TheMoon worm spreads via Linksys routers

A worm called TheMoon infects Linksys routers, and once a router is infected it starts searching for other vulnerable routers. A few days ago a US carrier had already warned about the worm, which targets more router models than initially stated.

The worm connects to port 8080, with or without SSL. It then requests the "/HNAP1/" URL, which returns a list of router features and firmware versions. After this, the worm sends an exploit to a vulnerable CGI script running on these routers that requires no authentication.

The worm then downloads a shell script onto the Linksys router and executes it. The worm itself is about 2 MB. Once active, it looks for new victims using a list of about 670 different networks, all of which belong to cable and DSL modem address ranges of Internet service providers in different countries. Infected routers also serve as a download location from which newly infected routers fetch the worm.

The Moon

The worm was named TheMoon because the malware also contains a number of HTML pages with photos from the film "The Moon". Possible signs of an infected router are a lot of outgoing scan traffic on ports 80 and 8080, and incoming connections on various port numbers below 1024. Exactly which models are vulnerable is not yet known, but according to the Internet Storm Center the following Linksys models may be affected: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900.
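As an added detection example (not part of the original article), the following Python flags hosts that show the two signs of infection just described: fan-out to many distinct hosts on ports 80/8080, and inbound connections on ports below 1024. The flow-log format and the sample lines are constructed for the example, not captured data.

```python
# Added example (not from the article): flag hosts showing the two infection
# signs described above, given a constructed, simplified flow log with one
# connection per line: "<src_ip> <dst_ip> <dst_port> <direction>", where
# direction is "out" (LAN/router -> Internet) or "in" (Internet -> router).
from collections import defaultdict

SCAN_PORTS = {80, 8080}   # the worm hunts for the HNAP-enabled HTTP service
SCAN_THRESHOLD = 5        # distinct targets on those ports before we flag it
LOW_PORT_MAX = 1023       # inbound hits on ports below 1024 are the other sign

# Constructed sample: 192.168.1.1 fans out to many hosts on 80/8080 and takes
# inbound low-port connections; 10.0.0.7 is ordinary browsing to one host.
SAMPLE_FLOWS = """\
192.168.1.1 203.0.113.10 8080 out
192.168.1.1 203.0.113.11 8080 out
192.168.1.1 203.0.113.12 80 out
192.168.1.1 203.0.113.13 80 out
192.168.1.1 203.0.113.14 8080 out
198.51.100.9 192.168.1.1 21 in
198.51.100.9 192.168.1.1 23 in
10.0.0.7 203.0.113.10 80 out
10.0.0.7 203.0.113.10 80 out
10.0.0.7 203.0.113.10 443 out
"""

def parse_flows(text):
    """Yield (src, dst, port, direction), skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].isdigit():
            yield parts[0], parts[1], int(parts[2]), parts[3]

def find_suspects(text, threshold=SCAN_THRESHOLD):
    """Return {host: {"scan_targets": n, "low_port_inbound": m}} for each host
    that fans out to >= threshold distinct hosts on 80/8080, or that receives
    inbound connections on ports below 1024."""
    targets = defaultdict(set)      # src -> distinct dsts hit on scan ports
    low_inbound = defaultdict(int)  # dst -> inbound connections on low ports
    for src, dst, port, direction in parse_flows(text):
        if direction == "out" and port in SCAN_PORTS:
            targets[src].add(dst)
        elif direction == "in" and port <= LOW_PORT_MAX:
            low_inbound[dst] += 1
    report = {}
    for host in set(targets) | set(low_inbound):
        n, m = len(targets.get(host, ())), low_inbound.get(host, 0)
        if n >= threshold or m > 0:
            report[host] = {"scan_targets": n, "low_port_inbound": m}
    return report
```

Running `find_suspects(SAMPLE_FLOWS)` reports only 192.168.1.1; the browsing host 10.0.0.7 stays below the fan-out threshold and receives no inbound low-port connections.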