Worm 'TheMoon' infects Linksys routers

A self-replicating program infects Linksys routers by exploiting an authentication bypass vulnerability

A self-replicating program is infecting Linksys routers by exploiting an authentication bypass vulnerability in various models from the vendor's E-Series product line.

Researchers from SANS Institute's Internet Storm Center (ISC) issued an alert Wednesday about incidents where Linksys E1000 and E1200 routers had been compromised and were scanning other IP (Internet Protocol) address ranges on ports 80 and 8080. On Thursday the ISC researchers reported that they managed to capture the malware responsible for the scanning activity in one of their honeypots -- systems intentionally left exposed to be attacked.

The attacks seems to be the result of a worm -- a self-replicating program -- that compromises Linksys routers and then uses those routers to scan for other vulnerable devices.

"At this point, we are aware of a worm that is spreading among various models of Linksys routers," said Johannes Ullrich, the chief technology officer at SANS ISC, in a separate blog post. "We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900."

The worm, which has been dubbed TheMoon because it contains the logo of Lunar Industries, a fictitious company from the 2009 movie "The Moon," begins by requesting a /HNAP1/ URL from devices behind the scanned IP addresses. HNAP -- the Home Network Administration Protocol -- was developed by Cisco and allows identification, configuration and management of networking devices.

The worm sends the HNAP request in order to identify the router's model and firmware version. If it determines that a device is vulnerable, it sends another request to a particular CGI script that allows the execution of local commands on the device.

SANS has not disclosed the name of the CGI script because it contains an authentication bypass vulnerability. "The request does not require authentication," Ullrich said. "The worm sends random 'admin' credentials but they are not checked by the script."

The worm exploits this vulnerability to download and execute a binary file in ELF (Executable and Linkable) format compiled for the MIPS platform. When executed on a new router, this binary begins scanning for new devices to infect. It also opens an HTTP server on a random low-numbered port and uses it to serve a copy of itself to the newly identified targets.

The binary contains a hardcoded list of over 670 IP address ranges that it scans, Ullrich said. "All appear to be linked to cable or DSL modem ISPs in various countries."

It's not clear what the purpose of the malware is other than spreading to additional devices. There are some strings in the binary that suggest the existence of a command-and-control server, which would make the threat a botnet that attackers could control remotely.

Linksys is aware of the vulnerability in some E-Series routers and is working on a fix, said Mike Duin, a spokesman for Linksys owner Belkin, in an email Friday.

Ullrich outlined several mitigation strategies in comments to his blog post. First of all, routers that are not configured for remote administration are not directly exposed to this attack. If a router needs to be administered remotely, restricting access to the administrative interface by IP address will help reduce the risk, Ullrich said. Changing the port of the interface to something other than 80 or 8080, will also prevent this particular attack, he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags LinksysSANS InstituteNetworkingsecurityAccess control and authenticationroutersbelkinExploits / vulnerabilitiesmalwarenetworking hardwareintrusion

More about Belkin AustraliaCGICiscoLinksysSANS Institute

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts