Linksys Confirms Router-targeted 'TheMoon' Malware, Promises Firmware Fixes in Weeks Ahead

News Posted: Mon, Feb 17 2014 12:10 PM

Hot on the heels of a proof-of-concept exploit for 'TheMoon' being released, Linksys has confirmed the malware's existence and offered some initial guidance.

'TheMoon' is a self-replicating piece of malware (a worm) that targets a wide range of Linksys routers, all of which share a remote administration feature officially named "Remote Management Access". When that feature is enabled, the router's admin panel is exposed to the Internet, and a vulnerability lets an attacker bypass the router's authentication and reach the admin panel without credentials; the worm uses this bypass to spread from router to router. When the feature is disabled, the admin interface is not reachable from the Internet, so the worm has nothing to attack.

Linksys itself hasn't yet published a list of affected models beyond stating that it involves older E-Series and Wireless-N routers, but a researcher who examined the worm's own files extracted this list:

E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N

It's important to note that the above list might not be complete, and it might also include models that are not affected. Still, if you use any aging Linksys router and have enabled Remote Management Access, TheMoon is worth being cautious about.

Linksys has stated that firmware updates for all affected products are in the works, although it will be a couple of weeks before they reach its support site.
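A practical way to confirm the mitigation Linksys describes (disable Remote Management Access, then reboot) is to check from outside your own network whether the router's web admin interface answers on its public address at all. The script below is an added example written for this article; it is not code from Linksys, from the worm's authors, or from the exploit proof-of-concept. It assumes, which the article does not state, that the admin UI speaks HTTP on one of the common ports 80, 443 or 8080 and that Linksys-style firmware replies with an HTTP Basic authentication challenge or a login page. The sample response mentioned in the comments is constructed, and 203.0.113.10 is a documentation placeholder address, not a real target.

```python
"""Check from the Internet side whether a router's web admin interface is reachable.

Added example, not from the article, Linksys or the worm's authors. The guidance
in the article is to disable Remote Management Access and reboot; this verifies
the result externally. Run it from a host OUTSIDE the LAN (phone hotspot, VPS)
against your public IP; from inside, NAT loopback can give misleading answers.

Assumptions not stated in the article: the admin UI speaks HTTP on one of the
common ports 80, 443 or 8080, and Linksys-style firmware replies with an HTTP
Basic challenge (401 + WWW-Authenticate) or a login page.
"""
import re
import socket
import ssl
import sys

CANDIDATE_PORTS = (80, 443, 8080)  # assumed common admin ports, not from the article
TIMEOUT = 4.0

_STATUS_LINE = re.compile(r"HTTP/\d\.\d (\d{3})")
_BASIC_REALM = re.compile(r'^WWW-Authenticate:\s*Basic\s+realm="?([^"\r\n]*)"?', re.I | re.M)


def classify_response(raw: bytes) -> dict:
    """Classify the raw bytes a WAN-side probe received.

    status is one of: 'closed' (nothing answered), 'basic-auth' (HTTP 401 with a
    Basic realm, typical of a router admin UI), 'web-page' (2xx/3xx reply), or
    'other' (something answered but it is not a recognised HTTP success/auth reply).
    """
    if not raw:
        return {"status": "closed", "code": None, "realm": None}
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    m = _STATUS_LINE.match(head)
    if not m:
        return {"status": "other", "code": None, "realm": None}
    code = int(m.group(1))
    realm = _BASIC_REALM.search(head)
    if code == 401 and realm:
        # The realm often names the device, e.g. a constructed 'Linksys E4200'.
        return {"status": "basic-auth", "code": code, "realm": realm.group(1).strip()}
    if 200 <= code < 400:
        return {"status": "web-page", "code": code, "realm": None}
    return {"status": "other", "code": code, "realm": None}


def probe(host: str, port: int) -> bytes:
    """Connect, send a minimal HEAD request and return the response head bytes.

    Returns b'' when the port is closed or filtered, or when the TLS/HTTP exchange
    fails; anything else means some service answered on the WAN address.
    """
    sock = None
    try:
        sock = socket.create_connection((host, port), timeout=TIMEOUT)
        if port == 443:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # router certs are normally self-signed
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.settimeout(TIMEOUT)
        sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
        buf = b""
        while b"\r\n\r\n" not in buf and len(buf) < 16384:
            data = sock.recv(4096)
            if not data:
                break
            buf += data
        return buf
    except OSError:  # covers ConnectionRefusedError, socket.timeout and ssl.SSLError
        return b""
    finally:
        if sock is not None:
            sock.close()


def audit(host: str, ports=CANDIDATE_PORTS) -> dict:
    """Probe every candidate port and return {port: classification}."""
    return {port: classify_response(probe(host, port)) for port in ports}


def exposed(results: dict) -> bool:
    """True if anything at all answered: with remote management off, nothing should."""
    return any(r["status"] != "closed" for r in results.values())


if __name__ == "__main__":
    # 203.0.113.10 is a documentation placeholder (TEST-NET-3); pass your public IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    results = audit(target)
    for port, r in sorted(results.items()):
        detail = f" realm={r['realm']!r}" if r["realm"] else ""
        print(f"{target}:{port} -> {r['status']}{detail}")
    if exposed(results):
        print("VERDICT: a service answered on the WAN side; check that Remote "
              "Management Access is disabled, reboot, and re-run.")
    else:
        print("VERDICT: nothing answered; the admin interface is not reachable "
              "from the Internet on these ports.")
```

Run it as `python check_wan_admin.py <your public IP>` from a connection outside your LAN. A `basic-auth` result whose realm names a router model is the clearest sign that the admin panel is Internet-facing; after disabling Remote Management Access and rebooting, every candidate port should come back `closed`. A port that stays open may also belong to a deliberate port forward, so read the realm and status code before assuming it is the router itself.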

Addendum: Belkin has reached out to us to provide an official statement:

Linksys is aware of the malware called “The Moon” that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network, by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks.
CDeeter replied on Mon, Feb 17 2014 6:14 PM

Nice to hear Linksys is working on this, and by the sounds of it, as long as you haven't intentionally turned on remote access, you're fine.

Dave_HH replied on Mon, Feb 17 2014 7:47 PM

Good thing I use DD-WRT. :)

Editor In Chief

digitaldd replied on Wed, Feb 19 2014 1:18 PM

And if you have an affected router, you may need to log in to it from a wired connection to access the panel that has the remote management check-box. I ran into this with my girlfriend's router over the weekend. If it weren't this, we'd be hearing about all the vulnerabilities in HNAP, or Home Network Administration Protocol, or the open FTP access on Asus' routers.
