Get your server issues fixed by our experts for a price starting at just 25 USD/Hour. Click here to register and open a ticket with us now!

Author Topic: ET WORM Themoon linksys.router 1  (Read 2609 times)

0 Members and 1 Guest are viewing this topic.

nidhinjo

  • Guest
ET WORM Themoon linksys.router 1
« on: June 23, 2018, 10:30:01 pm »
Technical details about a vulnerability in Linksys routers that's being exploited by a new worm have been released along with a proof-of-concept exploit and a larger than earlier expected list of potentially vulnerable device models.The Malware named as ‘THE MOON’, scans for other vulnerable devices to spread from router to router.In order to hack the Router, malware remotely calls the Home Network Administration Protocol (HNAP), allows identification, configuration and management of networking devices.


The security researchers from the SANS Institute's Internet Storm Center identified a self-replicating malware program that exploits an authentication bypass vulnerability to infect Linksys routers. The worm has been named TheMoon. The initial report from SANS ISC said the vulnerability is located in a CGI script that's part of the administration interface of multiple Linksys' E-Series router models. However, the SANS researchers didn't name the vulnerable CGI script at the time.

A Reddit user identified four CGI scripts that he believed were likely to be vulnerable. An exploit writer, who uses the online alias Rew, later confirmed that at least two of those scripts are vulnerable and published a proof-of-concept exploit.
The exploit also contains a list of Linksys routers that Rew believes might be vulnerable based on strings extracted from the original TheMoon malware.

Affected version

The list includes not only models from the Linksys E-Series, but also from the Wireless-N product line.

The following models are listed: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N.

Recommendations

Install the latest firmware version and disable remote management on affected devices.This solution might not be practical for router administrators who need to manage devices deployed in remote locations, but so far it appears to be the only official mitigation strategy offered by the vendor.