"TheMoon" Worm Infecting Linksys Routers

Brittany Vincent

Your Linksys router could be vulnerable

As if worrying about your PC and smartphones weren't enough, now you've got to go on the defensive when it comes to your wireless routers. According to reports from the SANS Institute's Internet Storm Center (ISC), customers of a Wyoming ISP have reported compromised Linksys routers. The culprit? Malware known only as "TheMoon," malicious software that first compromises Linksys routers and then scans for other devices that may also be vulnerable.

Initial reports named only the E1000 and E1200 as affected models, but updates at the Internet Storm Center have since listed a wider set of models that could be vulnerable: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, and E900.

The worm's primary goal is simply to spread, saturating whatever bandwidth is currently available. It connects to port 8080 on a target router to retrieve its feature and firmware information, then sends an exploit to a specific CGI script on the router that does not require authentication. A shell script is then launched on the newly infected router, which in turn scans for other routers it can reach. The worm itself is a 2 MB file, but it carries a list of about 670 networks tied to cable modems in different countries. If you've got one of these routers, you might want to take special care.
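The spreading sequence described above (an info probe on port 8080, an unauthenticated request to a CGI script, then fan-out scanning) is what a defender would look for in router-facing connection logs. The detector below is an added example, not code from the article or from ISC; it runs over a constructed, simplified log format, and the request paths `/firmware-info` and `/cgi-bin/` are assumed placeholders, since the article does not name the actual CGI script or probe.

```python
from collections import defaultdict
# Assumed placeholders: the article names neither the CGI script nor the info request.
INFO_PATH = "/firmware-info"
CGI_PREFIX = "/cgi-bin/"
WORM_PORT = 8080
# Constructed sample log, fields: time src dst dst_port method path authenticated
SAMPLE_LOG = """\
1 203.0.113.5 192.0.2.10 8080 GET /firmware-info no
2 203.0.113.5 192.0.2.10 8080 POST /cgi-bin/placeholder.cgi no
3 198.51.100.7 192.0.2.10 8080 GET /firmware-info no
4 198.51.100.7 192.0.2.10 8080 POST /cgi-bin/placeholder.cgi yes
5 192.0.2.10 192.0.2.11 8080 GET /firmware-info no
6 192.0.2.10 192.0.2.12 8080 GET /firmware-info no
7 192.0.2.10 192.0.2.13 8080 GET /firmware-info no
"""

def parse_log(text):
    events = []
    for line in filter(None, text.splitlines()):
        t, src, dst, port, method, path, auth = line.split()
        events.append({"t": int(t), "src": src, "dst": dst, "port": int(port),
                       "method": method, "path": path, "auth": auth == "yes"})
    return events

def find_exploit_sequences(events):
    # (src, dst) pairs where an info probe on 8080 precedes an unauthenticated CGI POST
    probed, hits = set(), []
    for e in sorted(events, key=lambda e: e["t"]):
        if e["port"] != WORM_PORT:
            continue
        key = (e["src"], e["dst"])
        if e["method"] == "GET" and e["path"] == INFO_PATH:
            probed.add(key)
        elif (e["method"] == "POST" and e["path"].startswith(CGI_PREFIX)
              and not e["auth"] and key in probed):
            hits.append(key)
    return hits

def find_scanners(events, min_targets=3):
    # sources touching many distinct hosts on 8080: an infected router fanning out
    targets = defaultdict(set)
    for e in events:
        if e["port"] == WORM_PORT:
            targets[e["src"]].add(e["dst"])
    return sorted(s for s, d in targets.items() if len(d) >= min_targets)

def analyze(text=SAMPLE_LOG):
    events = parse_log(text)
    return {"exploited": find_exploit_sequences(events),
            "scanners": find_scanners(events)}
```

On the sample, the first source is flagged as an infection (probe followed by an unauthenticated CGI POST), the second is not because its POST was authenticated, and the newly infected router 192.0.2.10 shows up as a scanner.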

More information can be found at Ullrich's blog at ISC.

Update: Linksys has issued a statement regarding the worm:

“Linksys is aware of the malware called ‘The Moon’ that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks.”
