MOON, the strange worm spreading on Linksys routers

Pierluigi Paganini February 17, 2014

Security researchers at SANS detected a self-replicating malware (dubbed moon worm) is spreading among a number of different Linksys routers.

Researchers at the SANS Institute discovered a new self-replicating worm that is infecting different Linksys home and small business routers. The investigation started after an Internet service provider in Wyoming noted an unusual network traffic and decided to alert SANS.  The SANS researchers were able to detect and isolate the worm setting up honeypots, they dubbed it The Moon because its source code contains numerous strings related lunar theme.

The analysts still haven’t determined whether there is a malicious payload or if the worm connects to a command and control server.

“We haven’t exactly worked out the command and control part yet. There is some evidence of at least a reporting feature,” 

In time I’m writing the unique certainty for researchers is that the worm seems to limit its activity to scanning for other vulnerable routers and spreading itself.

“The vulnerability allows the unauthenticated execution of arbitrary code on the router. We haven’t published all the details about the vulnerability yet as it appears to be unpatched in many routers,” said Johannes B. Ullrich, chief technology officer at SANS.

SANS immediately alerted spread the alarm, providing a list of potential vulnerable routers depending on the firmware version they’re running. The list includes the following models:

  • E4200
  • E3200
  • E3000
  • E2500
  • E2100L
  • E2000
  • E1550
  • E1500
  • E1200
  • E1000
  • E900

Moon worm malware 2

Once the Moon worm infected the router, it connects to port 8080 and using the Home Network Administration Protocol (HNAP) implemented in Cisco devices, retrieves router characteristics and firmware versions.

The worm appears to extract the router hardware version and the firmware revision. The relevant lines are:

<FirmwareVersion>1.0.07 build 1</FirmwareVersion> 

(this is a sample from an E2500 router running firmware version 1.0.07 build 1)

Once Moon worm discovers the router model, it exploits a vulnerable CGI script that allows it to access the router without authentication and starts searching for other vulnerable devices.

“The worm sends random “admin” credentials, but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability.”

The Moon worm has a size of 2MB and all the instances detected by SANS appear identical except for a random trailer at the end of the ELF MIPS binary file.

“There are about 670 different IP ranges that it scans for other routers. They appear to all belong to different cable modem and DSL ISPs. They are distributed somewhat worldwide),” “We are still working on analysis what it exactly does. But so far, it looks like all it does is spread (which is why we call it a worm “It may have a ‘call-home’ feature that will report back when it infected new hosts.” states the blog post.

SANS experts confirm that the Moon worm changes the DNS settings to control victim’s traffic, the behavior is common to other router exploits. Recently the Polish Computer Emergency Response Team has documented a series of cyber attacks observed in Poland involved cybercriminals hacking into home routers and changing their DNS settings to conduct MITM attacks on online banking connections.

“It may make changes to DNS settings like a lot of other router exploits, but this is still work in progress.”

How to discover if a router has been infected by the Moon worm?

The SANS provided the following indicators to detect the malware presence:

  • heavy outbound scanning on port 80 and 8080.
  • inbound connection attempts to misc ports < 1024.

Detecting potentially vulnerable system:

echo "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080

if you get the XML HNAP output back, then you MAY be vulnerable.

I always suggest to change default settings (e.g. Port number for admin panel) and to limit the access to the remote administrator interface to specific IP addresses.

Pierluigi Paganini

(Security Affairs –  Moon worm, malware)

you might also like

leave a comment