Linksys Routers Getting Infected by "TheMoon" Worm

A representative of an ISP located in Wyoming warned SANS Institute's Internet Storm Center (ISC) on Wednesday that over the last several days, a number of customers have developed compromised Linksys routers. These routers, models E1000 and E1200, were scanning other IP addresses on port 80 and 8080 as fast as they could, thus saturating the available bandwidth.

Then on Thursday, the Internet Storm Center was updated again with a bit more detail, as the ISC researchers managed to capture the malware by using a system that was intentionally left open for an attack. Dubbed as "TheMoon," this worm compromises the Linksys router and then scans for other vulnerable devices. Unfortunately, the list of routers is longer than what was previously reported on Wednesday.

"We are aware of a worm that is spreading among various models of Linksys routers," writes Johannes Ullrich, Ph.D. "We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000,E900."

Ullrich says that first the worm connects to port 8080 to request the "/HNAP1/" URL, which will return an XML formatted fist of the router features and firmware versions. After extracting the router's hardware and firmware versions, the worm will send an exploit to a vulnerable CGI script running on the router.

"The request does not require authentication," Ullrich reports. "The worm sends random 'admin' credentials but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability."

The worm's second request will launch a simple shell script. Once this code runs, the infected router will scan for other victims.

"An infected router will also serve the binary at a random low port for new victims to download. This http server is only opened for a short period of time, and for each target, a new server with a different port is opened,” Ullrich continues.

The worm is about 2 MB in size, and has a list of around 670 different networks that appear to be linked to cable or DSL modem ISPs in various countries. The worm also appears to include strings that point to a command and control channel. Currently, the ISC team doesn't know if there is a command control channel up and running.

For now, all the worm does is spread.

"This may be a 'bot' if there is a functional command and control channel present," Ullrich warns.

UPDATE: Linksys provided the following statement:

“Linksys is aware of the malware called “The Moon” that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers.  The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled.  Linksys ships these products with the Remote Management Access feature turned off by default.  Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware.  Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network, by disabling the Remote Management Access feature and rebooting their router to remove the installed malware.  Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks. “

  • nocona_xeon
    Talked with a Linksys rep a few hours ago because I have one of those models. I referenced this Kevin Parrish article and I could tell the rep was looking it up and reading it and then checking with engineering before responding. Apparently, their engineers are working on a solution and "the fix will be ready when it is ready." The lingo the rep used didn't sound all that confident though... Basically, disable the remote management capability and hope for the best for now. Yeeeesh. This problem arises within how many months of Cisco spinning-off Linksys to a different company? I always bought Linksys because the real Cisco stuff was too expensive for the home office but the Linksys stuff was extremely reliable, manageable, secure, etc and what I would have considered "prosumer" grade.
  • Darkk
    I hate to break it to you but Cisco always treated Linksys as a separate entity. They used the brand name to market Cisco. Now that Belkin owns Linksys hopefully they will get on the ball and get these issues fixed.
  • agnickolov
    Disabling remote management should do the trick just fine. If the router is not listening on the port the worm won't be able to connect to it for certain. I don't understand why would anyone want to enable remote administration for their router in the first place -- it's not like you'll be doing it when not at home. I even disable wireless administration from within the network in case someone cracks the WPA password.
  • mikeynavy1976
    Out of curiosity, does this only affect linksys routers with stock firmware? What about the many users that have dd-wrt installed?
  • Freakboi_pa
    Personally I don't see any reason to have remote manager set to "on" in the first place.... but... people need to understand that anytime you have a piece of computer hardware connected listening for a connection outside of your own network, router, PC, consoles, you invite trouble in. Playing games, surfing the net, they are understandable, but anything that is in your network just waiting for an outside connection requesting a password for an administrative account, is just asking for trouble, I don't even use the Admin account on my desktop or PC, that's what the "run as" is for. Totally different account and password.
  • axefire0
    Sounds like this is the work of Chinese state-sponsored cyber crminals.
  • antilycus
    just DDWRT the router and sleep peacefully
  • masmotors
    i have one of these routers i need to turn off the remote thing i guess
  • teodoreh
    Screw Linksys, they haven't even upgrades the firmaware of their expensive routers in order to fix the WPA bug.
  • cypeq
    Good that I run ovislink open source router with custom os... this is a big hit for linksys.