TheMoon worm spreads by Linksys routers

A worm called TheMoon, infects Linksys routers and when the routers are infected then it starts searching for other vulnerable routers. A few days ago, a US carrier already warned for the worm, that is targeting more routers then they first declared.

The worm connects to port 8080, whether or not via SSL. Then the “/HNAP1/” URL is requested, which asks for a list of router features and firmware versions. After this, the worm sends an exploit to the vulnerable CGI script that runs on these routers which needs no authentication.

Then a shell script is executed on the routers that is downloaded by the worm onto the Linksys router. The worm is about 2MB. Once the worm is actively looking for other victims it uses a list of about 670 different networks, all of which have to do with cable and DSL modems for Internet service providers in different countries. Infected routers are also used as a download location where newly infected routers can download the worm from.

The Moon

The worm was named TheMoon because the malware also contains a number of HTML pages with photos of the film “The Moon”. Possible signs of an infected router are many outgoing scan-traffic on port 80 and 8080, and incoming connections on different port numbers below port number 1024. Exactly which models are fragile and vulnerable is not known yet, but according the Internet Storm Center the following Linksys models may be vulnerable: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200 , E1000, E900.