TheMoon worm spreads by Linksys routers

A worm called TheMoon, infects Linksys routers and when the routers are infected then it starts searching for other vulnerable routers. A few days ago, a US carrier already warned for the worm, that is targeting more routers then they first declared.

The worm connects to port 8080, whether or not via SSL. Then the “/HNAP1/” URL is requested, which asks for a list of router features and firmware versions. After this, the worm sends an exploit to the vulnerable CGI script that runs on these routers which needs no authentication.

Then a shell script is executed on the routers that is downloaded by the worm onto the Linksys router. The worm is about 2MB. Once the worm is actively looking for other victims it uses a list of about 670 different networks, all of which have to do with cable and DSL modems for Internet service providers in different countries. Infected routers are also used as a download location where newly infected routers can download the worm from.

The Moon

The worm was named TheMoon because the malware also contains a number of HTML pages with photos of the film “The Moon”. Possible signs of an infected router are many outgoing scan-traffic on port 80 and 8080, and incoming connections on different port numbers below port number 1024. Exactly which models are fragile and vulnerable is not known yet, but according the Internet Storm Center the following Linksys models may be vulnerable: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200 , E1000, E900.

Warning of new vulnerability in Internet Explorer 10

internet explorer - logoThere is a new vulnerability in Internet Explorer 10 discovered that cybercriminals actively targeting. There is not a patch from Microsoft available for this vulnerability at this moment. FireEye security warned for the flaw in Internet Explorer 10.

The new leak was discovered during a “watering hole attack.” Thereby a website is hacked that a potential target visits by itself. As a result, there is no need spear phishing mails sending links or attachments to the target, which the target can ignore or can potentially detect the attack. Once the target with Internet Explorer 10 visited the hacked website, he is automatically infected with malware via an exploit. There is no further interaction required.

Further details about the vulnerability itself, or possibly other IE versions are vulnerable or locations are not published yet. Internet Explorer 10 has a global market share of 9.3%,  According to FireEye, FireEye discovered last year 11 zero-day vulnerabilities for which no update was available at the time of the attack. FireEye announcement is especially to warn the public. Microsoft is also informed about the vulnerability.

Mac malware distributed via and

mac virusVariants of a Trojan horse for Mac OS X that steal bitcoins for Mac users are found on major download sites as and Says SecureMac that already warned before for the CoinThief malware.

The malware was found primarily on the developer platform GitHub, but appears to be distributed via the popular download sites. On these sites CoinThief occurs when “Bitcoin Ticker TTM for Mac” and “Litecoin Ticker.” These are legitimate apps that are also available through the Mac App Store, but the versions on the App Store contained no malware. Continue reading