
Linksys Routers Targeted by Mysterious New Worm

Source: Tom's Guide US

A malicious new worm has been detected in more than 1,000 Linksys home and small-office routers, according to researchers at the SANS Institute of Bethesda, Md.

Nicknamed "TheMoon" because its code includes HTML pages referring to the 2009 science-fiction movie "Moon," the worm seems to do little more than spread from router to router. However, it does appear to be able to connect to a command-and-control server, from which an attacker could manipulate the compromised systems.


"We do not know for sure if there is a command-and-control channel yet," wrote security researcher Johannes Ullrich in a blog post on the SANS Institute's website. "But the worm appears to include strings that point to a command-and-control channel." 

The good news is that a simple router reboot will get rid of the worm, and turning off any remote-administration feature in your router's settings will prevent the worm from being able to attack in the first place. Many routers have remote administration activated by default.

So far, only Linksys' "E" product line, which includes the E900, E2000, E3200 and E4200 models, has been shown to be affected. Devices that have upgraded to the latest firmware, 2.0.06, should be safe, but some earlier models whose support has expired, such as the E1000, can't get that upgrade.

The worm works by remotely calling a router's Home Network Administration Protocol, or HNAP. It then uses a known vulnerability in the router's Common Gateway Interface (CGI) script to gain administrative control.

Strangely, TheMoon also resets some routers to use Google's DNS (domain name system) servers at Internet Protocol addresses 8.8.8.8 and 8.8.4.4. The reason for this is unclear.

Once the worm infects a router, it scans the Internet for other Linksys routers to infect. Its main targets appear to be routers connected to major cable or DSL Internet service providers such as Comcast, Cox, RCN, Charter and Time Warner Cable's Roadrunner.

For the technically minded, scanning for TheMoon is easy. The two best indicators, according to Ullrich, are heavy outbound scanning on ports 80 and 8080 and inbound connection attempts to miscellaneous ports under 1024.
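As an added detection example (not code from the article, from SANS or from Linksys), the check below applies Ullrich's two indicators to a small set of constructed flow records; the record format, the sample addresses and the thresholds are assumptions for illustration and should be tuned to a real network's baseline.

```python
from collections import defaultdict

SCAN_PORTS = {80, 8080}          # ports the worm scans for other routers
# Thresholds are illustrative assumptions; tune them to your own baseline.
OUT_DISTINCT_DSTS = 5            # distinct destinations hit on SCAN_PORTS
IN_DISTINCT_LOW_PORTS = 3        # distinct inbound target ports below 1024

# Constructed sample records: <src_ip> <dst_ip> <dst_port> <out|in>
# out = router to Internet, in = Internet to router (RFC 5737 test addresses)
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.1 80 out
192.0.2.10 198.51.100.2 80 out
192.0.2.10 198.51.100.3 8080 out
192.0.2.10 198.51.100.4 8080 out
192.0.2.10 198.51.100.5 80 out
192.0.2.10 198.51.100.6 80 out
203.0.113.7 192.0.2.10 22 in
203.0.113.7 192.0.2.10 23 in
203.0.113.7 192.0.2.10 443 in
192.0.2.20 198.51.100.9 443 out
192.0.2.20 198.51.100.9 80 out
"""

def parse_flows(text):
    """Turn whitespace-separated records into tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, direction = line.split()
        flows.append((src, dst, int(port), direction))
    return flows

def find_suspects(flows):
    """Return {host: [indicator, ...]} for hosts matching either indicator."""
    out_dsts = defaultdict(set)     # src -> distinct destinations on SCAN_PORTS
    in_ports = defaultdict(set)     # dst -> distinct inbound ports < 1024
    for src, dst, port, direction in flows:
        if direction == "out" and port in SCAN_PORTS:
            out_dsts[src].add(dst)
        elif direction == "in" and port < 1024:
            in_ports[dst].add(port)
    suspects = defaultdict(list)
    for host, dsts in out_dsts.items():
        if len(dsts) >= OUT_DISTINCT_DSTS:
            suspects[host].append(f"outbound scan of {len(dsts)} hosts on 80/8080")
    for host, ports in in_ports.items():
        if len(ports) >= IN_DISTINCT_LOW_PORTS:
            suspects[host].append(f"inbound attempts to {len(ports)} ports < 1024")
    return dict(suspects)
```

On the sample data the router at 192.0.2.10 trips both indicators while 192.0.2.20, which only contacted one web server, is left alone.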

If you see something like that, you should reboot your router and try to upgrade it to the latest Linksys firmware. 

Update: Linksys has issued a statement about the breach: "The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default." The company also promises a firmware update to prevent the worm from gaining access to its routers even when the feature is enabled, and says it will post the update to its website in the next few weeks.

Second update: A group of Reddit users were able to identify the specific CGI script that TheMoon uses to enter Linksys routers. An exploit writer who goes by the online name Rew then published a proof-of-concept exploit. "I was hoping this would stay under-wraps until a firmware patch could be released [for the vulnerability], but it appears the cat is out of the bag," Rew wrote in the exploit documentation.

There is good news, however: Linksys' director of global communications Karen Sohl confirms that every affected Linksys router will be getting a firmware update to patch this exploit, even models that are no longer for sale and whose support had ended. Those updates will be available on Linksys' website in the coming weeks, Sohl told Tom's Guide.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.

8 Comments
  • slimething, February 14, 2014 11:56 AM
    Does it affect an e4200 with dd-wrt firmware?
  • c_for, February 14, 2014 3:48 PM
    I'm fairly sure all of those routers are branded Cisco. I know my e2000 was released after they rebranded their consumer line to the Cisco name.
  • alextheblue, February 14, 2014 5:48 PM
    Don't worry, it's just Skynet testing its capabilities.
  • digiex, February 14, 2014 6:11 PM
    Does flashing 3rd party firmware (OpenWRT, Tomato, DD-WRT, Gargoyle, etc.) make Linksys safer?
  • rajsun22, February 14, 2014 7:37 PM
    If changing the DNS addresses to 8.8.8.8 is this worm's effect, then it appears that my D-Link 2750U has been affected by that. Last week the connection was totally erratic, and I found the DNS server settings were changed. I don't remember the primary DNS, but the secondary DNS was changed to 8.8.8.8. I thought somebody hacked into my router, so reset the entire system and things were fine after that. Don't know how this thing got into the router!
  • axefire0, February 15, 2014 7:54 PM
    Sounds like this is the work of Chinese state-sponsored cyber criminals.
  • axefire0, February 15, 2014 8:31 PM
    Sounds like this is the work of Chinese state-sponsored cyber criminals.