Fixes in the works for Moon-struck Linksys routers

Feb 18, 2014 by Nancy Owano weblog

( —Self-replicating malware has struck some older Linksys routers and Linksys has acknowledged awareness of the malware, called "TheMoon." They plan to make firmware fixes for all affected products available "Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks," according to a company statement. Only those routers with Remote Management Access enabled within the administrative settings are vulnerable. Ars Technica characterized the attack as one that infects home and small-office wireless routers from Linksys with self-replicating malware, likely by exploiting a code-execution vulnerability in the firmware.

As self-replicating , TheMoon takes advantage of the remote access feature. The attacker can grab access to the admin panel.

"Linksys ships these products with the Remote Management Access feature turned off by default," noted the company statement, which also said that the attack involves older E and N routers.

The official statement read: "Linksys is aware of the malware called "The Moon" that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers."

The statement noted that the "exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network, by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks."

Linksys also has a page up that explains, step by step, how to avoid getting TheMoon malware, and describes how it behaves: "The Moon malware bypasses authentication on the router by logging in without actually knowing the admin credentials. Once infected, the router starts flooding the network with ports 80 and 8080 outbound traffic, resulting in heavy data activity. This can be manifested as having unusually slow Internet connectivity on all devices."

Earlier on, the SANS Institute had spotted the worm. SANS is a source for information security training and certification, and operates an Internet early warning system, the Internet Storm Center (ISC). The ISC issued an alert on February 12 about a suspected exploit in some Linksys routers. Johannes B. Ullrich, SANS Technology Institute, wrote in the InfoSec Handlers Diary blog on February 13: "We do not know for sure if there is a command and control channel yet. But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie 'The Moon' which we used as a name for the worm."

Explore further: D-Link to issue router firmware updates for backdoor vulnerability

More information:… we+know+so+far/17633

add to favorites email to friend print save as pdf

Related Stories

Router compromise, rogue remote control? Easy, says ISE

Apr 21, 2013

( —Router hacking is joining the ranks of computer security headaches, where the wireless router becomes the key target for those seeking to trespass into someone else's network. The remote attacker ...

Belkin to buy Linksys router maker from Cisco

Jan 24, 2013

Belkin, a maker of smartphone cases and computing accessories, said Thursday that it is buying the home networking business unit of Cisco, including the Linksys router brand.

Samsung to issue updates in response to printer alert

Nov 29, 2012

(—Samsung has issued a response to CERT's vulnerability advisory about Samsung networked printers but the response may have left printer owners wondering what to do next. Samsung said that it ...

Recommended for you

China blocks 'privacy' search engine DuckDuckGo

Sep 22, 2014

China has begun blocking the privacy-protecting search engine DuckDuckGo, which avoids storing user data or tracking online activity, according to the company and security researchers.

FBI widens probe of naked celebrity photos

Sep 22, 2014

The FBI vowed Monday to widen a probe into the massive hacking of naked celebrity photos if necessary, after new reported leaks including nude shots of Kim Kardashian.

New ZEBRA bracelet strengthens computer security

Sep 22, 2014

In a big step for securing critical information systems, such as medical records in clinical settings, Dartmouth College researchers have created a new approach to computer security that authenticates users ...

CloudFlare tackles lost SSL key risk with Keyless SSL

Sep 19, 2014

Organizations looking for and concerned about optimal security protection are the targets of a new service announced by San Francisco-based CloudFlare. The offering is called Keyless SSL. CloudFlare explained ...

When does Google hand over your data to governments?

Sep 19, 2014

Governments around the world want to know a lot about who we are and what we're doing online and they want communications companies to help them find it. We don't know a lot about when companies hand over ...

User comments : 0