
Linksys Routers Getting Infected by "TheMoon" Worm

Source: Internet Storm Center | 15 comments

A representative of an ISP located in Wyoming warned SANS Institute's Internet Storm Center (ISC) on Wednesday that, over the last several days, a number of customers had turned up with compromised Linksys routers. These routers, models E1000 and E1200, were scanning other IP addresses on ports 80 and 8080 as fast as they could, saturating the available bandwidth.

Then on Thursday, the Internet Storm Center posted an update with more detail, as the ISC researchers had managed to capture the malware using a system that was intentionally left open to attack. Dubbed "TheMoon," the worm compromises a Linksys router and then scans for other vulnerable devices. Unfortunately, the list of affected routers is longer than what was reported on Wednesday.

"We are aware of a worm that is spreading among various models of Linksys routers," writes Johannes Ullrich, Ph.D. "We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900."

Ullrich says that the worm first connects to port 8080 and requests the "/HNAP1/" URL, which returns an XML-formatted list of the router's features and firmware version. After extracting the router's hardware and firmware versions, the worm sends an exploit to a vulnerable CGI script running on the router.

"The request does not require authentication," Ullrich reports. "The worm sends random 'admin' credentials but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability."

The worm's second request launches a simple shell script. Once that code runs, the infected router begins scanning for other victims.

"An infected router will also serve the binary at a random low port for new victims to download. This http server is only opened for a short period of time, and for each target, a new server with a different port is opened," Ullrich continues.

The worm is about 2 MB in size and carries a list of around 670 networks that appear to belong to cable or DSL ISPs in various countries. The worm also appears to include strings that point to a command and control channel, but the ISC team does not yet know whether such a channel is up and running.

For now, all the worm does is spread.

"This may be a 'bot' if there is a functional command and control channel present," Ullrich warns.

UPDATE: Linksys provided the following statement:

"Linksys is aware of the malware called 'The Moon' that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network, by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks."
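The article describes two facts a defender can act on: the worm identifies its target from the XML that /HNAP1/ returns, and Linksys states the authentication bypass only works with Remote Management Access enabled. The following triage helper is an added example (not ISC or Linksys code) that parses an HNAP device-info body, checks the model against the list Ullrich published, and combines it with the remote-management setting; the sample XML is constructed, and the ModelName/FirmwareVersion element names are assumed from the HNAP GetDeviceSettings response.

```python
import xml.etree.ElementTree as ET

# Models the ISC named as possibly vulnerable "depending on firmware version".
THEMOON_MODELS = frozenset({
    "E4200", "E3200", "E3000", "E2500", "E2100L", "E2000",
    "E1550", "E1500", "E1200", "E1000", "E900",
})

# Constructed sample of what a GET /HNAP1/ on port 8080 might return;
# the element names are assumed from HNAP's GetDeviceSettings response.
SAMPLE_HNAP_XML = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <ModelName>E1200</ModelName>
      <FirmwareVersion>2.0.04</FirmwareVersion>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>"""


def parse_hnap(xml_text):
    """Pull ModelName and FirmwareVersion out of an HNAP body, ignoring
    namespaces.  The body comes from a device on the network, so a parse
    failure returns {} instead of raising."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {}
    found = {}
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]      # drop the "{namespace}" prefix
        if name in ("ModelName", "FirmwareVersion") and el.text:
            found[name] = el.text.strip()
    return found


def triage(xml_text, remote_mgmt_enabled):
    """Classify a router using the ISC model list and Linksys' statement
    that the bypass only works with Remote Management Access enabled."""
    raw = parse_hnap(xml_text).get("ModelName", "")
    model = raw.upper().split()[0] if raw.strip() else ""   # "E1200 v2" -> "E1200"
    if model not in THEMOON_MODELS:
        return "not-listed"
    if remote_mgmt_enabled:
        return "exposed"      # listed model and the management port is reachable
    return "listed-but-remote-mgmt-off"


if __name__ == "__main__":
    print(parse_hnap(SAMPLE_HNAP_XML), triage(SAMPLE_HNAP_XML, True))
```

A "listed-but-remote-mgmt-off" result still means the device is on the ISC list and should get the firmware fix once Linksys publishes it; only "exposed" calls for disabling Remote Management Access and rebooting now.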

  • nocona_xeon, February 14, 2014 8:52 PM (score 1)
    Talked with a Linksys rep a few hours ago because I have one of those models. I referenced this Kevin Parrish article and I could tell the rep was looking it up and reading it and then checking with engineering before responding. Apparently, their engineers are working on a solution and "the fix will be ready when it is ready." The lingo the rep used didn't sound all that confident though... Basically, disable the remote management capability and hope for the best for now. Yeeeesh. This problem arises within how many months of Cisco spinning off Linksys to a different company? I always bought Linksys because the real Cisco stuff was too expensive for the home office, but the Linksys stuff was extremely reliable, manageable, secure, etc., and what I would have considered "prosumer" grade.
  • Darkk, February 14, 2014 9:16 PM (score 0)
    I hate to break it to you but Cisco always treated Linksys as a separate entity. They used the brand name to market Cisco. Now that Belkin owns Linksys hopefully they will get on the ball and get these issues fixed.
  • agnickolov, February 14, 2014 10:49 PM (score 0)
    Disabling remote management should do the trick just fine. If the router is not listening on the port, the worm won't be able to connect to it for certain. I don't understand why anyone would want to enable remote administration for their router in the first place -- it's not like you'll be doing it when not at home. I even disable wireless administration from within the network in case someone cracks the WPA password.
  • mikeynavy1976, February 15, 2014 1:21 AM (score 3)
    Out of curiosity, does this only affect linksys routers with stock firmware? What about the many users that have dd-wrt installed?
  • Freakboi_pa, February 15, 2014 5:37 AM (score 1)
    Personally, I don't see any reason to have remote management set to "on" in the first place... but people need to understand that any time you have a piece of computer hardware (router, PC, console) listening for a connection from outside your own network, you invite trouble in. Playing games and surfing the net are understandable, but anything in your network just waiting for an outside connection and requesting a password for an administrative account is asking for trouble. I don't even use the Admin account on my desktop or PC; that's what "run as" is for. Totally different account and password.
  • axefire0, February 15, 2014 7:45 PM (score 0)
    Sounds like this is the work of Chinese state-sponsored cyber criminals.
  • antilycus, February 16, 2014 10:00 PM (score 0)
    just DDWRT the router and sleep peacefully
  • masmotors, February 16, 2014 10:15 PM (score 0)
    I have one of these routers. I need to turn off the remote thing, I guess.
  • teodoreh, February 16, 2014 11:51 PM (score 0)
    Screw Linksys, they haven't even upgraded the firmware of their expensive routers in order to fix the WPA bug.
  • cypeq, February 17, 2014 1:22 AM (score 0)
    Good that I run an Ovislink open-source router with a custom OS... this is a big hit for Linksys.
  • timaahhh, February 17, 2014 6:50 AM (score 0)
    I agree with agnickolov: disable remote management. If you have a need to remotely manage a router, create a VPN that is inside your network. That is how big companies do it.
  • okibrian, February 17, 2014 9:30 PM (score 1)
    "Out of curiosity, does this only affect linksys routers with stock firmware? What about the many users that have dd-wrt installed?"
    It would have no effect on a router with dd-wrt on it.
  • bloodroses75, February 18, 2014 7:26 AM (score 0)
    Linksys used to be a good company until Cisco got their hands on them. Now they seem to be insecure junk that likes to keep losing their connection every 10 minutes.. I have 2 separate Linksys routers with the exact same issue. Bought a Netgear the third time, haven't had a problem and won't be looking back....
  • nocona_xeon, February 22, 2014 6:18 AM (score 0)
    Aiiieeee I say (from what others have written). My Linksys "experience" began when a D-Link 8-port 1Gbps hub (not a switch) kept dropping connections during lengthy (huge file) transfers. So, I went the "pseudo-manageable switch" way with an SRW2024 (which I could afford). It still works perfectly!! I think I bought it back in 2004 and used the LACP (802.11d?) for even faster connections. I hope they get this solved with their router series...
  • waikano, February 24, 2014 12:36 PM (score 0)
    I know these are unaffected as well, but my old (ancient) WRT54 just keeps running... Tomato works great on it.