
Linksys Routers Getting Infected by "TheMoon" Worm

2014-02-16 03:28 by

Researchers at the SANS Institute's Internet Storm Center (ISC) say they have uncovered an ongoing attack that infects Linksys home and small-office wireless routers with self-replicating malware, most likely by exploiting a code-execution vulnerability in the device firmware. Dubbed "TheMoon," the worm compromises a Linksys router and then scans for other vulnerable devices.

The malware is affecting Linksys E-series models E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000 and E900, and possibly more depending on firmware, though the ISC does not have a comprehensive list of the Linksys router models that are vulnerable.

"The worm will connect first to port 8080, and if necessary using SSL, to request the '/HNAP1/' URL," ISC explained in a diary post. "This will return an XML formatted list of router features and firmware versions. The worm appears to extract the router hardware version and the firmware revision."

"The worm is about 2MB in size, samples that we captured so far appear pretty much identical but for a random trailer at the end of the binary. The file is an ELF MIPS binary," the ISC added. "An infected router will also serve the binary at a random low port for new victims to download. This http server is only opened for a short period of time, and for each target, a new server with a different port is opened."
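The two behaviours the ISC describes (outbound connections to port 8080 on many hosts, then a previously contacted host fetching from a low port on the router) can be correlated in flow records. The sketch below is an added example, not ISC or Linksys code; the CSV layout, the thresholds, the reading of "low port" as below 1024 and the function name are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records in time order (documentation IPs, not real traffic).
SAMPLE_FLOWS = """\
src,dst,dport
203.0.113.10,198.51.100.1,8080
203.0.113.10,198.51.100.2,8080
198.51.100.2,203.0.113.10,193
203.0.113.10,198.51.100.3,8080
203.0.113.10,198.51.100.4,8080
198.51.100.4,203.0.113.10,722
203.0.113.20,198.51.100.9,8080
192.0.2.50,203.0.113.20,443
192.0.2.51,203.0.113.20,443
"""

SCAN_FANOUT = 3          # assumed threshold: distinct hosts contacted on 8080
LOW_PORT_MAX = 1023      # assumption: "low port" read as below 1024
MIN_CALLBACK_PORTS = 2   # assumed threshold: distinct low ports fetched from


def suspected_infected(flow_csv, routers):
    """Map each monitored router IP that shows both behaviours to its evidence."""
    probed = defaultdict(set)     # router -> hosts it contacted on port 8080
    callbacks = defaultdict(set)  # router -> low ports fetched by hosts it probed
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst, port = row["src"], row["dst"], int(row["dport"])
        if src in routers and port == 8080:
            probed[src].add(dst)
        elif dst in routers and port <= LOW_PORT_MAX and src in probed[dst]:
            # A previously probed host connects back to a low port on the router.
            callbacks[dst].add(port)
    return {
        r: {"probed": len(probed[r]), "callback_ports": sorted(callbacks[r])}
        for r in sorted(routers)
        if len(probed[r]) >= SCAN_FANOUT and len(callbacks[r]) >= MIN_CALLBACK_PORTS
    }


if __name__ == "__main__":
    print(suspected_infected(SAMPLE_FLOWS, {"203.0.113.10", "203.0.113.20"}))
```

In the sample, the second router is not flagged: its single port-8080 connection is below the fan-out threshold, and its inbound port-443 traffic comes from hosts it never contacted.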

Linksys is aware of the vulnerability in some E-Series routers and is working on a fix, said Mike Duin, a spokesman for Linksys owner Belkin, in an email Friday.
