A representative of an ISP located in Wyoming warned SANS Institute's Internet Storm Center (ISC) on Wednesday that over the last several days, a number of customers have developed compromised Linksys routers. These routers, models E1000 and E1200, were scanning other IP addresses on port 80 and 8080 as fast as they could, thus saturating the available bandwidth.
Then on Thursday, the Internet Storm Center was updated again with a bit more detail, as the ISC researchers managed to capture the malware by using a system that was intentionally left open for an attack. Dubbed as "TheMoon," this worm compromises the Linksys router and then scans for other vulnerable devices. Unfortunately, the list of routers is longer than what was previously reported on Wednesday.
"We are aware of a worm that is spreading among various models of Linksys routers," writes Johannes Ullrich, Ph.D. "We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000,E900."
Ullrich says that first the worm connects to port 8080 to request the "/HNAP1/" URL, which will return an XML formatted fist of the router features and firmware versions. After extracting the router's hardware and firmware versions, the worm will send an exploit to a vulnerable CGI script running on the router.
"The request does not require authentication," Ullrich reports. "The worm sends random 'admin' credentials but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability."
The worm's second request will launch a simple shell script. Once this code runs, the infected router will scan for other victims.
"An infected router will also serve the binary at a random low port for new victims to download. This http server is only opened for a short period of time, and for each target, a new server with a different port is opened,” Ullrich continues.
The worm is about 2 MB in size, and has a list of around 670 different networks that appear to be linked to cable or DSL modem ISPs in various countries. The worm also appears to include strings that point to a command and control channel. Currently, the ISC team doesn't know if there is a command control channel up and running.
For now, all the worm does is spread.
"This may be a 'bot' if there is a functional command and control channel present," Ullrich warns.