FYI...Linksys home routers targeted and compromised in active campaign
Feb 13, 2014 - "... undetermined vulnerability affecting certain Linksys WiFi routers is being actively and massively exploited in the wild to infect the devices with a worm dubbed "TheMoon"* ... investigation started after they were notified by a Wyoming-based ISP that some of its customers have had their Linksys routers and home networks -compromised- in the last few days. "The routers, once compromised, scan port 80 and 8080 as fast as they can (saturating bandwidth available)"... it seems that the exploit doesn't work against Linksys' E1200 routers with the latest firmware, but E1000 routers are -vulnerable- even if they have the latest firmware. The worm also attempts to download a "second stage" binary, which includes a set of hard-coded netblocks (probably blocks it scans) and likely instructions for contacting C&C servers. Other files are also ultimately downloaded... Much is yet unknown about the situation, and while the researchers are delving into it, it might be a good idea to update your router's firmware and, if you know how, to switch -off- its remote administration
Upgrading the Linksys router’s firmware ...
What we know so far...
Last Updated: 2014-02-13 18:37:18 UTC - "... At this point, we are aware of a worm that is spreading among various models of Linksys routers. We do not have a definite list of routers that are vulnerable, but the following routers -may- be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900. The worm will connect first to port 8080, and if necessary using SSL, to request the "/HNAP1/" URL. This will return an XML formatted list of router features and firmware versions. The worm appears to extract the router hardware version and the firmware revision... the worm will send an exploit to a vulnerable CGI script running on these routers. The request does not require authentication. The worm sends random "admin" credentials but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability. This second request will launch a simple shell script that will request the actual worm. The worm is about 2MB in size, samples that we captured so far appear pretty much identical but for a random trailer at the end of the binary... We do not know for sure if there is a command and control channel yet. But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie "The Moon" which we used as a name for the worm. We call this a "worm" at this point, as all it appears to do is spread. This may be a "bot" if there is a functional command and control channel present..." (More detail at the ISC URL above.)
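As an added defender-side example (not code from the ISC write-up or the article quoted above), a small Python script that flags the two behaviours described: a /HNAP1/ fingerprint request followed by a request to a CGI script from the same source, and the fan-out scanning of ports 80 and 8080 by a compromised router. The log and flow records are constructed samples, and the CGI path is a placeholder since the write-up does not name the vulnerable script.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines ("src_ip dst_port method path status").
# The CGI path is a placeholder; the write-up does not name the vulnerable script.
SAMPLE_LOG = """\
203.0.113.5 8080 GET /HNAP1/ 200
203.0.113.5 8080 POST /cgi-bin/PLACEHOLDER.cgi 200
198.51.100.7 80 GET /index.html 200
192.0.2.9 8080 GET /HNAP1/ 200
""".splitlines()

# Constructed sample flow records ("src_ip dst_ip dst_port") as an ISP might see them.
SAMPLE_FLOWS = """\
203.0.113.5 10.0.0.1 80
203.0.113.5 10.0.0.2 8080
203.0.113.5 10.0.0.3 80
203.0.113.5 10.0.0.4 8080
198.51.100.7 10.0.0.1 80
192.0.2.9 10.0.0.5 443
""".splitlines()

LOG_RE = re.compile(r"^(\S+) (\d+) (GET|POST) (\S+) (\d+)$")


def hnap_then_cgi(lines):
    """Sources that fetched /HNAP1/ and later hit a CGI script: the fingerprint
    step followed by the unauthenticated exploit request described above."""
    saw_hnap, flagged = set(), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, _port, _method, path, _status = m.groups()
        if path == "/HNAP1/":
            saw_hnap.add(src)
        elif src in saw_hnap and path.endswith(".cgi"):
            flagged.add(src)
    return flagged


def scanning_sources(flows, min_targets=3):
    """Sources contacting at least min_targets distinct hosts on 80/8080,
    the fan-out a compromised router shows while it scans."""
    targets = defaultdict(set)
    for line in flows:
        parts = line.split()
        if len(parts) == 3 and parts[2] in ("80", "8080"):
            targets[parts[0]].add(parts[1])
    return {src for src, hosts in targets.items() if len(hosts) >= min_targets}
```

Sources that only fetch /HNAP1/ (a one-off scan, or a legitimate client) are not flagged; the CGI follow-up from the same source is what distinguishes the worm's sequence.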
Feb 18, 2014 - "... Administrators and users are advised to -Disable- Remote Administration of their device, which protects them from the attack