A mysterious worm discovered last week, dubbed “TheMoon,” attacked Linksys routers and made the devices, popular for home and small office networks, see the dark side of the moon. Literally – the worm includes simple HTML pages with images loosely based on the science fiction movie “Moon”.
Johannes Ullrich, a security researcher at the Sans Institute’s Internet Storm Center, wrote a blog post last Wednesday, dubbing the malicious self-replicating software “TheMoon,” and describing its method of infecting vulnerable devices. In that post he also provided a list of router firmware versions that appeared vulnerable to attack and a one line diagnostic for system administrators to quickly verify if their routers are infected.
The attack uses a remote management interface which appears to have a bug allowing programs stored in the router to be run from afar without any proper credentials being provided. Typically this interface is only available to administrators after logging in with an appropriate password.
Ulrich also observed that, although the worm contains code which could be used for relaying data or instructions to a CnC (command and control) center, no reports or traffic analysis indicated that it was doing so.
Linksys was soon aware of the issue and posted a notification a few days after the Sans post which included steps to protect the E-series devices susceptible to the attack. This consisted mostly of turning off the Remote Management Access feature, a feature turned off by default on the routers.
On Wednesday “TheMoon” simply replicated itself rapidly, attacked ever more devices, annoyed Linksys router administrators who were confused to see mysterious pictures of the moon – the whole issue more a bizarre cyber side-show than a full-blown dark security concern.
This may change with the release of a proof of concept exploit today by a user on the social network Reddit. Going by the online alias of “Rew”, he provided the names of the internal programs, which he believes are likely to be exploited by malicious hackers, and example code to demonstrate how it could be done.
“I was hoping this would stay under wraps until a firmware patch could be released,” Rew wrote, “but it appears the cat is out of the bag.”
He also indicated that routers other than those from the E-series, originally thought to be the only devices open to attack, were open to intrusion, including some wireless products from Linksys. He listed many of the devices he considered possible attack vectors, but mentioned that he could not verify the accuracy or completeness of the list.
Belkin, owner of Linksys, did confirm that some of their Wireless-N devices are affected but would not release model numbers or names. The director of global communications at Belkin, Karen Sohl, is reported to have said that customers can reboot their routers, after turning off the remote management interface, to remove the worm. This suggests that the worm cannot survive a reboot, but since Linksys also posted a notice promising “a firmware fix that is planned to be posted on our website in the coming weeks.” it could be that a simple reboot is not enough to remove the worm.
This attack on Linksys routers by “TheMoon” reminds us again that the dark side of the internet can be a mysterious landscape filled with people who want us to see what they can do – and maybe more.
By Brian Ryer