The Hacker News Logo
Subscribe to Newsletter

Linksys Malware 'The Moon' Spreading from Router to Router

Which Wireless Router do you have at your Home or Office? If it’s a Linksys Router you could be in the danger to a new malware that attacks your firmware and replicates itself.

Security researcher Johannes B. Ullrich from the SANS Technology Institute has warned about a self-replicating malware which is exploiting authentication bypass and code-execution vulnerabilities in the Linksys wireless routers.

The Malware named as ‘THE MOON’, scans for other vulnerable devices to spread from router to router and Johannes confirmed that the malicious worm has already infected around 1,000 Linksys E1000, E1200, and E2400 routers.

In order to hack the Router, malware remotely calls the Home Network Administration Protocol (HNAP), allows identification, configuration and management of networking devices.

The Malware first request the model and firmware version of the router using HNAP and if the device founds vulnerable, it sends a CGI script exploit to get the local command execution access to the device.

Linksys's parent company has confirmed that HNAP1 implementation has a security flaw whose exploit code is publicly available on the Internet.

“There are about 670 different IP ranges that it scans for other routers. They appear to all belong to different cable modem and DSL ISPs. They are distributed somewhat worldwide),”

‘To what extent this worm can be dangerous’ is yet a question.
We are still working on analysis what it exactly does. But so far, it looks like all it does is spread (which is why we call it a worm). It may have a ‘call-home’ feature that will report back when it infected new hosts.”

To verify that your device is vulnerable or not, use following command (depending on your OS):
echo [-e] “GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n” | nc routerip 8080
If you receive an XML HNAP reply, you are likely to be victimized for the worm affecting Linksys devices and some preventive measures are to be taken. Also keep an eye on the logs of port 80 and 8080.

Users are recommended to Disable Remote Administration of their device or limits the administration right to a limited number of trusted IP addresses.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.