Fixes in the works for Moon-struck Linksys routers

Feb 18, 2014 by Nancy Owano weblog

(Phys.org) —Self-replicating malware has struck some older Linksys routers and Linksys has acknowledged awareness of the malware, called "TheMoon." They plan to make firmware fixes for all affected products available "Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks," according to a company statement. Only those routers with Remote Management Access enabled within the administrative settings are vulnerable. Ars Technica characterized the attack as one that infects home and small-office wireless routers from Linksys with self-replicating malware, likely by exploiting a code-execution vulnerability in the firmware.

As self-replicating , TheMoon takes advantage of the remote access feature. The attacker can grab access to the admin panel.

"Linksys ships these products with the Remote Management Access feature turned off by default," noted the company statement, which also said that the attack involves older E and N routers.

The official statement read: "Linksys is aware of the malware called "The Moon" that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers."

The statement noted that the "exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network, by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks."

Linksys also has a page up that explains, step by step, how to avoid getting TheMoon malware, and describes how it behaves: "The Moon malware bypasses authentication on the router by logging in without actually knowing the admin credentials. Once infected, the router starts flooding the network with ports 80 and 8080 outbound traffic, resulting in heavy data activity. This can be manifested as having unusually slow Internet connectivity on all devices."

Earlier on, the SANS Institute had spotted the worm. SANS is a source for information security training and certification, and operates an Internet early warning system, the Internet Storm Center (ISC). The ISC issued an alert on February 12 about a suspected exploit in some Linksys routers. Johannes B. Ullrich, SANS Technology Institute, wrote in the InfoSec Handlers Diary blog on February 13: "We do not know for sure if there is a command and control channel yet. But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie 'The Moon' which we used as a name for the worm."

Explore further: Target breach linked to global cybercrime, researchers say

More information: isc.sans.edu/diary/Linksys+Wor… we+know+so+far/17633

add to favorites email to friend print save as pdf

Related Stories

Router compromise, rogue remote control? Easy, says ISE

Apr 21, 2013

(Phys.org) —Router hacking is joining the ranks of computer security headaches, where the wireless router becomes the key target for those seeking to trespass into someone else's network. The remote attacker ...

Belkin to buy Linksys router maker from Cisco

Jan 24, 2013

Belkin, a maker of smartphone cases and computing accessories, said Thursday that it is buying the home networking business unit of Cisco, including the Linksys router brand.

Samsung to issue updates in response to printer alert

Nov 29, 2012

(Phys.org)—Samsung has issued a response to CERT's vulnerability advisory about Samsung networked printers but the response may have left printer owners wondering what to do next. Samsung said that it ...

Recommended for you

What's causing the recent string of data breaches?

4 hours ago

It's Cyber Security Awareness month, which has me wondering: are we doing all we can to protect our data? To help answer this question, I sat down with Girish Bhat of Wave Systems—an important collaborator of Micron's—to ...

Court: UK spies get bulk access to NSA data

23 hours ago

The British government's insistence that its spies don't use the vast espionage powers of the U.S. National Security Agency to sidestep U.K. restrictions on domestic eavesdropping was called into question by a court document ...

Georgia Tech releases 2015 Emerging Cyber Threats Report

Oct 29, 2014

In its latest Emerging Cyber Threats Report, Georgia Tech warns about loss of privacy; abuse of trust between users and machines; attacks against the mobile ecosystem; rogue insiders; and the increasing involvement of cyberspac ...

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.