Discussion on Linksys Malware ‘The Moon’

Posted: February 18, 2014 in Analysis, Vulnerabilities


Today almost all household and commercial environments are equipped with Wi-Fi networks, and the heart of such a network is the wireless access point. In households and small commercial environments, wireless routers play a larger role than dedicated wireless access points. The bootstrap programs and instructions of these devices are stored in a special type of memory known as "firmware". Researchers recently found malware in the wild that targets this firmware on Linksys wireless routers and can replicate itself to similar devices. It does so by exploiting authentication-bypass and code-execution vulnerabilities in the Linksys wireless routers. The malware, named 'The Moon', scans for other vulnerable devices in order to spread from router to router, and researchers have confirmed that the worm has already infected around 1,000 Linksys E1000, E1200 and E2400 routers.

To compromise the router, the malware remotely calls the Home Network Administration Protocol (HNAP), which allows identification, configuration and management of networking devices. The malware first requests the model and firmware version of the router over HNAP and, if the device is found to be vulnerable, sends a CGI script exploit that gives it local command-execution access on the device. Linksys's parent company has confirmed that the HNAP implementation has a security flaw for which exploit code is publicly available on the Internet.

To what extent this worm can be dangerous is still an open question.

You can use the following command to verify whether your device is vulnerable or not:

echo -e "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080

If you receive an XML HNAP reply, your device is likely exposed to the worm affecting Linksys devices and preventive measures should be taken. Also keep an eye on the logs for ports 80 and 8080. Users are recommended to disable Remote Administration on their device, or to restrict administration rights to a limited number of trusted IP addresses.
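The self-check and log review described above, wrapped into a small POSIX shell script. This is an added example, not code from the original post or from Linksys; the reply text, log lines and the routerip placeholder are constructed, and the classification rule (HTTP 200 plus an XML body mentioning HNAP) is an assumption based on the post's "XML HNAP reply" criterion.

```shell
#!/bin/sh
# Added example: HNAP exposure self-check and log scan for ports 80/8080.
# All sample data is constructed; "routerip" is a placeholder for your own router.

# Build the probe with printf so it works in sh as well as bash (echo -e is not POSIX).
hnap_probe_request() {
    printf 'GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n'
}

# Send the probe to the remote-administration port (default 8080) with a 5 s timeout.
# Run only against your own router; prints the raw reply, if any.
hnap_probe() {
    router_ip="$1"; port="${2:-8080}"
    hnap_probe_request | nc -w 5 "$router_ip" "$port"
}

# Classify a captured reply: 0 ("exposed") when the router answered HTTP 200 with an
# XML document that mentions HNAP, 1 otherwise (closed port, error status, non-XML body).
hnap_reply_exposed() {
    reply="$1"
    printf '%s' "$reply" | grep -qi '^HTTP/1\.[01] 200' || return 1
    printf '%s' "$reply" | grep -qi '<?xml' || return 1
    printf '%s' "$reply" | grep -q 'HNAP' || return 1
    return 0
}

# Count HNAP probe requests in an Apache/CLF-style access log read from stdin.
count_hnap_probes() {
    grep -c 'GET /HNAP1/' || true      # grep -c exits 1 when the count is 0
}

# List distinct source addresses that sent HNAP probes (log on stdin).
hnap_probe_sources() {
    grep 'GET /HNAP1/' | awk '{print $1}' | sort -u
}

# Constructed sample reply, shaped like a positive HNAP answer.
SAMPLE_XML_REPLY='HTTP/1.1 200 OK
Content-Type: text/xml

<?xml version="1.0" encoding="utf-8"?>
<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/"><ModelName>E1200</ModelName></GetDeviceSettingsResponse>'

# Constructed sample reply from a router that does not expose HNAP.
SAMPLE_404_REPLY='HTTP/1.1 404 Not Found
Content-Type: text/html

<html><body>Not Found</body></html>'

# Constructed access-log lines: two HNAP probes from two hosts, plus normal traffic.
SAMPLE_LOG='192.0.2.10 - - [18/Feb/2014:10:01:02 +0000] "GET /HNAP1/ HTTP/1.1" 200 512
10.0.0.5 - - [18/Feb/2014:10:02:00 +0000] "GET /index.asp HTTP/1.1" 200 2048
198.51.100.7 - - [18/Feb/2014:10:05:00 +0000] "GET /HNAP1/ HTTP/1.1" 200 512'
```

Against a live device, `hnap_probe routerip` followed by `hnap_reply_exposed "$reply"` reproduces the manual check; the sample variables let you exercise the logic with no network access.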

Source : THN, SANS
