The Moon router worm. Your anti-virus has probably been updated to detect it, but won’t protect you

Graham Cluley

Late last week news emerged of a worm that was spreading between Linksys routers.

What’s unusual about the worm, which has been dubbed “The Moon”, is that it doesn’t infect computers. In fact, it never gets as far as your computer.

And that means up-to-date anti-virus software running on your computer isn’t going to stop it. Your anti-virus vendor may well have added detection for the worm’s code, but the worm never reaches a device that has anti-virus protection running on it, so there is nothing for that detection to catch.

And it also means that the worm doesn’t care whether your computer is running Windows, Mac OS X, or a flavour of Unix. It’s irrelevant. Your Linksys router could still be at risk.


Because the only things The Moon worm is interested in infecting are Linksys routers – like the one you might use to connect the computers in your home or office to the internet – that suffer from an authentication bypass vulnerability in their management interface.

The self-replicating worm compromises your Linksys router, without needing to know your router’s password, and then uses the device to scan for other vulnerable routers on the internet.

One consequence of this is that an infected router generates a lot of scanning traffic as it hunts for new victims, which can slow down your internet access noticeably.
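The scanning behaviour described above is what you would look for upstream of a suspect router. The following is an added example, not code from the original article: a heuristic that flags any source contacting many distinct hosts on the HTTP management ports within a short window. The log format (epoch seconds, source IP, destination IP, destination port, one record per line), the sample records, and the choice of ports 80 and 8080 are all assumptions made for the example; the article does not state which ports the worm scans.

```python
"""Spot worm-style scanning in outbound connection records.

Added example, not from the original article. Input is an ASSUMED simplified
flow log: "epoch_seconds src_ip dst_ip dst_port", one record per line, such as
a firewall or NetFlow exporter between the router and the ISP might produce.
"""
from collections import defaultdict


def build_sample_log():
    """Constructed sample data (not real traffic): one host sweeping a /24 on
    the HTTP management ports, one host doing ordinary browsing over HTTPS."""
    lines = []
    t = 1392600000
    # Scanner: sequential destinations, alternating ports 80 and 8080.
    for i in range(1, 41):
        port = 80 if i % 2 else 8080
        lines.append(f"{t} 203.0.113.5 198.51.100.{i} {port}")
    # Ordinary browsing: a few destinations, some repeated, port 443.
    for i, dst in enumerate(["192.0.2.10", "192.0.2.20", "192.0.2.10", "192.0.2.30"]):
        lines.append(f"{t + 5 * i} 203.0.113.77 {dst} 443")
    return "\n".join(lines)


def parse(log_text):
    """Yield (ts, src, dst, port) tuples, skipping blank and comment lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        yield int(ts), src, dst, int(port)


def find_scanners(log_text, ports=(80, 8080), window_s=60, min_unique_dsts=20):
    """Return {src: peak_unique_destinations} for every source that contacted
    at least min_unique_dsts distinct hosts on the watched ports inside any
    window_s-second span. Only connections to `ports` are considered."""
    per_src = defaultdict(list)  # src -> [(ts, dst), ...]
    for ts, src, dst, port in parse(log_text):
        if port in ports:
            per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()  # by timestamp, then destination
        left = 0
        for right in range(len(events)):
            # Slide the window's left edge forward until it fits in window_s.
            while events[right][0] - events[left][0] > window_s:
                left += 1
            uniq = len({dst for _, dst in events[left:right + 1]})
            if uniq >= min_unique_dsts:
                hits[src] = max(hits.get(src, 0), uniq)
    return hits


if __name__ == "__main__":
    for src, count in find_scanners(build_sample_log()).items():
        print(f"possible scanner {src}: {count} distinct hosts on management ports")
```

Ordinary web browsing also fans out to many hosts on port 80, so treat the threshold as a starting point to tune against your own baseline rather than a fixed rule; a home router that suddenly contacts dozens of sequential addresses on 80/8080 with no browser session behind it is the pattern worth investigating.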

The following Linksys routers are thought to be vulnerable:

E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N.

Linksys says it is working on a firmware fix for the vulnerability, and that it plans to post it “in the coming weeks”.

Linksys Moon advisory

It is, of course, a race against time, as other attackers might exploit the same vulnerability for more obviously malicious purposes than spreading a worm. There is already evidence that script kiddies have created working exploits for it.

While a proper firmware fix is awaited, Linksys is encouraging owners of Linksys routers to update their firmware to the latest version and disable remote management.

Linksys screenshot

Hmm… wouldn’t it have been better if Linksys had also advised users to choose HTTPS access in that screenshot?

Linksys screenshot

Whatever brand of router you use in your home or small office, you should consider disabling features which might expose you to risk.

For instance, turning off remote administration altogether removes the attack surface this worm relies on; if you genuinely need it, restricting access to specific trusted IP addresses and HTTPS only makes life much harder for online criminals who may attempt to infiltrate your network.

Furthermore, make sure you are not still using the default password that shipped with your router.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

7 comments on “The Moon router worm. Your anti-virus has probably been updated to detect it, but won’t protect you”

  1. So, I use a Samknows monitor device which uses custom firmware on a Linksys router. Is it vulnerable, how would I know?

  2. Flying Dutchman

    I'm shocked to read this. And hey – I would not be surprised to see a sudden, coordinated attack taking place at short notice, now that the word is out, only to bring a large portion of Western internet traffic to a grinding halt. This is even fancier / easier for the jerks out there than a DDoS attack can ever be. Could it be state sponsored, I'm asking myself.

    And yes, it is painful to see that HTTP enabled.


    Some people will never learn from their mistakes.

    1. Jesse S · in reply to Flying Dutchman

      The reason HTTP is enabled by default is because most routers don't ship with a proper SSL Cert, so using HTTPS would mean relying on the local self-signed certificate, which is not something they want the average user to work on.

    2. CSev · in reply to Flying Dutchman

      I know it's an old post, but nonetheless, HTTPS provides security against man-in-the-middle attacks.
      If it's at the point where someone has access to the traffic between you on your local network and your router (which likely involves hardware access), someone trying to change your router's settings is the least of your problems.

      As long as external access is disabled HTTPS will not give you much security, if any at all. Of course it's an entirely different story for remote-access, which should only be enabled through HTTPS, even a self-signed certificate is better than none there.

  3. Ganesh Pandian

    Not just Linksys ones, mine are Beetel 450TC2 and I am also having the same issue. This appears only when connected to my home Broadband connection.

  4. Bobby

    This thing got into my Linksys EA2700. Maybe coincidentally, but I attempted to download the "adobe" update and the problems ensued. Continued pop-ups, "unauthorized access" warning pages with actual phone numbers to call, mouse will not work on most links on webpages, Windows Defender got shut down and I cannot get it back, I cannot log on as the administrator unless in "safe mode". I finally read where this virus affected my Linksys router. So I deleted Cisco Connect from my PC and tried to re-install the router and update the firmware. My computer went into a "4th of July" mode with ALL (I had about 7 or 8 pages open) the pages flashing at the speed of light, trying to reload the browser. I finally got it to shut down and rebooted, but I am at a loss. My router is connected again but with very little signal strength. However, the "guest router" (which I didn't even know I had) has full signal. Anyone got any ideas? I'm thinking "new" router. Bobby
