TweakTown

"The Moon" worm infecting Linksys home and SMB routers

A self-replicating worm that takes advantage of a vulnerability found in the router's firmware and spreading the infection across

| Networking News | Posted: Feb 17, 2014 7:27 pm

A self-replicating worm called "TheMoon" is taking advantage of an authentication vulnerability found in the Linksys E-Series router product line-up. It was discovered by the SANS Institute's Internet Storm Center, which immediately posted a warning when Linksys E1000 and E1200 routers were found to be scanning IP address ranges on ports 80 and 8080.

 


 

The worm infects these routers by exploiting an authentication bypass vulnerability in the firmware. ISC explained that the worm first connects to port 8080 and, if necessary, uses a '/HNAP1/' URL. This returns an XML-formatted list of router and firmware details. Once the worm knows that a particular router has the vulnerability, it exploits a script in the firmware, which allows access to such routers without authentication credentials. The worm then simply spreads itself and uses up the remaining bandwidth. The worm is a 2MB file and carries a list of about 670 networks from different countries.
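The two behaviours described above (a router scanning many addresses on ports 80 and 8080, and requests for the '/HNAP1/' URL) can be looked for in perimeter logs. The following is an added example, not code from ISC, Linksys or the article; the log format, sample records, function names and the thresholds `min_targets` and `window` are assumptions made for illustration.

```python
from collections import defaultdict

SCAN_PORTS = {80, 8080}   # ports the article says infected routers scan
PROBE_PATH = "/HNAP1/"    # URL the article says the worm requests

# Constructed sample records: "epoch_seconds src_ip dst_ip dst_port http_path"
# ("-" means no HTTP request was logged). Addresses are documentation ranges.
SAMPLE_LOG = """\
1000 192.0.2.1 198.51.100.10 8080 /HNAP1/
1001 192.0.2.1 198.51.100.11 8080 /HNAP1/
1002 192.0.2.1 198.51.100.12 80 -
1003 192.0.2.1 198.51.100.13 8080 -
1004 192.0.2.1 198.51.100.14 80 -
1005 192.0.2.50 203.0.113.7 443 -
1006 192.0.2.50 203.0.113.7 80 /index.html
1400 192.0.2.60 198.51.100.10 8080 /HNAP1/
"""

def parse(log_text):
    """Yield (ts, src, dst, port, path) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit() or not parts[3].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2], int(parts[3]), parts[4]

def find_scanners(log_text, min_targets=5, window=60):
    """Sources that hit >= min_targets distinct hosts on 80/8080 within window seconds."""
    hits = defaultdict(list)          # src -> [(ts, dst), ...]
    for ts, src, dst, port, _ in parse(log_text):
        if port in SCAN_PORTS:
            hits[src].append((ts, dst))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

def find_hnap_probes(log_text):
    """Sources that requested the HNAP1 URL, with the number of requests each made."""
    counts = defaultdict(int)
    for _, src, _, _, path in parse(log_text):
        if path.rstrip("/").upper() == PROBE_PATH.rstrip("/"):
            counts[src] += 1
    return dict(counts)
```

On the constructed sample, `find_scanners(SAMPLE_LOG)` flags only 192.0.2.1, while `find_hnap_probes(SAMPLE_LOG)` also lists 192.0.2.60, whose single request falls below the scan threshold.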

 

So far, these are the Linksys E-Series routers known to be affected by TheMoon worm: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, and E900. Linksys has published a solution in its knowledge base on how to prevent TheMoon malware from affecting its routers. Linksys router users simply need to enable 'Filter Anonymous Internet Requests' and power-cycle their router, which should clear the cache and remove the malware if the router was already infected.

 

UPDATE: Linksys has issued an official response which has been quoted in full below.

 

"Linksys is aware of the malware called "The Moon" that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network, by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks."

NEWS SOURCES: Maximumpc.com
