An unusual self-propagating worm has been discovered spreading among Linksys E-series routers, the popular home and small-office CPE. Johannes Ullrich, a researcher with the SANS Technology Institute, named the worm "the Moon" because it includes basic HTML pages with images based on the movie "The Moon." But here's the other thing: so far the worm just seems to "moon about," doing nothing beyond spreading itself.
While the Moon's code appears to include strings that point to a command-and-control channel, that channel doesn't seem to be in use, so for right now the worm is just moving from router to router, making copies of itself. If a C&C channel were activated in future, though, the infected routers would amount to a ready-made botnet.
Ullrich explained in a blog post that, upon infection, the worm first extracts the hardware version and firmware revision from the device and uses them to download and install the payload appropriate for that particular router, which then goes on to look for the next victims. The process starts with a Home Network Administration Protocol (HNAP) request; HNAP allows identification, configuration and management of networking devices such as routers. Routers that aren't configured for remote administration are not susceptible to the attack.
Ullrich said that the worm looks for infectable devices using a list of about 670 different networks that the routers could be connected to. They are all mainstream cable or DSL ISPs in various countries, including Comcast and Charter in the US.
Here's how it works, according to the SANS Institute: "The worm will connect first to port 8080, and if necessary using SSL, to request the '/HNAP1/' URL. This will return an XML formatted list of router features and firmware versions. Next, the worm will send an exploit to a vulnerable CGI script running on these routers. The request does not require authentication. The worm sends random admin credentials, but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability."
This second request launches a simple shell script, which in turn downloads the actual worm. The worm is about 2MB in size, and once it runs, the infected router scans for other victims. For each target, a new server listening on a different port is opened.
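The identification step above, the /HNAP1/ request and the parsing of the XML it returns, is the part a defender can safely reproduce: the same request tells you whether your own router answers on its WAN side, and what model and firmware it reports. The following is an added example written for this article, not code from SANS or from the worm. It assumes the reply is a SOAP/XML document with elements named VendorName, ModelName, ModelDescription and FirmwareVersion (typical of HNAP1 GetDeviceSettings replies, but not guaranteed for every firmware); the sample reply embedded below is constructed, not captured from a device.

```python
"""Parse the kind of HNAP1 device-description reply the Moon worm uses to
learn a router's model and firmware before picking a payload.

Added example for this article; it is not code from SANS or from the worm.
Element names such as VendorName, ModelName and FirmwareVersion are assumed
from typical HNAP1 GetDeviceSettings replies, and the sample XML below is
constructed, not captured from a device.
"""

import http.client
import re
import ssl
import xml.etree.ElementTree as ET

# Constructed sample reply (assumed layout of an HNAP1 GetDeviceSettings response).
SAMPLE_HNAP1_REPLY = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
      <VendorName>Linksys</VendorName>
      <ModelName>E1000</ModelName>
      <ModelDescription>Wireless-N Router</ModelDescription>
      <FirmwareVersion>2.1.02</FirmwareVersion>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>
"""

FIELDS = ("VendorName", "ModelName", "ModelDescription", "FirmwareVersion")
E_SERIES = re.compile(r"^E\d{3,4}$")  # E900, E1000, E1200, E4200 ... (assumed pattern)


def parse_hnap1(xml_text: str) -> dict:
    """Return the device fields present in an HNAP1 reply, keyed by local tag name.

    HNAP1 replies are namespaced SOAP, so the '{namespace}' prefix is stripped
    from each tag before matching; malformed XML raises ET.ParseError.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    info = {}
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]  # drop '{namespace}'
        if local in FIELDS and elem.text:
            info[local] = elem.text.strip()
    return info


def is_e_series(info: dict) -> bool:
    """True if the reply describes a Linksys E-series model, the family the worm targets."""
    return bool(E_SERIES.match(info.get("ModelName", "").upper()))


def fetch_hnap1(host: str, port: int = 8080, use_tls: bool = False, timeout: float = 5.0) -> str:
    """GET /HNAP1/ on the given host and port, as the worm does, and return the body.

    Run this from OUTSIDE your network against your own public IP: any reply
    means the management interface is reachable from the WAN, which is the
    precondition for infection. Router certificates are self-signed, so TLS
    verification is deliberately disabled for this probe.
    """
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/HNAP1/")
        resp = conn.getresponse()
        return resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


if __name__ == "__main__":
    info = parse_hnap1(SAMPLE_HNAP1_REPLY)
    print(info, "E-series:", is_e_series(info))
```

A connection refused or timeout from fetch_hnap1() against your public address is the outcome you want; a parsed reply naming an E-series model is a router that the worm can reach exactly as described above.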
Ullrich said there are several indicators of compromise to look for, including heavy outbound scanning on ports 80 and 8080, and inbound connection attempts to assorted ports below 1024.
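Both indicators can be checked mechanically against connection logs. The script below is an added example for this article, not SANS code: it flags any internal host that reaches an unusual number of distinct destinations on ports 80 or 8080, and any internal host that receives inbound attempts on several distinct ports below 1024. The record format ("timestamp direction src dst dport") and the log lines embedded in it are constructed for the example; adapt parse_records() to whatever your firewall or NetFlow export actually emits, and tune the thresholds to your own baseline.

```python
"""Triage connection logs for the two indicators of compromise Ullrich lists:
heavy outbound scanning on ports 80/8080 and inbound connection attempts to
assorted ports below 1024.

Added example for this article, not SANS code. The record format here is a
constructed, generic "timestamp direction src dst dport" flow line; adapt
parse_records() to whatever your firewall or NetFlow export actually emits.
"""

from collections import defaultdict

SCAN_PORTS = {80, 8080}


def parse_records(text: str) -> list:
    """Turn 'ts dir src dst dport' lines into (ts, dir, src, dst, int(dport)) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, direction, src, dst, dport = line.split()
        records.append((ts, direction, src, dst, int(dport)))
    return records


def find_outbound_scanners(records, min_targets: int = 10) -> dict:
    """Map each internal host to its distinct-destination count on 80/8080,
    keeping only hosts at or above the threshold. A CPE router normally talks
    to a handful of web hosts; the worm fans out across whole ISP ranges."""
    targets = defaultdict(set)
    for _ts, direction, src, dst, dport in records:
        if direction == "out" and dport in SCAN_PORTS:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_lowport_probe_targets(records, min_ports: int = 5) -> dict:
    """Map each internal host to the sorted list of distinct ports < 1024 that
    saw inbound connection attempts, keeping only hosts at or above the threshold."""
    ports = defaultdict(set)
    for _ts, direction, _src, dst, dport in records:
        if direction == "in" and dport < 1024:
            ports[dst].add(dport)
    return {dst: sorted(p) for dst, p in ports.items() if len(p) >= min_ports}


def triage(text: str) -> dict:
    """Run both checks over a log and return the findings."""
    records = parse_records(text)
    return {
        "outbound_scanners": find_outbound_scanners(records),
        "lowport_probe_targets": find_lowport_probe_targets(records),
    }


# Constructed sample: router 192.0.2.1 fans out to 18 hosts on 8080/80,
# receives probes on six low ports, and workstation 192.0.2.50 browses normally.
SAMPLE_LOG = "\n".join(
    [f"2014-02-13T10:00:{i:02d} out 192.0.2.1 198.51.100.{i} 8080" for i in range(1, 13)]
    + [f"2014-02-13T10:01:{i:02d} out 192.0.2.1 203.0.113.{i} 80" for i in range(1, 7)]
    + [f"2014-02-13T10:02:{i:02d} in 203.0.113.200 192.0.2.1 {p}"
       for i, p in enumerate((21, 23, 25, 53, 110, 443))]
    + [
        "2014-02-13T10:03:00 out 192.0.2.1 93.184.216.34 443",
        "2014-02-13T10:03:01 out 192.0.2.50 93.184.216.34 80",
        "2014-02-13T10:03:02 in 198.51.100.77 192.0.2.1 8080",
    ]
)


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind, hits or "none")
```

On the sample, the router is reported under both indicators while the workstation's single web connection and the router's one outbound HTTPS flow are ignored. In production, the outbound check is the stronger signal: the fan-out to hundreds of distinct hosts on 80/8080 has no benign explanation for a home router.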
Belkin said it is working on a fix, but in the meantime Ullrich offered some remediation tips. First, if a router does not need to be administered remotely, leave remote administration switched off, since the attack arrives through that interface. If remote administration is required, restricting access to the administrative interface by IP address will help reduce the risk. Users can also change the port of the interface to something other than 80 or 8080, the attack ports of choice for "Moon landings," as it were.