Fixes in the works for Moon-struck Linksys routers

February 18, 2014 by Nancy Owano weblog

( —Self-replicating malware has struck some older Linksys routers and Linksys has acknowledged awareness of the malware, called "TheMoon." They plan to make firmware fixes for all affected products available "Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks," according to a company statement. Only those routers with Remote Management Access enabled within the administrative settings are vulnerable. Ars Technica characterized the attack as one that infects home and small-office wireless routers from Linksys with self-replicating malware, likely by exploiting a code-execution vulnerability in the firmware.

As self-replicating , TheMoon takes advantage of the remote access feature. The attacker can grab access to the admin panel.

"Linksys ships these products with the Remote Management Access feature turned off by default," noted the company statement, which also said that the attack involves older E and N routers.

The official statement read: "Linksys is aware of the malware called "The Moon" that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers."

The statement noted that the "exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network, by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks."

Linksys also has a page up that explains, step by step, how to avoid getting TheMoon malware, and describes how it behaves: "The Moon malware bypasses authentication on the router by logging in without actually knowing the admin credentials. Once infected, the router starts flooding the network with ports 80 and 8080 outbound traffic, resulting in heavy data activity. This can be manifested as having unusually slow Internet connectivity on all devices."

Earlier on, the SANS Institute had spotted the worm. SANS is a source for information security training and certification, and operates an Internet early warning system, the Internet Storm Center (ISC). The ISC issued an alert on February 12 about a suspected exploit in some Linksys routers. Johannes B. Ullrich, SANS Technology Institute, wrote in the InfoSec Handlers Diary blog on February 13: "We do not know for sure if there is a command and control channel yet. But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie 'The Moon' which we used as a name for the worm."

Explore further: Samsung to issue updates in response to printer alert

More information:

Related Stories

Samsung to issue updates in response to printer alert

November 29, 2012

(—Samsung has issued a response to CERT's vulnerability advisory about Samsung networked printers but the response may have left printer owners wondering what to do next. Samsung said that it is aware of and has ...

Belkin to buy Linksys router maker from Cisco

January 24, 2013

Belkin, a maker of smartphone cases and computing accessories, said Thursday that it is buying the home networking business unit of Cisco, including the Linksys router brand.

Router compromise, rogue remote control? Easy, says ISE

April 21, 2013

( —Router hacking is joining the ranks of computer security headaches, where the wireless router becomes the key target for those seeking to trespass into someone else's network. The remote attacker can take full ...

Recommended for you

Microsoft describes hard-to-mimic authentication gesture

August 1, 2015

Photos. Messages. Bank account codes. And so much more—sit on a person's mobile device, and the question is, how to secure them without having to depend on lengthy password codes of letters and numbers. Vendors promoting ...

Power grid forecasting tool reduces costly errors

July 30, 2015

Accurately forecasting future electricity needs is tricky, with sudden weather changes and other variables impacting projections minute by minute. Errors can have grave repercussions, from blackouts to high market costs. ...

Netherlands bank customers can get vocal on payments

August 1, 2015

Are some people fed up with remembering and using passwords and PINs to make it though the day? Those who have had enough would prefer to do without them. For mobile tasks that involve banking, though, it is obvious that ...


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.