Linksys router users are hit by 'The Moon' worm

  • 14 February 2014

Those that have Linksys routers should beware, as they are potentially at risk from a computer worm that is exploiting an authentication bypass vulnerability on the devices' firmware, security researchers at the SANS Institute's Internet Storm Center (ISC) have warned.

The self-replicating programme is affecting Linksys E-series models E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000 and E900, and possibly more depending on firmware, though the ISC does not have a comprehensive list of the Linksys router models that are vulnerable.

"The worm will connect first to port 8080, and if necessary using SSL, to request the '/HNAP1/' URL," ISC explained in a diary post. "This will return an XML formatted list of router features and firmware versions. The worm appears to extract the router hardware version and the firmware revision."

The ISC said that the worm will send an exploit to a vulnerable CGI script running on these routers and that the request does not require authentication.

"The worm sends random 'admin' credentials but they are not checked by the script," the security researchers warned.

There's then a second request, which launches a simple shell script that will request the worm.

"The worm is about 2MB in size, samples that we captured so far appear pretty much identical but for a random trailer at the end of the binary. The file is an ELF MIPS binary," the ISC added.

Once this code runs, the infected router then scans for other victims. ISC said that the worm includes a list of about 670 different networks, all of which appear to be linked to cable or DSL modem ISPs in various countries.

"An infected router will also serve the binary at a random low port for new victims to download. This http server is only opened for a short period of time, and for each target, a new server with a different port is opened," the ISC explained.

The ISC security experts don't know for sure if there is a command and control channel yet, but said the worm appears to include strings that point to a command and control channel.

"The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie 'The Moon' which we used as a name for the worm," the ISC said, adding that the computer worm could turn out to be a bot if there is a functional command and control channel present.
 
Source Article
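The ISC description above gives a defender a usable log signature: an unauthenticated GET for /HNAP1/ on port 8080 (the version fingerprint step), followed shortly by a request to a CGI script from the same source. The following is an added detection example, not code from the article, the ISC or Linksys; it parses constructed access-log lines in a simple custom format (client, user, timestamp, request, status, size, port) and flags both the bare fingerprint probe and the probe-then-CGI sequence. The CGI path `/example.cgi` and the 60-second correlation window are assumptions for illustration.

```python
"""Flag TheMoon-style probe sequences in router HTTP access logs (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a custom format:
#   client ident user [timestamp] "METHOD PATH PROTO" status size port
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2014:10:01:02 +0000] "GET /HNAP1/ HTTP/1.1" 200 1342 8080
203.0.113.7 - - [14/Feb/2014:10:01:05 +0000] "POST /example.cgi HTTP/1.1" 200 88 8080
198.51.100.9 - - [14/Feb/2014:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 512 80
192.0.2.44 - admin [14/Feb/2014:10:03:00 +0000] "GET /HNAP1/ HTTP/1.1" 200 1342 8080
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<port>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(seconds=60)  # assumed correlation window between probe and CGI hit


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["port"] = int(rec["port"])
    return rec


def detect(log_text):
    """Return (kind, client, timestamp) findings in log order.

    kind is "hnap_probe" for a GET /HNAP1/ on port 8080 (the fingerprint step
    the ISC describes) and "probe_then_cgi" when the same client then requests
    a .cgi path within WINDOW, which matches the unauthenticated exploit step.
    """
    last_probe = {}  # client -> timestamp of its most recent /HNAP1/ request
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, path, ts = rec["client"], rec["path"], rec["ts"]
        if rec["method"] == "GET" and path.rstrip("/") == "/HNAP1" and rec["port"] == 8080:
            last_probe[client] = ts
            findings.append(("hnap_probe", client, ts))
            continue
        # Strip any query string before checking the script extension.
        if path.split("?", 1)[0].endswith(".cgi") and client in last_probe \
                and ts - last_probe[client] <= WINDOW:
            findings.append(("probe_then_cgi", client, ts))
    return findings


if __name__ == "__main__":
    for kind, client, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {client} {kind}")
```

On real logs the probe alone is a weak signal (HNAP is also used by legitimate management software), so the sequence finding is the one worth paging on; the bare probe is better aggregated per source over time.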

1 reply

Technical details about a vulnerability in Linksys routers that’s being exploited by a new worm have been released Sunday along with a proof-of-concept exploit and a larger than earlier expected list of potentially vulnerable device models.

Last week, security researchers from the SANS Institute’s Internet Storm Center identified a self-replicating malware program that exploits an authentication bypass vulnerability to infect Linksys routers. The worm has been named TheMoon.

The initial report from SANS ISC said the vulnerability is located in a CGI script that’s part of the administration interface of multiple Linksys’ E-Series router models. However, the SANS researchers didn’t name the vulnerable CGI script at the time.

On Sunday, a Reddit user identified four CGI scripts that he believed were likely to be vulnerable. An exploit writer, who uses the online alias Rew, later confirmed that at least two of those scripts are vulnerable and published a proof-of-concept exploit.

“I was hoping this would stay under wraps until a firmware patch could be released, but it appears the cat is out of the bag,” Rew wrote in the exploit notes.

The exploit also contains a list of Linksys routers that Rew believes might be vulnerable based on strings extracted from the original TheMoon malware. The list includes not only models from the Linksys E-Series, but also from the Wireless-N product line.

The following models are listed: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N. However, Rew notes that the list might not be accurate or complete.

Linksys owner Belkin confirmed that some Wireless-N routers are also affected, but didn’t name the exact models.
 
Full Article
