Could Your Linksys Be Infected?

Recently a new worm dubbed “TheMoon” was discovered exploiting a known vulnerability in a number of Linksys router models.  Once a router is infected it joins the chain and starts scanning for, and infecting, more Linksys routers.  Sort of like you’d imagine a zombie biting a person and turning that person into another zombie, and so on.

Known vulnerable router models are the E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500 and E1200, per Johannes Ullrich of the SANS Institute.

Thus far “TheMoon” is only being called a worm, since all it is currently doing is spreading.  Experts say it may turn out to be a “bot”, but as of right now a functional command and control channel has not been detected.  A few of the infected routers have had their DNS (domain name system) server changed to Google’s public resolvers; the reason for this is currently unknown, although one speculation is that it lets the worm bypass DNS policies set by certain ISPs.

In the sample Ullrich reviewed, the worm appears to target address ranges belonging to DSL and cable ISPs, including Charter, RCN, Cox, Comcast, Roadrunner, Bell, Shaw, Virtua, Telesp, RDSNET, Time.Net and Ziggo.

Indicators that your Linksys has been infected: heavy outbound scanning on ports 80 and 8080, or inbound connection attempts against miscellaneous ports below 1024.
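If you have connection logs from your firewall or router (syslog, NetFlow, or similar), those two indicators are easy to check for automatically. The script below is an added example, not code from the original post or from SANS; it assumes the logs have been normalised into a simple, hypothetical “timestamp direction src:port dst:port” text format, and the thresholds for “heavy” scanning are assumptions you should tune for your own network. It flags any internal host that has hit many distinct destinations on 80/8080, and any external peer that keeps knocking on low ports.

```python
"""Flag hosts whose connection logs match the TheMoon indicators the
post lists: heavy outbound scanning to ports 80/8080, and bursts of
inbound connection attempts against low (<1024) ports.

Added example, not code from the original post. The log format is a
hypothetical flow-style line ('ts dir src:sport dst:dport') that a
router syslog or NetFlow export might be normalised into; the thresholds
are assumptions and should be tuned per network.
"""
from collections import defaultdict

SCAN_PORTS = {80, 8080}          # outbound ports the worm probes
LOW_PORT_MAX = 1024              # inbound attempts below this are suspicious
OUT_DISTINCT_DST_THRESHOLD = 20  # distinct targets from one host (assumed)
IN_LOW_PORT_THRESHOLD = 10       # inbound attempts from one peer (assumed)


def parse_line(line):
    """Parse 'ts dir src:sport dst:dport' into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[1] not in ("out", "in"):
        return None
    try:
        src, sport = parts[2].rsplit(":", 1)
        dst, dport = parts[3].rsplit(":", 1)
        return {"ts": parts[0], "dir": parts[1], "src": src,
                "sport": int(sport), "dst": dst, "dport": int(dport)}
    except ValueError:
        return None


def find_suspects(lines, out_threshold=OUT_DISTINCT_DST_THRESHOLD,
                  in_threshold=IN_LOW_PORT_THRESHOLD):
    """Return {"outbound_scanners": {src: distinct_dst_count},
               "inbound_lowport_sources": {src: attempt_count}}.

    Counting *distinct* destinations (not packets) for the outbound check
    keeps a host that merely downloads a lot from one web server from
    being flagged; a worm sweep touches many different addresses.
    """
    out_targets = defaultdict(set)    # internal src -> distinct dsts on 80/8080
    in_lowport = defaultdict(int)     # external src -> inbound attempts < 1024
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                  # skip malformed lines rather than abort
        if rec["dir"] == "out" and rec["dport"] in SCAN_PORTS:
            out_targets[rec["src"]].add(rec["dst"])
        elif rec["dir"] == "in" and rec["dport"] < LOW_PORT_MAX:
            in_lowport[rec["src"]] += 1
    return {
        "outbound_scanners": {s: len(d) for s, d in out_targets.items()
                              if len(d) >= out_threshold},
        "inbound_lowport_sources": {s: n for s, n in in_lowport.items()
                                    if n >= in_threshold},
    }


# Constructed sample data (documentation IP ranges, not real traffic):
# one router (198.51.100.7) sweeping a /24 on port 8080, a normal LAN host
# browsing one site, an external peer hammering low ports, and a bad line.
SAMPLE_LOG = (
    [f"2014-02-13T10:00:{i:02d} out 198.51.100.7:4{i:04d} 203.0.113.{i}:8080"
     for i in range(1, 31)]
    + ["2014-02-13T10:01:00 out 192.168.1.20:50001 93.184.216.34:80",
       "2014-02-13T10:01:01 out 192.168.1.20:50002 93.184.216.34:443"]
    + [f"2014-02-13T10:02:{i:02d} in 203.0.113.200:5{i:04d} 198.51.100.7:{p}"
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 443, 445, 993, 995])]
    + ["garbage line"]
)

if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG))
```

On the constructed sample this reports 198.51.100.7 as an outbound scanner (30 distinct targets on 8080) and 203.0.113.200 as a source of 12 inbound low-port attempts, while the host that only browsed one site is left alone. Feed it real lines by adapting `parse_line` to whatever your logging produces.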

If you’re concerned your router has been infected, reboot it; the infection does not survive a reboot, and rebooted devices appear to return to their normal state.  That alone does not close the hole, though: a router still running vulnerable firmware can simply be reinfected, so also make sure it has been updated to the latest firmware version (infections have not been seen in routers with the latest update), and turn off remote administration from the WAN side if you don’t need it.



1 Comment

  1. subway surfer

    I was pretty pleased to uncover this web site. I need
    to thank you for your time just for this fantastic read!!
    I definitely enjoyed every bit of it and I also have you saved as a
    favorite to check out new things on your web site.
