"The Moon" worm infecting Linksys home and SMB routers

A self-replicating worm exploits an authentication vulnerability in the routers' firmware and spreads the infection from router to router.


A self-replicating worm called "TheMoon" is taking advantage of an authentication vulnerability in the Linksys E-Series router line-up. It was discovered by the SANS Institute's Internet Storm Center (ISC), which posted a warning immediately after Linksys E1000 and E1200 routers were found scanning IP address ranges on ports 80 and 8080.


The worm infects these routers by exploiting an authentication bypass vulnerability in the firmware. ISC explained that the worm first connects to port 8080 and, if necessary, requests the '/HNAP1/' URL. This returns an XML-formatted list of the router model and firmware details. Once the worm knows that a particular router carries the vulnerability, it exploits the affected script in the firmware, which grants access to the router without authentication credentials. The worm then simply spreads itself further and consumes the remaining bandwidth. It is a 2MB file and carries a list of about 670 networks in different countries.

So far, these are the Linksys E-Series routers known to be affected by TheMoon worm: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, and E900. Linksys has provided a solution in its knowledge base on how to prevent TheMoon malware from affecting these routers. Linksys router users simply need to enable 'Filter Anonymous Internet Requests' and power-cycle the router, which should clear the cache and remove the malware if the router was already infected.
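As an added illustration (not code from the article, ISC or Linksys), the following Python script flags the scanning pattern described above in constructed log lines: a single source requesting '/HNAP1/' on ports 80 or 8080 from many distinct hosts, which is the fan-out of a worm rather than a management client, and a helper that checks whether a model string from such an inventory names one of the listed E-Series models. The log format, sample addresses and model strings are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real captures). Assumed format:
# "<src_ip> <dst_ip>:<dst_port> <METHOD> <path>"
SAMPLE_LOG = """\
203.0.113.7 192.0.2.10:8080 GET /HNAP1/
203.0.113.7 192.0.2.11:8080 GET /HNAP1/
203.0.113.7 192.0.2.12:80 GET /HNAP1/
203.0.113.7 192.0.2.13:8080 GET /HNAP1/
198.51.100.4 192.0.2.10:8080 GET /HNAP1/
198.51.100.9 192.0.2.10:443 GET /index.html
"""

# Models the article lists as affected by TheMoon.
AFFECTED_MODELS = {"E4200", "E3200", "E3000", "E2500", "E2100L", "E2000",
                   "E1550", "E1500", "E1200", "E1000", "E900"}

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (\S+)$")

def parse_log(text):
    """Return (src, dst, port, method, path) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, dst, port, method, path = m.groups()
            events.append((src, dst, int(port), method, path))
    return events

def hnap_probers(events, min_targets=3):
    """Sources that requested /HNAP1/ on port 80 or 8080 from at least
    min_targets distinct hosts. One admin client talks to one router;
    a scanning worm fans out across many."""
    targets = defaultdict(set)
    for src, dst, port, _method, path in events:
        if port in (80, 8080) and path.startswith("/HNAP1/"):
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}

def is_affected_model(model_string):
    """True if a model string (e.g. from an HNAP inventory) names a listed E-Series model."""
    tokens = set(re.findall(r"E\d{3,4}L?", model_string.upper()))
    return bool(tokens & AFFECTED_MODELS)

if __name__ == "__main__":
    for src, dsts in hnap_probers(parse_log(SAMPLE_LOG)).items():
        print(f"{src} probed /HNAP1/ on {len(dsts)} hosts: {', '.join(dsts)}")
```

The single-target source 198.51.100.4 is deliberately not reported, so the threshold keeps ordinary remote-management traffic out of the alert.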

UPDATE: Linksys has issued an official response which has been quoted in full below.

"Linksys is aware of the malware called "The Moon" that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks."

NEWS SOURCE: maximumpc.com

After being a long-time PC enthusiast and a former contributor to many India-based PC and tech forums, Roshan now joins TweakTown covering tech news and any developments from India. Like many enthusiasts, with years of involvement in many Indian tech forums and running his own tech site, he is commonly referred to by his forum nickname 'The Sorcerer' by many old and new fellow PC enthusiasts, and by a few companies from time to time. He is also the winner of TweakTown's Computex 2012 Taipei trip. In whatever free time is left, Roshan prefers to play FPS games.
