
Linksys router users are hit by 'The Moon' worm

Updated: Turning off Remote Management Access and rebooting the router blocks the attack and clears the malware; a firmware fix is still to come
Fri Feb 14 2014, 16:47

THOSE THAT HAVE Linksys routers should beware, as they are potentially at risk from a computer worm that exploits an authentication bypass vulnerability in the devices' firmware, security researchers at the SANS Institute's Internet Storm Center (ISC) have warned.

The self-replicating programme is affecting Linksys E-series models E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000 and E900, and possibly others depending on firmware version; the ISC does not yet have a comprehensive list of the Linksys router models that are vulnerable.

"The worm will connect first to port 8080, and if necessary using SSL, to request the "/HNAP1/" URL," ISC explained on a diary post. "This will return an XML formatted list of router features and firmware versions. The worm appears to extract the router hardware version and the firmware revision."

The ISC said that the worm then sends an exploit to a vulnerable CGI script running on these routers, and that the request does not require authentication.

"The worm sends random 'admin' credentials but they are not checked by the script," the security researchers warned.

A second request then launches a simple shell script on the router, which downloads the worm binary itself.
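The fingerprinting step described above (fetch /HNAP1/ on port 8080, pull the model and firmware version out of the XML, decide whether the device is a target) can be turned into a quick audit check for your own router. The script below is an added example written for this article; it is not the worm's code and not ISC's or Belkin's. It parses a constructed HNAP1 reply and checks the model against the list the ISC published. The element names ModelName and FirmwareVersion, the SOAP envelope and the firmware string are assumptions in the shape of an HNAP GetDeviceSettings reply; your device may use different element names, so adjust the tag matching to what it actually returns. The fetch_hnap helper is included so the same logic can be pointed at a live router, but the offline sample never touches the network.

```python
"""Fingerprint a Linksys router from its HNAP1 reply and check the model
against the E-series list reported as affected by 'The Moon'.

Added example for this article; not code from the worm, SANS ISC or Belkin.
ASSUMPTION: element names (ModelName, FirmwareVersion), the SOAP envelope
and the firmware string below are constructed in the shape of an HNAP
GetDeviceSettings reply; real replies may differ by firmware.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Models the ISC named as affected (more may be, depending on firmware).
AFFECTED_MODELS = {
    "E4200", "E3200", "E3000", "E2500", "E2100L", "E2000",
    "E1550", "E1500", "E1200", "E1000", "E900",
}

# Constructed sample reply (not captured from a real device).
SAMPLE_HNAP_REPLY = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
      <Type>GatewayWithWiFi</Type>
      <DeviceName>Linksys E2500</DeviceName>
      <VendorName>Linksys</VendorName>
      <ModelName>E2500</ModelName>
      <FirmwareVersion>1.0.05 build 1</FirmwareVersion>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>
"""


def fetch_hnap(host, port=8080, use_tls=False, timeout=5):
    """Request /HNAP1/ the way the worm does: port 8080, TLS if the router
    insists on it. Routers present self-signed certificates, so verification
    is switched off for this local audit. Not exercised by the offline sample."""
    scheme = "https" if use_tls else "http"
    url = f"{scheme}://{host}:{port}/HNAP1/"
    ctx = None
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace")


def _local(tag):
    """Strip an XML namespace: '{http://...}ModelName' -> 'ModelName'."""
    return tag.rsplit("}", 1)[-1]


def parse_hnap_reply(xml_text):
    """Return {'model': ..., 'firmware': ...} found anywhere in the reply,
    ignoring namespaces so the SOAP wrapper does not matter."""
    root = ET.fromstring(xml_text)
    found = {}
    for el in root.iter():
        name = _local(el.tag)
        if name == "ModelName":
            found["model"] = (el.text or "").strip()
        elif name == "FirmwareVersion":
            found["firmware"] = (el.text or "").strip()
    return found


def is_affected_model(model):
    """True if the model string appears in the ISC list (case-insensitive)."""
    return model.strip().upper() in AFFECTED_MODELS


def assess(xml_text, remote_management_enabled):
    """Combine the fingerprint with the exposure condition Belkin stated:
    the authentication bypass only works with Remote Management Access on."""
    info = parse_hnap_reply(xml_text)
    model = info.get("model", "")
    listed = is_affected_model(model)
    if not listed:
        verdict = "model not in published list (check firmware anyway)"
    elif remote_management_enabled:
        verdict = "EXPOSED: listed model with remote management on; disable it and reboot"
    else:
        verdict = "listed model, but remote management off; not reachable by this worm"
    return {"model": model, "firmware": info.get("firmware", ""),
            "listed": listed, "verdict": verdict}


if __name__ == "__main__":
    # Offline run against the constructed reply; swap in fetch_hnap(host)
    # to check a real device on your own network.
    print(assess(SAMPLE_HNAP_REPLY, remote_management_enabled=True))
```

The verdict deliberately keys on the Remote Management Access setting rather than on the firmware string alone: per Belkin, a listed model with that feature off is not reachable by this worm, while a listed model with it on should be taken off the WAN and rebooted regardless of firmware until the fix ships.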

"The worm is about 2MB in size, samples that we captured so far appear pretty much identical but for a random trailer at the end of the binary. The file is an ELF MIPS binary," the ISC added.

Once this code runs, the infected router then scans for other victims. ISC said that the worm includes a list of about 670 different networks, all of which appear to be linked to cable or DSL modem ISPs in various countries.

"An infected router will also serve the binary at a random low port for new victims to download. This http server is only opened for a short period of time, and for each target, a new server with a different port is opened," the ISC explained.

The ISC researchers do not yet know for certain whether there is a command and control channel, but said the worm contains strings that suggest one.

"The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie 'The Moon' which we used as a name for the worm," the ISC said, adding that the computer worm could turn out to be a bot if there is a functional command and control channel present.

Belkin, which owns the Linksys brand, confirmed that it is aware of the worm affecting older Linksys E-Series routers and Wireless-N access points and routers, and followed up with a statement.

The statement read, "The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled.

"Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware."

The firm said that customers who have enabled the Remote Management Access feature can protect their network by disabling it and then rebooting the router, which removes the installed malware.

"Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks," the company added.

