A self-replicating worm is exploiting an authentication bypass vulnerability in Linksys home and small business routers. If you have one of the E-Series routers, you are at risk.
The worm, dubbed "The Moon" because of lunar references in its code, is not doing much at the moment beyond scanning for other vulnerable routers and making copies of itself, researchers wrote on the SANS Institute's Internet Storm Center blog last week. It's unclear at this time what the payload is or whether it's receiving commands from a command-and-control server.
"At this point, we are aware of a worm that is spreading among various models of Linksys routers," Johannes Ullrich, the chief technology officer at SANS, wrote in a blog post. "We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900." There are reports that E300, WAG320N, WAP300N, WES610N, WAP610N, WRT610N, WRT400N, WRT600N, WRT320N, WRT160N, and WRT150N routers are also vulnerable.
"Linksys is aware of the malware called The Moon that has affected select older Linksys E-series Routers and select older Wireless-N access points and routers," Belkin, the company which acquired the Linksys brand from Cisco last year, wrote in a blog post. A firmware fix is planned, but no specific timetable is available at this time.
The Moon attacks
Once running on a compromised router, The Moon looks for new victims. It first connects to a target router on port 8080 and requests the Home Network Administration Protocol (HNAP) page, which returns an XML description of the device including its model and firmware version. If the target looks vulnerable, it exploits a CGI script that can be reached without authentication, copies itself over, and the new infection starts scanning in turn. SANS estimates over 1,000 Linksys routers have already been infected.
A proof-of-concept targeting the vulnerability in the CGI script has already been published.
"There are about 670 different IP ranges that it scans for other routers. They appear to all belong to different cable modem and DSL ISPs. They are distributed somewhat worldwide," Ullrich said.
If you notice heavy outbound scanning on ports 80 and 8080, and inbound connections on miscellaneous ports below 1024, you may already be infected. To check whether your router answers the HNAP request the worm relies on, run printf 'GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n' | nc routerip 8080 (replace routerip with your router's address); if you get XML HNAP output back, you probably have a vulnerable router, Ullrich said.
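The two indicators above, as an added example that is not from the article, SANS or Linksys: the script below sends the same /HNAP1/ request the netcat one-liner sends, pulls the model and firmware out of the XML reply (the way the worm fingerprints a target), and checks the model against the list of possibly affected routers given earlier in the article. It also counts, per source address, how many distinct destinations were contacted on ports 80 and 8080 in firewall-style log lines, which is what the "heavy outbound scanning" indicator looks like in data. The HNAP XML reply, the netfilter-style log lines and the threshold of 20 distinct targets are constructed assumptions for the example; a real router's reply may carry different fields.

```python
"""Triage checks for The Moon: HNAP fingerprint parsing and scan detection.

The sample HNAP response and firewall log lines below are constructed for
this example; they are not captured from a real device or infection.
"""
import re
import socket
import xml.etree.ElementTree as ET
from collections import defaultdict

# Exact request the article's netcat check sends (CRLF line endings).
HNAP_PROBE = b"GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n"

# Models the article lists as possibly vulnerable, depending on firmware.
LISTED_MODELS = {
    "E4200", "E3200", "E3000", "E2500", "E2100L", "E2000", "E1550", "E1500",
    "E1200", "E1000", "E900", "E300", "WAG320N", "WAP300N", "WES610N",
    "WAP610N", "WRT610N", "WRT400N", "WRT600N", "WRT320N", "WRT160N", "WRT150N",
}


def http_body(raw: bytes) -> bytes:
    """Drop the HTTP status line and headers, keep the body."""
    _head, _sep, body = raw.partition(b"\r\n\r\n")
    return body


def parse_hnap(xml_bytes: bytes) -> dict:
    """Extract vendor/model/firmware from an HNAP device-settings reply.

    Matches on local tag names so the SOAP/HNAP namespaces do not matter.
    """
    wanted = {"VendorName", "ModelName", "ModelDescription", "FirmwareVersion"}
    found = {}
    for el in ET.fromstring(xml_bytes).iter():
        local = el.tag.rsplit("}", 1)[-1]  # strip "{namespace}" prefix
        if local in wanted and el.text:
            found[local] = el.text.strip()
    return found


def assess(raw_response: bytes) -> dict:
    """Parsed fingerprint plus whether the model is on the article's list."""
    info = parse_hnap(http_body(raw_response))
    model = info.get("ModelName", "").upper()
    info["listed_as_possibly_vulnerable"] = model in LISTED_MODELS
    return info


def probe(host: str, port: int = 8080, timeout: float = 3.0) -> dict:
    """Send HNAP_PROBE to a real router and assess the reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(HNAP_PROBE)
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return assess(b"".join(chunks))


# Netfilter-style log line; only SRC, DST and DPT are used.
LOG_LINE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")


def flag_scanners(log_lines, ports=("80", "8080"), min_targets=20):
    """Sources that reached >= min_targets distinct DST addresses on web ports.

    A home router talks to a handful of web servers; one that touches dozens
    of unrelated addresses on 80/8080 behaves like the worm's scanner.
    """
    targets = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and m.group("dpt") in ports:
            targets[m.group("src")].add(m.group("dst"))
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


# Constructed HNAP reply for an E1200; field names follow the HNAP1 schema.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">'
    b"<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>"
    b"<VendorName>Cisco</VendorName><ModelDescription>Linksys E1200</ModelDescription>"
    b"<ModelName>E1200</ModelName><FirmwareVersion>1.0.04 build 1</FirmwareVersion>"
    b"</GetDeviceSettingsResponse></soap:Body></soap:Envelope>"
)


def sample_log(scanner="192.0.2.10", quiet="192.0.2.20"):
    """Constructed log: one host sweeping 25 addresses, one host just browsing."""
    lines = [f"kernel: OUT=eth0 SRC={scanner} DST=198.51.100.{i} PROTO=TCP DPT=8080"
             for i in range(1, 26)]
    lines += [f"kernel: OUT=eth0 SRC={quiet} DST=203.0.113.{i} PROTO=TCP DPT=80"
              for i in range(1, 4)]
    return lines


if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
    print(flag_scanners(sample_log()))
    # Against a real device on your own network: print(probe("192.168.1.1"))
```

A model appearing in LISTED_MODELS means only that the article names it as possibly affected depending on firmware; the firmware string is the value to compare against whatever Belkin publishes as fixed. The scanner threshold should be tuned to the network: a NAT gateway for many users will legitimately reach more web servers than a single home router.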
Defences against The Moon
If you have one of the vulnerable routers, there are a few steps you can take. First of all, routers that are not configured for remote administration are not exposed, Ullrich said. So if you don't need remote administration, turn off Remote Management Access from the administrator interface.
If you do need remote administration, restrict access to the administrative interface by IP address so that the worm can't access the router. You can also enable Filter Anonymous Internet Requests under the Administration-Security tab.
Since the worm spreads via ports 80 and 8080, changing the port for the administrator interface will also make it harder for the worm to find the router, Ullrich said.
Home routers are popular attack targets, since they are usually older models and users generally don't stay on top of firmware updates. For example, cybercriminals have recently hacked into home routers and changed DNS settings to intercept information sent to online banking sites, according to a warning earlier this month from the Polish Computer Emergency Response Team (CERT Polska).
Belkin also suggests updating to the latest firmware to plug any other issues that may be unpatched.