Researchers from the SANS Institute Internet Storm Center (ISC) issued an alert on February 12, 2014 stating that older models of the Linksys E-series router have been compromised. Early reports indicated that a self-replicating program, recently given the name TheMoon, which exploits authentication bypass vulnerabilities, causes the infection.
According to more recent information, the vulnerability has been found to exist in several models of the E-series and some Wireless-N routers. The information suggests that the following routers are vulnerable: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N.
What is TheMoon?
The malware, whose name comes from a Lunar Industries logo (a fictitious company from the 2009 movie "The Moon") embedded in its code, begins its work by requesting the /HNAP1/ URL from devices behind the scanned router IP address. HNAP, the Home Network Administration Protocol, was created by Cisco to allow identification, configuration, and management of connected network devices; the malware sends the HNAP request so that it can identify the router's model and firmware version.
Once a vulnerable device has been identified, the malware sends a new request to a specific CGI script that makes it possible to execute local commands on the device. The script contains an authentication bypass vulnerability, which has been identified and tested since the worm's discovery.
At this point, the vulnerability is exploited to download and execute a binary in ELF (Executable and Linkable Format) that is compiled for the MIPS platform. Once this file is running on the newly infected router, it begins scanning for further routers or devices that it can infect. The malware also opens an HTTP server on a random low-numbered port in order to distribute copies of itself to vulnerable devices once they are identified.
Since reports of the authentication bypass vulnerability appeared, Linksys has responded with an email statement and a technical article on preventing infection by TheMoon.
According to the technical article, "Linksys is aware of the malware called The Moon that has affected select older Linksys E-series Routers and select older Wireless-N access points and routers. We will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks."
The article also indicates there are two router settings that may prevent infection by TheMoon. The first is to disable Remote Management Access in the Administration tab of the router's web-based interface. The second is located in the Security tab of the web interface and requires checking the box beside Filter Anonymous Internet Requests. Please refer to the technical article for more specific information on securing your Linksys device.