Admin-Ahead Community

General Category => General Discussion => Topic started by: nidhinjo on June 23, 2018, 10:30:01 pm

Title: ET WORM Themoon linksys.router 1
Post by: nidhinjo on June 23, 2018, 10:30:01 pm
Technical details about a vulnerability in Linksys routers that's being exploited by a new worm have been released along with a proof-of-concept exploit and a larger list of potentially vulnerable device models than earlier expected. The malware, named 'THE MOON', scans for other vulnerable devices to spread from router to router. In order to hack the router, the malware remotely calls the Home Network Administration Protocol (HNAP), which allows identification, configuration and management of networking devices.

The security researchers from the SANS Institute's Internet Storm Center identified a self-replicating malware program that exploits an authentication bypass vulnerability to infect Linksys routers. The worm has been named TheMoon. The initial report from SANS ISC said the vulnerability is located in a CGI script that's part of the administration interface of multiple Linksys E-Series router models. However, the SANS researchers didn't name the vulnerable CGI script at the time.

A Reddit user identified four CGI scripts that he believed were likely to be vulnerable. An exploit writer, who uses the online alias Rew, later confirmed that at least two of those scripts are vulnerable and published a proof-of-concept exploit.
The exploit also contains a list of Linksys routers that Rew believes might be vulnerable based on strings extracted from the original TheMoon malware.

Affected versions

The list includes not only models from the Linksys E-Series, but also from the Wireless-N product line.

The following models are listed: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N.

Recommendations

Install the latest firmware version and disable remote management on affected devices. This solution might not be practical for router administrators who need to manage devices deployed in remote locations, but so far it appears to be the only official mitigation strategy offered by the vendor.
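Since the worm reaches routers over HNAP, one way to check that remote management is really switched off (and to spot WAN-side HNAP probing) is to scan the device's web access log for HNAP requests that did not originate on the LAN. This is an added example, not code from the post or from Linksys: it assumes a common-log-style access log, that HNAP is served under the standard /HNAP1 path, and that anything outside RFC1918/loopback ranges is WAN-side; the log lines below are constructed.

```python
import ipaddress
import re
from typing import List, Tuple

# Apache/nginx style access-log line: client IP, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: the device serves HNAP under the protocol's usual /HNAP1 path
HNAP_PATH_PREFIX = "/HNAP1"

# Address ranges treated as "LAN side"; everything else is considered WAN-side.
# (Explicit list rather than ip_address().is_private, which also flags the
# documentation ranges used in the sample below as private.)
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fe80::/10",
)]

def is_lan_source(ip: str) -> bool:
    """True if the client address falls inside one of LAN_NETWORKS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # unparsable address: treat as untrusted
    return any(addr in net for net in LAN_NETWORKS)

def find_wan_hnap_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source_ip, summary) for each HNAP request not from the LAN."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue          # skip malformed lines instead of failing on them
        if not m["path"].startswith(HNAP_PATH_PREFIX):
            continue
        if is_lan_source(m["ip"]):
            continue
        hits.append((m["ts"], m["ip"], f'{m["method"]} {m["path"]} -> {m["status"]}'))
    return hits

# Constructed sample log; 203.0.113.x / 198.51.100.x stand in for WAN addresses
SAMPLE_LOG = """\
192.168.1.10 - - [23/Jun/2018:22:10:01 +0000] "POST /HNAP1/ HTTP/1.1" 200 512
203.0.113.45 - - [23/Jun/2018:22:10:05 +0000] "POST /HNAP1/ HTTP/1.1" 200 512
198.51.100.7 - - [23/Jun/2018:22:10:09 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.5 - - [23/Jun/2018:22:10:12 +0000] "GET /HNAP1/ HTTP/1.1" 200 256
203.0.113.45 - - [23/Jun/2018:22:10:15 +0000] "GET /HNAP1/ HTTP/1.1" 401 0
this line is not an access-log entry
"""

if __name__ == "__main__":
    for ts, ip, summary in find_wan_hnap_requests(SAMPLE_LOG):
        print(f"WAN-side HNAP request at {ts} from {ip}: {summary}")
```

A 200 response to a WAN-side HNAP request means the management interface is still reachable from outside and the firmware/remote-management fix from the recommendations has not taken effect.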