Fixes in the works for Moon-struck Linksys routers

Feb 18, 2014 by Nancy Owano weblog

(Phys.org) —Self-replicating malware has struck some older Linksys routers and Linksys has acknowledged awareness of the malware, called "TheMoon." They plan to make firmware fixes for all affected products available "Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks," according to a company statement. Only those routers with Remote Management Access enabled within the administrative settings are vulnerable. Ars Technica characterized the attack as one that infects home and small-office wireless routers from Linksys with self-replicating malware, likely by exploiting a code-execution vulnerability in the firmware.

As self-replicating , TheMoon takes advantage of the remote access feature. The attacker can grab access to the admin panel.

"Linksys ships these products with the Remote Management Access feature turned off by default," noted the company statement, which also said that the attack involves older E and N routers.

The official statement read: "Linksys is aware of the malware called "The Moon" that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers."

The statement noted that the "exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network, by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks."

Linksys also has a page up that explains, step by step, how to avoid getting TheMoon malware, and describes how it behaves: "The Moon malware bypasses authentication on the router by logging in without actually knowing the admin credentials. Once infected, the router starts flooding the network with ports 80 and 8080 outbound traffic, resulting in heavy data activity. This can be manifested as having unusually slow Internet connectivity on all devices."

Earlier on, the SANS Institute had spotted the worm. SANS is a source for information security training and certification, and operates an Internet early warning system, the Internet Storm Center (ISC). The ISC issued an alert on February 12 about a suspected exploit in some Linksys routers. Johannes B. Ullrich, SANS Technology Institute, wrote in the InfoSec Handlers Diary blog on February 13: "We do not know for sure if there is a command and control channel yet. But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie 'The Moon' which we used as a name for the worm."

Explore further: Target breach linked to global cybercrime, researchers say

More information: isc.sans.edu/diary/Linksys+Wor… we+know+so+far/17633

add to favorites email to friend print save as pdf

Related Stories

Router compromise, rogue remote control? Easy, says ISE

Apr 21, 2013

(Phys.org) —Router hacking is joining the ranks of computer security headaches, where the wireless router becomes the key target for those seeking to trespass into someone else's network. The remote attacker ...

Belkin to buy Linksys router maker from Cisco

Jan 24, 2013

Belkin, a maker of smartphone cases and computing accessories, said Thursday that it is buying the home networking business unit of Cisco, including the Linksys router brand.

Samsung to issue updates in response to printer alert

Nov 29, 2012

(Phys.org)—Samsung has issued a response to CERT's vulnerability advisory about Samsung networked printers but the response may have left printer owners wondering what to do next. Samsung said that it ...

Recommended for you

Sony emails show a studio ripe for hacking

1 hour ago

In the weeks before hackers broke into Sony Pictures Entertainment, the studio suffered significant technology outages it blamed on software flaws and incompetent technical staffers who weren't paying attention, ...

North Korea linked to Sony hacking (Update)

11 hours ago

Federal investigators have now connected the hacking of Sony Pictures Entertainment Inc. to North Korea, a U.S. official said Wednesday, though it remained unclear how the federal government would respond ...

Sites stumble on to malware path with plugin exploit

Dec 16, 2014

The numbers were not pretty. Over 100,000 WordPress websites may have been infected with malware, once again proving that where there is widespread popularity, whether in operating systems or platforms or ...

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.