Linksys Is Preparing Firmware Fix to Protect Users Against “TheMoon” Worm

[Image: images from the movie found in TheMoon worm]

The SANS Institute’s Internet Storm Center has issued a warning about a worm that targets certain Linksys routers. Dubbed “TheMoon” because it contains images from the movie with the same name, the threat is designed to exploit a vulnerability in the devices in order to spread.

Once it infects a device, the worm gathers information on the targeted router, including hardware and firmware versions. Then, it sends an exploit to a vulnerable CGI script that runs on affected routers.

“The request does not require authentication. The worm sends random ‘admin’ credentials but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability,” Johannes Ullrich, the expert who identified the worm, explained.

“This second request will launch a simple shell script that will request the actual worm. The worm is about 2MB in size; samples that we captured so far appear pretty much identical but for a random trailer at the end of the binary. The file is an ELF MIPS binary.”

Once infected, the router begins scanning for other vulnerable routers to attack. So far, experts have not been able to find a functional C&C channel for TheMoon, but there are signs that the threat might actually be a bot.

A security expert who has developed a proof-of-concept exploit for the vulnerability says that a large number of models are impacted, including E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N, WRT150N.

Belkin, the owner of Linksys, has told the IDG News Service that they’re aware of the existence of TheMoon worm. The company says it’s working on a new firmware to address the vulnerability exploited by the threat.

However, Belkin clarifies that the exploit leveraged by the worm only works if the Remote Management Access feature is enabled. The feature is disabled by default.

Until a permanent fix becomes available, the owners of the aforementioned routers can protect their networks by disabling Remote Management Access.

