Linksys “TheMoon” Router Worm

The SANS ISC has reported on a worm affecting Linksys routers. In short, the worm first queries a potential target router to determine whether it is vulnerable; if the router meets the requirements, the worm uses an exploit in a CGI script to pull down a binary, which is then executed. Authentication appears not to be required for the exploit, and therefore for the worm, to function, even when an admin password is set. The infected router then searches for other vulnerable routers to infect, and so the cycle continues. The full details are on the ISC page; I have only paraphrased them here.

I would hope that Linksys releases updated firmware for the affected routers in a timely manner. I also expect this would only be able to affect routers enabled for remote administration, but as many ISPs enable this on the routers they supply their customers to aid remote troubleshooting (in the event of the customer calling tech support) and often don't restrict the source IP, I imagine that there exists potential for entire netblocks of DSL CPEs to be infected.

Obviously, if you have a Linksys device with remote administration enabled, you should disable that feature immediately until updated firmware is supplied by the vendor.
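The propagation step described above (an infected router probing the remote-administration port of many other routers) is something an ISP can spot in flow data from its own network. The following is an added example, not code from this post or from the ISC report: it takes constructed flow records and flags any source that contacts the admin port of many distinct customer routers, distinguishing a source that is itself inside the customer pool (the worm's signature) from an outside scanner, while exempting the ISP's own support range. The admin port, the customer pool and the NOC range are all assumptions made up for the example.

```python
"""Flag customer-premises routers that are probing the remote-admin port of many
other CPEs, i.e. the worm-style scanning behaviour described in the post.
All addresses, ports and flow records below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed: the ISP's DSL customer pool and the NOC range that is legitimately
# allowed to reach the routers' remote-administration interface.
CPE_POOL = ipaddress.ip_network("198.51.100.0/24")
NOC_RANGE = ipaddress.ip_network("203.0.113.0/28")
# Assumed remote-administration port for this example (not taken from the report).
ADMIN_PORTS = {8080}


@dataclass(frozen=True)
class Flow:
    """One simplified flow record: who talked to which address on which port."""
    src: str
    dst: str
    dport: int


def admin_flows(flows):
    """Keep only flows aimed at the admin port of a router inside the customer pool."""
    return [
        f for f in flows
        if f.dport in ADMIN_PORTS and ipaddress.ip_address(f.dst) in CPE_POOL
    ]


def find_scanners(flows, min_targets=5):
    """Return {source: set(targets)} for every non-NOC source that touched the admin
    port of at least `min_targets` distinct customer routers."""
    targets = defaultdict(set)
    for f in admin_flows(flows):
        if ipaddress.ip_address(f.src) in NOC_RANGE:
            continue  # remote troubleshooting from the support network is expected
        targets[f.src].add(f.dst)
    return {src: hit for src, hit in targets.items() if len(hit) >= min_targets}


def classify(src):
    """A scanning source that lives in the customer pool is most likely an infected
    CPE looking for new victims; anything else is an outside scanner."""
    return "infected-cpe" if ipaddress.ip_address(src) in CPE_POOL else "external-scanner"


def report(flows, min_targets=5):
    """Summarise scanners as (source, number_of_targets, label), most active first."""
    found = find_scanners(flows, min_targets)
    rows = [(src, len(hit), classify(src)) for src, hit in found.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample: one customer router sweeping eight neighbours on the admin
# port, NOC support reaching ten routers (exempt), an outside host touching only
# two routers (below threshold) and one ordinary HTTPS flow from the same CPE.
SAMPLE_FLOWS = (
    [Flow("198.51.100.17", f"198.51.100.{n}", 8080) for n in range(20, 28)]
    + [Flow("203.0.113.5", f"198.51.100.{n}", 8080) for n in range(40, 50)]
    + [Flow("192.0.2.9", "198.51.100.60", 8080), Flow("192.0.2.9", "198.51.100.61", 8080)]
    + [Flow("198.51.100.17", "93.184.216.34", 443)]
)

if __name__ == "__main__":
    for src, count, label in report(SAMPLE_FLOWS):
        print(f"{src}: {count} customer routers on admin port -> {label}")
```

Running it against the constructed sample reports only `198.51.100.17` (eight targets, labelled `infected-cpe`); the NOC range is skipped and the two-target outside host stays under the threshold. The threshold and the NOC exemption are the two knobs to tune against real flow data.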
