bootloader. Source is available for CFE version 6.0 (used in the AC66U and newer routers), so custom versions can be created with a slightly lower barrier to entry than binary assembly patches.
It's also fairly trivial to modify existing router firmware images, using tools like binwalk and firmware-mod-kit.
With this in mind, your worst case scenario is:
1. The attacker uploaded a new firmware to your device.
2. It includes a modified bootloader to persist the exploit when you do a firmware upgrade via bootloader.
3. It includes a modified kernel/userland with exploit code, and a feature to hide/preserve the affected areas of flash.
This is a relatively unlikely scenario, but could also be hard to detect without externally dumping your SPI flash chip. It's also hard, but not impossible, for an attacker to exfiltrate information from your network unnoticed at this point. Chances are you don't monitor all of your outbound traffic beyond the router if you're running stock firmware.
Another exfiltration method could involve placing the Broadcom wireless chip into client mode and sending data through a nearby wireless network, or just speaking raw wireless frames, which are mostly invisible unless you're specifically monitoring wireless traffic on the same channel. This can be done in a sneaky fashion if your router has dual wireless radios (to do concurrent 2.4GHz and 5GHz) and uses the same SSID for both frequencies. One of the radios can be put into client mode without disrupting connections to the other. It's worth noting you can't run the Broadcom radios I've seen in Asus routers in both client and AP mode (or monitor mode, etc. - check the wl command line tool for control) at the same time, which makes this harder.
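As an added example (not code from the original answer), here is the defender-side check behind the "dump your SPI flash externally" detection step above: it compares a flash dump against a trusted firmware image region by region, treating the nvram area as expected to differ and any change in the bootloader or kernel/userland area as a mismatch. The partition layout and the sample images are constructed for illustration; a real board's map comes from its own bootloader or documentation.

```python
import hashlib

# Constructed, hypothetical layout (start, end, may_differ) for illustration only;
# a real board's partition map comes from its bootloader or documentation.
FLASH_LAYOUT = {
    "cfe":    (0x000, 0x100, False),  # bootloader: must equal the trusted image
    "kernel": (0x100, 0x300, False),  # kernel + userland: must equal the trusted image
    "nvram":  (0x300, 0x400, True),   # configuration: a reset rewrites it, so it may differ
}

def region_digest(image, start, end):
    """SHA-256 of one flash region."""
    return hashlib.sha256(image[start:end]).hexdigest()

def compare_flash(dump, reference, layout=FLASH_LAYOUT):
    """Compare an externally dumped flash image against a trusted firmware image,
    region by region, and return a verdict per region."""
    verdicts = {}
    for name, (start, end, may_differ) in layout.items():
        if len(dump) < end or len(reference) < end:
            verdicts[name] = "truncated: image shorter than layout"
            continue
        if region_digest(dump, start, end) == region_digest(reference, start, end):
            verdicts[name] = "match"
        elif may_differ:
            verdicts[name] = "differs (configuration region, expected)"
        else:
            verdicts[name] = "MISMATCH: code region differs from trusted image"
    return verdicts

def is_trusted(verdicts):
    """True only when every code region matches (configuration regions may differ)."""
    return all(v == "match" or v.startswith("differs") for v in verdicts.values())

def build_sample_images():
    """Constructed sample data: a trusted image, and a dump in which the config
    was changed (harmless) and bytes in the kernel region were altered (suspicious)."""
    reference = bytes(range(256)) * 4          # 0x400 bytes, matches FLASH_LAYOUT
    dump = bytearray(reference)
    dump[0x300:0x310] = b"\x00" * 16           # nvram changed: expected after a reset
    dump[0x200:0x204] = b"\xde\xad\xbe\xef"    # kernel region altered: not expected
    return reference, bytes(dump)

if __name__ == "__main__":
    ref, dump = build_sample_images()
    for region, verdict in compare_flash(dump, ref).items():
        print(f"{region:7s} {verdict}")
    print("trusted:", is_trusted(compare_flash(dump, ref)))
```

The trusted image should itself be fetched over a channel the router cannot tamper with and verified against a hash obtained out of band, for the same reason the answer gives for not upgrading over plain HTTP.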