Self-Replicating Malware Found in Linksys Routers


A recent alert issued by the Sans Institute reveals that some Linksys Routers,

specifically the Linksys E class, including the E1000, E1200, and E2400 routers, are falling victim to a self-replicating malware that researchers have named “The Moon.” Routers running the latest 2.0.06 version of Linksys firmware don’t seem to be affected by this malware.

“We do not know for sure if there is a command and control channel yet,” Johannes Ullrich wrote in the update. “But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie “The Moon” which we used as a name for the worm.”

This worm works by scanning the network for vulnerable devices and then infects those devices too. The exploit may change the DNS server on the routers to Google’s DNS.

Most infected devices are experiencing heavy outbound scanning on port 80 and 8080, and inbound attempts to random ports below 1024. If you would like to see if your device is infected enter the following command in Terminal (Mac) or Command Prompt (Windows):

echo "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080

If you get a response with XML HNAP your router may be vulnerable.

It may be time to update your firmware and restart your router. Unfortunately, there is no update available for E1000 models, since they are no longer supported.  To learn more about this exploit and what you can do to help if you own one of the affected routers,  please visit the Sans Institute website.

One Comment.
  1. Kit Pierce

    While Linksys may not provide support for the E1000 any longer, replacing your firmware with an alternate (such as DD-WRT) is still a very solid choice. Note, this will require some technical aptitude and could result in a broken router… but if you’ve been hacked already, some would consider that a wash. 😀

Comments have been disabled.