Linksys Routers Getting Infected by "TheMoon" Worm

A representative of an ISP located in Wyoming warned SANS Institute's Internet Storm Center (ISC) on Wednesday that over the last several days, a number of customers have developed compromised Linksys routers. These routers, models E1000 and E1200, were scanning other IP addresses on port 80 and 8080 as fast as they could, thus saturating the available bandwidth.

Then on Thursday, the Internet Storm Center was updated again with a bit more detail, as the ISC researchers managed to capture the malware by using a system that was intentionally left open for an attack. Dubbed as "TheMoon," this worm compromises the Linksys router and then scans for other vulnerable devices. Unfortunately, the list of routers is longer than what was previously reported on Wednesday.

"We are aware of a worm that is spreading among various models of Linksys routers," writes Johannes Ullrich, Ph.D. "We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000,E900."

Ullrich says that the worm first connects to port 8080 to request the "/HNAP1/" URL, which returns an XML-formatted list of the router's features and firmware versions. After extracting the router's hardware and firmware versions, the worm sends an exploit to a vulnerable CGI script running on the router.

"The request does not require authentication," Ullrich reports. "The worm sends random 'admin' credentials but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability."

The worm's second request will launch a simple shell script. Once this code runs, the infected router will scan for other victims.

"An infected router will also serve the binary at a random low port for new victims to download. This http server is only opened for a short period of time, and for each target, a new server with a different port is opened," Ullrich continues.

The worm is about 2 MB in size, and has a list of around 670 different networks that appear to be linked to cable or DSL modem ISPs in various countries. The worm also appears to include strings that point to a command and control channel. Currently, the ISC team doesn't know whether that command and control channel is actually up and running.

For now, all the worm does is spread.
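As an added example (not code from the article or from the ISC diary), the following Python script applies two of the signals described above to constructed flow records: the outbound fan-out to ports 80/8080 that the ISP noticed on its infected routers, and inbound /HNAP1/ fingerprinting requests on port 8080 arriving from outside the LAN. The record format, sample addresses, fan-out threshold and LAN prefix are all assumptions made for the example.

```python
"""Heuristics for spotting TheMoon-style activity in simplified flow/HTTP
records. Added example; not code from the ISC diary or from the article."""
import re
from collections import defaultdict

# Constructed sample records: "<src> <dst> <dport> <request-path>"
# ("-" means no HTTP request path was observed on that flow).
# 10.0.0.5 fans out to many hosts on 80/8080 like an infected router;
# 198.51.100.7 probes the HNAP1 interface of 10.0.0.9 on 8080 from outside.
SAMPLE_RECORDS = """\
10.0.0.5 203.0.113.10 80 -
10.0.0.5 203.0.113.11 8080 /HNAP1/
10.0.0.5 203.0.113.12 80 -
10.0.0.5 203.0.113.13 8080 -
10.0.0.5 203.0.113.14 80 -
10.0.0.5 203.0.113.15 8080 /HNAP1/
10.0.0.9 203.0.113.10 443 -
10.0.0.9 203.0.113.10 80 /index.html
198.51.100.7 10.0.0.9 8080 /HNAP1/
192.168.1.20 192.168.1.1 8080 /HNAP1/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+)$")
WEB_PORTS = {80, 8080}


def parse_records(text):
    """Parse the constructed record format into (src, dst, dport, path) tuples."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, dst, dport, path = m.groups()
            out.append((src, dst, int(dport), path))
    return out


def find_scanners(records, threshold=5):
    """Sources contacting >= threshold distinct hosts on 80/8080: the fan-out
    pattern the ISP saw from infected E1000/E1200 routers (threshold assumed)."""
    targets = defaultdict(set)
    for src, dst, dport, _ in records:
        if dport in WEB_PORTS:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def find_hnap_probes(records, lan_prefix="192.168.1."):
    """HNAP1 fingerprinting requests on 8080 from outside the LAN: the worm's
    first step before it sends the exploit. LAN prefix is a simplification."""
    return [(src, dst) for src, dst, dport, path in records
            if dport == 8080 and path.upper().startswith("/HNAP1")
            and not src.startswith(lan_prefix)]
```

Disabling remote management, as the commenters below suggest, removes the listener that the second heuristic watches for; the first heuristic still catches a router that was already infected.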

"This may be a 'bot' if there is a functional command and control channel present," Ullrich warns.

  • nocona_xeon
    Talked with a Linksys rep a few hours ago because I have one of those models. I referenced this Kevin Parrish article and I could tell the rep was looking it up and reading it and then checking with engineering before responding. Apparently, their engineers are working on a solution and "the fix will be ready when it is ready." The lingo the rep used didn't sound all that confident though... Basically, disable the remote management capability and hope for the best for now. Yeeeesh. This problem arises within how many months of Cisco spinning-off Linksys to a different company? I always bought Linksys because the real Cisco stuff was too expensive for the home office but the Linksys stuff was extremely reliable, manageable, secure, etc and what I would have considered "prosumer" grade.
  • Darkk
    I hate to break it to you but Cisco always treated Linksys as a separate entity. They used the brand name to market Cisco. Now that Belkin owns Linksys hopefully they will get on the ball and get these issues fixed.
  • agnickolov
    Disabling remote management should do the trick just fine. If the router is not listening on the port, the worm won't be able to connect to it for certain. I don't understand why anyone would want to enable remote administration for their router in the first place -- it's not like you'll be doing it when not at home. I even disable wireless administration from within the network in case someone cracks the WPA password.