Linksys Routers Targeted

Tuesday, February 18, 2014 @ 05:02 PM gHale

A vulnerability in Linksys WiFi routers is under attack in an effort to infect the devices with “TheMoon” worm, said SANS senior instructor and ISC researcher Johannes Ullrich.

His and his colleagues’ investigation started after a Wyoming-based ISP said some of its customers have had their Linksys routers and home networks compromised in the last few days.


“The routers, once compromised, scan port 80 and 8080 as fast as they can (saturating bandwidth available),” Ullrich said in a post, adding some of the routers may have had their DNS settings modified to point to Google’s DNS server.
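The scanning behaviour described above leaves a simple footprint in flow or firewall logs: one LAN address touching many distinct web servers on ports 80 and 8080 in a short time. As an added illustration (not code from the ISC post or from Linksys), the Python below runs a sliding-window detector over constructed flow records; the 60-second window and the 20-host threshold are assumed tuning values, not figures from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log (not from the article), one "timestamp src dst dport" per line:
# 192.168.1.1 plays the infected router (30 hosts on 80/8080 in 15 s), 192.168.1.20 a normal client.
T0 = datetime(2014, 2, 18, 17, 2, 0)
SAMPLE_LOG = "\n".join(
    [f"{(T0 + timedelta(seconds=i // 2)).isoformat()} 192.168.1.1 203.0.113.{i + 1} "
     f"{80 if i % 2 == 0 else 8080}" for i in range(30)]
    + [f"{(T0 + timedelta(minutes=i)).isoformat()} 192.168.1.20 198.51.100.{i + 1} 80"
       for i in range(5)]
)

def parse_flows(text):
    """Parse one flow per line into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records

def find_scanners(records, ports=(80, 8080), window=timedelta(seconds=60), threshold=20):
    """Return {src: peak distinct dsts} for sources exceeding `threshold` hosts on `ports` in one `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport in ports:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        active = defaultdict(int)  # dst -> hits currently inside the sliding window
        start = 0
        for ts, dst in events:
            active[dst] += 1
            while events[start][0] < ts - window:  # expire events older than the window
                old = events[start][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                start += 1
            if len(active) > threshold:
                flagged[src] = max(flagged.get(src, 0), len(active))
    return flagged

if __name__ == "__main__":
    for src, n in find_scanners(parse_flows(SAMPLE_LOG)).items():
        print(f"{src}: {n} distinct web hosts inside one window, scan-like")
```

The same check applies to real NetFlow or iptables logs once the parser is adapted to their field layout; a home router should never legitimately fan out to dozens of web servers per minute.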

“It is not clear which vulnerability is being exploited, but [the ISP administrator] eliminated weak passwords,” he said.

“Linksys is aware of the malware called ‘The Moon’ that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers,” Linksys officials said. “The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the feature turned off by default.”

“Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled it can prevent further vulnerability to their network, by disabling it and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks.”

The exploit doesn’t work against Linksys’ E1200 routers with the latest firmware, but E1000 routers are vulnerable, even if they have the latest firmware.

The worm also attempts to download a “second stage” binary, which includes a set of hard-coded netblocks (probably the ranges it scans) and likely instructions for contacting C&C servers. Other files are downloaded as well.

Commenters on the post suggested that a remote command injection vulnerability might be behind the attacks, and that the routers’ DNS settings are being modified to enable man-in-the-middle attacks, ultimately leading to financial theft.

Much about the situation is still unknown, but it would be prudent to update your router’s firmware and switch off its remote administration feature.
