
MOON, the strange worm spreading on Linksys routers

Security researchers at SANS have detected a self-replicating malware, dubbed the Moon worm, spreading among a number of different Linksys routers.

Researchers at the SANS Institute discovered a new self-replicating worm that is infecting different Linksys home and small business routers. The investigation started after an Internet service provider in Wyoming noticed unusual network traffic and decided to alert SANS. The SANS researchers were able to detect and isolate the worm by setting up honeypots; they dubbed it "The Moon" because its source code contains numerous strings related to a lunar theme.

The analysts still haven’t determined whether there is a malicious payload or if the worm connects to a command and control server.

“We haven’t exactly worked out the command and control part yet. There is some evidence of at least a reporting feature.”

At the time of writing, the only certainty for researchers is that the worm seems to limit its activity to scanning for other vulnerable routers and spreading itself.

“The vulnerability allows the unauthenticated execution of arbitrary code on the router. We haven’t published all the details about the vulnerability yet as it appears to be unpatched in many routers,” said Johannes B. Ullrich, chief technology officer at SANS.

SANS immediately raised the alarm, providing a list of potentially vulnerable routers, depending on the firmware version they are running. The list includes the following models:

  • E4200
  • E3200
  • E3000
  • E2500
  • E2100L
  • E2000
  • E1550
  • E1500
  • E1200
  • E1000
  • E900

Once the Moon worm has infected a router, it connects to port 8080 and, using the Home Network Administration Protocol (HNAP) implemented in Cisco devices, retrieves router characteristics and firmware versions.

The worm appears to extract the router hardware version and the firmware revision. The relevant lines are:

<ModelName>E2500</ModelName>
<FirmwareVersion>1.0.07 build 1</FirmwareVersion> 

(this is a sample from an E2500 router running firmware version 1.0.07 build 1)

Once the Moon worm has discovered the router model, it exploits a vulnerable CGI script that allows it to access the router without authentication, and then starts searching for other vulnerable devices.

“The worm sends random “admin” credentials, but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability.”

The Moon worm binary is about 2MB in size, and all the instances detected by SANS appear identical except for a random trailer at the end of the ELF MIPS binary.

“There are about 670 different IP ranges that it scans for other routers. They appear to all belong to different cable modem and DSL ISPs. They are distributed somewhat worldwide.” “We are still working on analyzing what exactly it does. But so far, it looks like all it does is spread (which is why we call it a worm). It may have a ‘call-home’ feature that will report back when it infected new hosts,” states the blog post.

SANS experts confirm that the Moon worm changes the DNS settings to control the victim's traffic, a behavior common to other router exploits. Recently the Polish Computer Emergency Response Team documented a series of cyber attacks observed in Poland in which cybercriminals hacked into home routers and changed their DNS settings to conduct MITM attacks on online banking connections.

“It may make changes to DNS settings like a lot of other router exploits, but this is still work in progress.”

How to discover if a router has been infected by the Moon worm?

SANS provided the following indicators to detect the malware's presence:

  • heavy outbound scanning on port 80 and 8080.
  • inbound connection attempts to misc ports < 1024.
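The two indicators above can be applied mechanically to flow or firewall logs. The following Python script is an added example, not code from this post or from SANS: it runs both checks over a constructed flow log in an assumed line format ("time in|out src -> dst:port"), and the thresholds (20 distinct hosts on 80/8080, 5 distinct ports below 1024) are illustrative assumptions that would be tuned to the network being monitored.

```python
"""Added example (not from the Security Affairs post or SANS): run the two
indicators SANS listed over a constructed flow log."""
import re
from collections import defaultdict

# Constructed log format (an assumption, not any vendor's): "<time> <in|out> <src> -> <dst>:<port>"
LINE_RE = re.compile(r"^(\S+) (in|out) (\S+) -> (\S+):(\d+)$")


def parse_line(line):
    """Return (src, dst, port, direction) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _time, direction, src, dst, port = m.groups()
    return (src, dst, int(port), direction)


def _build_sample_lines():
    """Constructed sample data: one scanning router, one normal client, one low-port prober."""
    lines = []
    # Suspect router: 40 distinct external hosts on 80/8080 within one minute
    for i in range(40):
        port = 80 if i % 2 else 8080
        lines.append(f"2014-02-12T10:00:{i:02d} out 192.168.1.1 -> 198.51.100.{i}:{port}")
    # Ordinary client: three web sessions, not scanning
    for i in range(3):
        lines.append(f"2014-02-12T10:01:0{i} out 192.168.1.23 -> 203.0.113.{i}:80")
    # One external source probing several low ports (plus 8080, which is not < 1024)
    for p in (21, 22, 23, 80, 443, 445, 8080):
        lines.append(f"2014-02-12T10:02:00 in 198.51.100.200 -> 192.0.2.10:{p}")
    # A single benign inbound HTTPS connection
    lines.append("2014-02-12T10:02:30 in 203.0.113.77 -> 192.0.2.10:443")
    # A malformed line, to show the parser skips it rather than crashing
    lines.append("2014-02-12T10:03:00 garbage")
    return lines


SAMPLE_LINES = _build_sample_lines()
SAMPLE_FLOWS = [f for f in map(parse_line, SAMPLE_LINES) if f is not None]


def detect_outbound_scan(flows, threshold=20):
    """Indicator 1: sources reaching >= threshold distinct hosts on port 80 or 8080.
    Returns {source: distinct_target_count} for every source over the threshold."""
    targets = defaultdict(set)
    for src, dst, port, direction in flows:
        if direction == "out" and port in (80, 8080):
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def detect_inbound_low_ports(flows, threshold=5):
    """Indicator 2: external sources hitting >= threshold distinct ports below 1024.
    Returns {source: sorted list of low ports} for every source over the threshold."""
    ports = defaultdict(set)
    for src, dst, port, direction in flows:
        if direction == "in" and port < 1024:
            ports[src].add(port)
    return {src: sorted(ps) for src, ps in ports.items() if len(ps) >= threshold}


if __name__ == "__main__":
    print("outbound scanners:", detect_outbound_scan(SAMPLE_FLOWS))
    print("inbound low-port probers:", detect_inbound_low_ports(SAMPLE_FLOWS))
```

On the constructed data the first check flags only 192.168.1.1 (40 distinct targets), and the second flags only 198.51.100.200, whose 8080 probe is correctly left out of the low-port count. Counting distinct destinations and distinct ports, rather than raw packet volume, is what separates a scanner from a busy but legitimate host.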

Detecting a potentially vulnerable system:

printf 'GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n' | nc routerip 8080

If you get the XML HNAP output back, then you MAY be vulnerable (printf is used rather than echo because bash's echo does not expand \r\n without -e).
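To turn the nc check into something that can be run across a list of routers, here is an added Python example (not code from this post or from SANS) that sends the same GET /HNAP1/ request on port 8080, pulls ModelName and FirmwareVersion out of the XML reply as shown in the E2500 sample earlier, and flags models that appear on the list above. The SOAP envelope and the HNAP namespace in the embedded sample reply are assumptions about the response layout; the parser ignores namespaces so it does not depend on them.

```python
"""Added example (not from the Security Affairs post or SANS): query the HNAP
endpoint on port 8080 the way the post's nc one-liner does, then parse the
XML reply for ModelName / FirmwareVersion and flag models on the affected list."""
import http.client
import socket
import xml.etree.ElementTree as ET

# Models the post lists as potentially vulnerable (firmware-dependent).
AFFECTED_MODELS = {"E4200", "E3200", "E3000", "E2500", "E2100L", "E2000",
                   "E1550", "E1500", "E1200", "E1000", "E900"}

# Constructed sample reply, shaped around the two lines quoted in the post.
# The SOAP wrapper and namespace URI are assumptions about the real response layout.
SAMPLE_HNAP_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <ModelName>E2500</ModelName>
      <FirmwareVersion>1.0.07 build 1</FirmwareVersion>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>"""


def parse_hnap(xml_bytes):
    """Return {"model": ..., "firmware": ...} from an HNAP reply, ignoring XML namespaces."""
    root = ET.fromstring(xml_bytes)
    found = {}
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # strip any "{namespace}" prefix
        if local == "ModelName":
            found["model"] = (el.text or "").strip()
        elif local == "FirmwareVersion":
            found["firmware"] = (el.text or "").strip()
    return found


def assess(xml_bytes):
    """Classify a reply: 'no-hnap' if it is not HNAP XML, 'listed' if the model is on the
    post's list, 'unlisted' otherwise. Any HNAP reply at all means the management
    interface answered, which the post says MAY indicate exposure."""
    try:
        info = parse_hnap(xml_bytes)
    except ET.ParseError:
        return {"status": "no-hnap"}
    if "model" not in info:
        return {"status": "no-hnap"}
    info["status"] = "listed" if info["model"] in AFFECTED_MODELS else "unlisted"
    return info


def fetch_hnap(host, port=8080, timeout=5.0):
    """Send the same GET /HNAP1/ the post's nc one-liner sends; return body bytes or None."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/HNAP1/", headers={"Host": "test"})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        return body if resp.status == 200 else None
    except (OSError, socket.timeout, http.client.HTTPException):
        return None


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Run against a router you administer: python3 hnap_check.py <routerip>
        body = fetch_hnap(sys.argv[1])
        print(assess(body) if body else {"status": "no-hnap"})
    else:
        print(assess(SAMPLE_HNAP_XML))
```

A "listed" result only says the model is on the list; whether the firmware revision is actually affected depends on the version string, which the script reports so it can be compared against the vendor's advisory.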

I always suggest changing default settings (e.g. the port number of the admin panel) and limiting access to the remote administration interface to specific IP addresses.

Pierluigi Paganini

(Security Affairs –  Moon worm, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
