Technology content trusted in North America and globally since 1999
8,554 Reviews & Articles | 66,482 News Posts

"The Moon" worm infecting Linksys home and SMB routers

A self replicating worm that takes advantage of a vulnerable exploit found in the router's firmware and spreading the infection across

By: Roshan Ashraf Shaikh from Feb 17, 2014 @ 13:27 CST

A self replicating worm called "TheMoon" is taking advantage of an authentication vulnerability found in Linksys E-Series routers product line-up. This was discovered by SANS Institute's Internet Storm Center who immediately posted a warning when Linksys E1000 and E1200 were found to be scanning IP address ranges on ports 80 and 8080.


The worm infects these routers by exploiting an authentication bypass vulnerability on the firmware. ISC explained that the worm would first connect to port 8080 and if its necessary, it uses a '/HNAP1/' URL. This would prompt an xml formatted list of the router and the firmware details. Once the worm knows that a particular router has that vulnerability, it exploits the script in the firmware after which allows access to such routers without authentication credentials. The worm simply spreads itself and stifles the remaining bandwidth. The worm is a 2MB file and it has a list of about 670 networks from different countries.

So far, these are the Linksys E-Serious routers that are known to get affected by TheMoon worm: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, and E900. Linksys did provide a solution in their knowledge on how to prevent TheMoon malware affecting their routers. Linksys Router users simply need to enable 'Filter Anonymous Internet Requests' and power-cycle their router which should clear the cache and remove the malware if the router was already infected.

UPDATE: Linksys has issued an official response which has been quoted in full below.

"Linksys is aware of the malware called "The Moon" that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network, by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks. "


Related Tags