TheMoon worm now targets ASUS and D-Link routers as well

Oct 20, 2016 22:00 GMT

The botnet of home routers created using a worm known as TheMoon is alive and kicking two years after being discovered, even after some router vendors have shipped firmware patches to protect their devices from getting infected.

TheMoon worm made headlines in early 2014 when Johannes B. Ullrich of the SANS Internet Storm Center discovered it spreading to a large number of Linksys router models.

To its credit, Linksys reacted pretty quickly and issued a firmware update to fix the loopholes exploited in the original infection chain. Unfortunately, patching routers is not a trivial task, and many of those devices have remained vulnerable, even after all these years.

TheMoon targeting ASUS routers

But TheMoon's author didn't stop there, and according to a Fortinet report released today, he improved the worm's targeting by adding support for ASUS routers.

Fortinet researchers say that TheMoon has incorporated the CVE-2014-9583 vulnerability in its source code. This vulnerability allows the worm to send malicious UDP packets to vulnerable ASUS routers, bypass authentication, and execute code on the device, taking it over from its rightful owner.

In subsequent exploitation steps, Fortinet says, TheMoon adds new firewall rules to ensure the crook can still reach the device from the location of his choosing, and to block other IoT malware from exploiting the same flaw and hijacking the device away from his botnet.

Following the immense success of the DDoS attacks on the KrebsOnSecurity blog, crooks are flocking to the IoT landscape, and routers, next to DVRs and CCTV systems, are their favorite targets.

As such, malware authors are very careful when infecting vulnerable IoT devices to secure them from future exploitation and avoid a game of musical chairs with other botnet herders.

TheMoon also targets D-Link routers

But the bad news doesn't end here. Taking a closer look at the "extra" firewall rules that TheMoon adds to infected devices, security researchers also found one that is meant to protect D-Link routers from an HNAP SOAPAction-Header Command Execution vulnerability.

While Fortinet hasn't seen any D-Link routers infected with TheMoon, the presence of that firewall rule means the malware author is clearly aiming for devices vulnerable to that flaw.
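Both the ASUS and the D-Link findings above rest on the same behaviour: the worm rewrites the router's firewall rules. A practical defensive check is to snapshot the rule set while the device is known clean and diff it later. The script below is an added example, not code from the article or from Fortinet's report; the rule lines and the 203.0.113.0/24 source network are constructed for illustration and are not the worm's actual rules.

```python
"""Diff a router's current firewall rule set against a known-good baseline.

Input is in the style of `iptables -S` output, one rule per line. Chain
creation (-N) and policy (-P) lines are ignored so that only real rules
are compared. All sample rules here are constructed, not from the worm.
"""


def parse_rules(output: str) -> set[str]:
    """Normalise rule listing into a set of rule strings (whitespace collapsed)."""
    rules = set()
    for line in output.splitlines():
        line = " ".join(line.split())  # collapse cosmetic whitespace differences
        if not line or line.startswith(("-P ", "-N ")):
            continue
        rules.add(line)
    return rules


def diff_rules(baseline: str, current: str) -> dict[str, list[str]]:
    """Return rules present now but not in the baseline, and vice versa."""
    base, cur = parse_rules(baseline), parse_rules(current)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


# Constructed baseline: LAN-side admin interface reachable, everything else dropped.
BASELINE = """
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i br0 -p tcp --dport 80 -j ACCEPT
"""

# Constructed "after" snapshot: a hypothetical operator network is whitelisted,
# the LAN admin rule is gone, and the admin port is dropped for everyone else
# (the lock-others-out pattern the article describes; values are made up).
CURRENT = """
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j DROP
"""

if __name__ == "__main__":
    for kind, rules in diff_rules(BASELINE, CURRENT).items():
        for rule in rules:
            print(f"{kind}: {rule}")
```

Any rule in the "added" list that accepts traffic from an outside source, or that blocks a port the owner relies on, is worth treating as a sign of tampering until explained.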

The size of TheMoon botnet is currently unknown, but taking into account the author's expertise and past experience, the botnet is more likely big than small. Readers can also take a look at an alternative analysis of TheMoon worm from Russian security firm Dr.Web.