Skip to main content

Linksys Routers Targeted by Mysterious New Worm

A malicious new worm has been detected in more than 1,000 Linksys home and small-office routers, according to researchers at the SANS Institute of Bethesda, Md.

Nicknamed "TheMoon" because its code includes HTML pages referring to the 2009 science-fiction movie "Moon," the worm seems to do little more than spread from router to router. However, it does appear to be able to connect to a command-and-control server, from which an attacker could manipulate the compromised systems.

MORE: 12 More Things You Didn't Know Could Be Hacked

"We do not know for sure if there is a command-and-control channel yet," wrote security researcher Johannes Ullrich in a blog post on the SANS Institute's website. "But the worm appears to include strings that point to a command-and-control channel." 

The good news is that a simple router reboot will get rid of the worm, and turning off any remote-administration feature in your router's settings will prevent the worm from being able to attack in the first place. Many routers have remote administration activated by default.

So far, only Linksys' "E" product line, which includes the E900, E2000, E3200 and E4200 models, has been shown to be affected. Devices that have upgraded to the latest firmware, 2.0.06, should be safe, but some earlier models whose support has expired, such as the E1000, can't get that upgrade.

The worm works by remotely calling a router's Home Network Administration Protocol, or HNAP. It then uses a known vulnerability in the router's Common Gateway Interface (CGI) script to gain administrative control.

Strangely, TheMoon also resets some routers to use Google's DNS (domain name system) servers at Internet Protocol addresses and The reason for this is unclear.

Once the worm infects a router, it scans the Internet for other Linksys routers to infect. Its main targets appear to be routers connected to major cable or DSL Internet service providers such as the Comcast, Cox, RCN, Charter and Time Warner Cable's Roadrunner.

For the technically minded, scanning for TheMoon is easy. The two best indicators, according to Ullrich, are heavy outbound scanning on ports 80 and 8080 and inbound connection attempts to miscellaneous ports under 1024.

If you see something like that, you should reboot your router and try to upgrade it to the latest Linksys firmware. 

Update: Linksys has issued a statement about the breach: "The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default." The company also promises a firmware update to prevent the worm gaining access to its routers even when the feature is enabled,  and says they'll post the update to their website in the next few weeks.

Second update: A group of Reddit users were able to identify the specific CGI script that TheMoon uses to enter Linksys routers. An exploit writer who goes by the online name Rew then published a proof-of-concept exploit. "I was hoping this would stay under-wraps until a firmware patch could be released [for the vulnerability], but it appears the cat is out of the bag," Rew wrote in the exploit documentation.

There is good news, however: Linksys' director of global communications Karen Sohl confirms that every affected Linksys router will be getting a firmware update to patch this exploit, even models that are no longer for sale and whose support had ended. Those updates will be available on Linksys' website in the coming weeks, Sohl told Tom's Guide.

Email or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.