The SANS Institute's Internet Storm Center has issued a warning about a worm that targets certain Linksys routers. Dubbed “TheMoon” because it contains images from the movie with the same name, the threat is designed to exploit a vulnerability in the devices in order to spread.
Once it infects a device, the worm gathers information on the targeted router, including hardware and firmware versions. Then, it sends an exploit to a vulnerable CGI script that runs on affected routers.
“The request does not require authentication. The worm sends random ‘admin’ credentials but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability,” Johannes Ullrich, the expert who identified the worm, explained.
“This second request will launch a simple shell script, that will request the actual worm. The worm is about 2MB in size, samples that we captured so far appear pretty much identical but for a random trailer at the end of the binary. The file is an ELF MIPS binary.”
Once this is done, the infected router scans the area for other potential victims. Currently, experts haven’t been able to find a functional C&C channel for TheMoon, but there are signs that the threat might actually be a bot.
A security expert who has developed a proof-of-concept exploit for the vulnerability says that a large number of models are impacted, including E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N, WRT150N.
Belkin, the owner of Linksys, has told the IDG News Service that they’re aware of the existence of TheMoon worm. The company says it’s working on a new firmware to address the vulnerability exploited by the threat.
However, Belkin clarifies that the exploit leveraged by the worm only works if the Remote Management Access feature is enabled. The feature is disabled by default.
Until a permanent fix becomes available, the owners of the aforementioned routers can protect their networks by disabling Remote Management Access.