New Linksys Worm: “The Moon”

A new worm that propagates itself from router to router has been discovered by security researcher Johannes B. Ullrich of the SANS Technology Institute. This Linksys worm was named “The Moon” because it includes some basic HTML pages with images based on the movie “The Moon”.

The worm takes advantage of vulnerabilities in several Linksys products, including the models:

  • E1000
  • E1200
  • E2400

When it attacks, the worm first determines the model and firmware of the router by using the HNAP protocol. If it finds that the router is one that it knows how to exploit, it then sends a malicious CGI script that takes advantage of security vulnerabilities of the device. Linksys has acknowledged these vulnerabilities in its firmware.

The worm propagates by scanning 670 different IP ranges for other routers to attack. The infected routers appear to belong to a variety of cable modem and DSL ISPs and are spread fairly widely around the world.

Users are encouraged to disable Remote Administration on their device or restrict administrative access to a small number of trusted IP addresses. Of course, this is good practice even without the threat of malware.
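The following log check is an added example, not code from the original article, Linksys or SANS. It flags untrusted sources that query HNAP and then POST to a CGI script, the two-step pattern described above, and skips the trusted addresses the advice recommends. The log layout, trusted networks, five-minute window and `/placeholder.cgi` are assumptions; `/HNAP1/` is the standard HNAP endpoint path.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumption: networks allowed to reach the admin interface (constructed values).
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.10/32")]
WINDOW = timedelta(minutes=5)  # assumed max gap between HNAP query and CGI POST
LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# Constructed sample lines in a hypothetical "timestamp source method path status" layout.
SAMPLE_LOG = """\
2024-01-01T10:00:01 198.51.100.7 GET /HNAP1/ 200
2024-01-01T10:00:03 198.51.100.7 POST /placeholder.cgi 200
2024-01-01T10:02:10 192.168.1.20 GET /HNAP1/ 200
2024-01-01T10:05:44 198.51.100.99 GET /HNAP1/ 200
2024-01-01T10:06:00 203.0.113.10 POST /placeholder.cgi 200
2024-01-01T10:07:30 198.51.100.200 POST /placeholder.cgi 200
"""

def is_trusted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED)

def classify(log_text):
    """Return {source_ip: verdict} for untrusted sources touching HNAP or CGI."""
    probes = {}    # source -> time of its most recent HNAP query
    verdicts = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed layout
        ts, src, method, path, _status = m.groups()
        if is_trusted(src):
            continue  # allowlisted management address
        when = datetime.fromisoformat(ts)
        if path.lower().startswith("/hnap1"):
            probes[src] = when
            verdicts.setdefault(src, "hnap_probe")
        elif method == "POST" and path.lower().split("?")[0].endswith(".cgi"):
            seen = probes.get(src)
            if seen is not None and when - seen <= WINDOW:
                verdicts[src] = "hnap_probe_then_cgi_post"  # matches the described sequence
            else:
                verdicts.setdefault(src, "untrusted_cgi_post")
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(src, verdict)
```

Any verdict at all for an Internet address means the administration interface is reachable from outside the trusted set, which is the exposure the advice above is meant to close.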

