A self-replicating worm is spreading among a number of different Linksys home and small business routers.

Researchers at the SANS Institute reported the outbreak yesterday and have not been able to determine whether there is a malicious payload or if the worm connects to a command and control server. Johannes B. Ullrich, chief technology officer at SANS said the worm appears at the moment to be doing little more than scanning for other vulnerable routers and seeding itself.

“The vulnerability allows the unauthenticated execution of arbitrary code on the router. We haven’t published all the details about the vulnerability yet as it appears to be unpatched in many routers,” Ullrich said, adding that Linksys has been notified.

Ullrich said an Internet service provider in Wyoming alerted SANS to the unusual network activity and SANS researchers were able to capture samples of the worm in its honeypots.

The worm has been dubbed The Moon because of a number of lunar references made in code strings that could be part of a command and control channel. SANS released an early list of vulnerable routers that could be vulnerable depending on the firmware version they’re running: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, and E900.

After landing on the router, Moon connects to port 8080 and using the Home Network Administration Protocol (HNAP) used in Cisco devices, calls for a list of router features and firmware versions, Ullrich said. Once it learns what type of router it has infected, it exploits a vulnerable CGI script that allows it to access the router without authentication and begins scanning for other vulnerable boxes.

“There are about 670 different IP ranges that it scans for other routers. They appear to all belong to different cable modem and DSL ISPs. They are distributed somewhat worldwide),” Ullrich said. “We are still working on analysis what it exactly does. But so far, it looks like all it does is spread (which is why we call it a worm “It may have a ‘call-home’ feature that will report back when it infected new hosts.”

It’s unclear what the payload is or whether it’s receiving commands, Ullrich said.

“We haven’t exactly worked out the command and control part yet. There is some evidence of at least a reporting feature,” he said. “It may make changes to DNS settings like a lot of other router exploits, but this is still work in progress.”

Changing the DNS settings on the router will redirect traffic to an attacker controlled site or allow them to monitor traffic in transit. Users will know they could be compromised if they log heavy outbound scanning in port 80 and 8080 and whether there are inbound connections on miscellaneous ports lower than 1024. Ullrich wrote on the SANS Internet Storm Center site that users can ping:

 echo “GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n” | nc routerip 8080

If an XML HNAP output is returned, then the vulnerability is likely present, Ullrich said.

Ullrich said that until Linksys-Belkin releases a patch or new firmware, users can turn off remote administration as a mitigation. Running the latest firmware is advised, but Ullrich said it is unclear whether that will be a help with this vulnerability until a patch is ready. Users may also limit access to the remote administrator interface to specific IP addresses and change the port number of the administration interface to make it more difficult to find.

Categories: Malware

Comments (4)

  1. double
    1

    The echo command should include “-e” option to parse the CRLF.


    echo -e "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080

  2. Michael Mimoso
    2

    I checked with SANS Institute and they told me that may depend on your OS. On OS X, the -e is not necessary, for example. Thanks for pointing that out.

Comments are closed.