The Moon router worm. Your anti-virus has probably been updated to detect it, but won’t protect you

Late last week news emerged of a worm that was spreading between Linksys routers.

What’s unusual about the worm, which has been dubbed “The Moon”, is that it doesn’t infect computers. In fact, it never gets as far as your computer.

And that means up-to-date anti-virus software running on your computer isn’t going to stop it. The worm never reaches a device which has anti-virus protection running on it.

And it also means that the worm doesn’t care whether your computer is running Windows, Mac OS X, or a flavour of Unix. It’s irrelevant. Your Linksys router could still be at risk.

Because the only things that The Moon worm is interested in infecting are Linksys routers – like the one you might use to connect computers in your home or office to the internet – that suffer from an authentication bypass vulnerability.

The self-replicating worm compromises your Linksys router, without needing to know your router’s password, and then uses the device to scan for other vulnerable routers on the internet.

One consequence of this is that a lot of network traffic can be generated by the worm, slowing down internet access.
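The scanning behaviour described above leaves a recognisable trace: one source address fanning out to many distinct destinations on the web-management ports in a short time. The following is an added example (not code from the original article or from Linksys) of a small detector for that pattern, run over constructed, NetFlow-style log lines rather than a real capture. The log format (`timestamp src dst dport proto`), the addresses, and the threshold of 20 distinct destinations in 60 seconds are all assumptions chosen for illustration.

```python
"""Flag hosts that fan out to many distinct destinations on TCP 80/8080,
the ports a router-scanning worm would probe, from flow-style log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports a web-managed router answers on; assumption for this example.
WORM_PORTS = {80, 8080}


def build_sample_log():
    """Construct sample log lines (not from any real network).

    One line per connection attempt: "timestamp src dst dport proto".
    203.0.113.1 plays an infected router sweeping a /24; 192.168.1.20
    is an ordinary client visiting three web sites.
    """
    lines = []
    base = datetime(2014, 2, 17, 10, 0, 0)
    for i in range(30):
        t = base + timedelta(seconds=i)
        port = 80 if i % 2 else 8080
        lines.append(f"{t.isoformat()} 203.0.113.1 198.51.100.{i + 1} {port} tcp")
    for i, host in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        t = base + timedelta(seconds=i * 10)
        lines.append(f"{t.isoformat()} 192.168.1.20 {host} 80 tcp")
    return "\n".join(lines)


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def find_scanners(log_text, window=timedelta(seconds=60), threshold=20):
    """Return {src: max_distinct_destinations} for sources that contacted
    at least `threshold` distinct hosts on WORM_PORTS within `window`."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_line(line)
        if proto == "tcp" and dport in WORM_PORTS:
            events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort()  # sliding window needs time order
        start = 0
        for end in range(len(evs)):
            # Drop events that fell out of the window behind `end`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


if __name__ == "__main__":
    for src, count in find_scanners(build_sample_log()).items():
        print(f"possible router scanner: {src} hit {count} distinct hosts")
```

Counting distinct destinations rather than raw connections is what separates a sweep from a busy but legitimate client, which reuses a handful of hosts. A home user will rarely have flow logs from their own router; the pattern matters more for ISPs and anyone running a flow collector at the network edge, who would see an infected router's WAN address behaving this way.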

The following Linksys routers are thought to be vulnerable:

E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N.

Linksys says it is working on a firmware fix for the vulnerability, and that it plans to post it “in the coming weeks”.

Linksys Moon advisory

It is, of course, a race against time as hackers might attempt to exploit the same vulnerability for more obviously malicious purposes. There is already evidence that script kiddies have created working exploits of the vulnerability.

While a proper firmware fix is awaited, Linksys is encouraging owners of Linksys routers to update their firmware to the latest version and disable remote management.

Linksys screenshot

Hmm… wouldn’t it have been better if Linksys had also advised users to choose HTTPS access in that screenshot?

Linksys screenshot

Whatever brand of router you use in your home or small office, you should consider disabling features which might expose you to risk.

For instance, turning off remote administration altogether, or, if you genuinely need it, restricting it to specific trusted IP addresses, reduces the attack surface and makes life much harder for online criminals who may attempt to infiltrate your network.

Furthermore, make sure you are not still using the default password that shipped with your router. A strong password won’t stop a worm that bypasses authentication entirely, as The Moon does, but it does shut out the far more common attacks that simply try the factory defaults.


5 Responses

  1. Andrew Downes February 18, 2014 at 10:52 am #

    So, I use a Samknows monitor device which uses custom firmware on a Linksys router. Is it vulnerable, how would I know?

  2. Flying Dutchman February 18, 2014 at 12:58 pm #

    I'm shocked to read this. And hey – I would not be surprised to see a sudden, coordinated attack taking place at short notice, now that the word is out, only to bring a large portion of Western internet traffic to a grinding halt. This is even fancier / easier for the jerks out there than a DDoS attack can ever be. Could it be state sponsored, I'm asking myself.

    And yes, it is painful to see that HTTP enabled.

    Ouch.

    Some people will never learn from their mistakes.

    • Jesse S February 19, 2014 at 4:57 pm #

      The reason HTTP is enabled by default is because most routers don't ship with a proper SSL Cert, so using HTTPS would mean relying on the local self-signed certificate, which is not something they want the average user to work on.

  3. Ganesh Pandian July 23, 2014 at 4:54 am #

    Not just Linksys ones, mine are Beetel 450TC2 and I am also having the same issue. This appears only when connected to my home Broadband connection.
