There’s a new threat to one of the most popular equipment manufacturers. Malware targeting multiple Linksys routers is turning up all over the place – and it’s not immediately apparent what this particular worm is up to.
The malware – dubbed “The Moon” – scans routers trying to find out more information about them, according to research by the SANS Institute. It appears to be searching for:
- the router model, and
- the version of firmware it’s running.
That could indicate this malware looking for outdated or unpatched hardware to infect.
Spreads to other victims
The second wave of the attack is to request the actual worm – a small file with an unknown impact. This worm then replicates itself, scanning for other victims.
The odd thing: It’s not quite clear what this worm does. It looks to just be spreading without any end goal.
Right now it appears to just be spreading far and wide across the Internet. It could be that this is just an experiment for a hacker. Or it could be a test run to see how easily more malicious software could spread. At this point, it’s all speculation, though.
Of course that doesn’t mean you shouldn’t be concerned.
So far, the list of vulnerable routers includes Linksys':
- E1000, and
If you have one of these routers, SANS has a test you can do to see if you’re infected:
Detecting potentially vulnerable system:echo "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080
if you get the XML HNAP output back, then you MAY be vulnerable.
At the end of the day, the best lesson: Make sure firmware is up to date. It’s just as important as updating applications, if not more so. And make sure you disable the remote management option on your router if possible.