From the desk of: Sam C. Chan

Advisory:   Linksys Router Vulnerability - The Moon

Published:  September 5, 2014   
LAST REVISED: SEP 11 2014  
plus various minor addenda thru-out the page

During the investigation of a reported adware phishing pop-up incident, which persisted and recurred even after removal of a relevant browser add-on, I noticed an anomaly: the DHCP station was not using DNS server from the ISP (Earthlink, in this case). Close examination revealed that their router settings contained unauthorized alterations. Further digging led me to an official announcement from Linksys about a breach to their products.

Technical Summary

  • First announced and acknowledged by the vendor in February 2014.
  • It was discovered by a French "hacker" Eloi Vanderbeken, and subsequently reported by American researcher Johannes B. Ullrich at SANS InfoSec in January 2014.
  • A worm named "The Moon" has been "in the wild" targeting Linksys routers.
  • It exploits a vulnerability in those Linux-based router's CGI script, which enables the worm to  commandeer the router without login credentials.
  • It performs scans and attempts to infect other devices/hosts, which at times, generates such saturated WAN traffic on port 80 and 8080 that it renders the outbound ISP connection practically unusable.
  • It modifies the router DHCP Server entries to direct clients to a rotating group of  rogue DNS servers, achieving DNS hijack for phishing and  MITM* attacks.
  • From time to time, it curiously points users to the 8.8.8.8 DNS server operated by Google. The exact purposes and intends are unclear at this point.
  • Linksys Officially stated affected models: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N
  • I personally strongly suspect that the EA series, while notably omitted, is also similarly affected.  Likewise for Belkin and Netgear.    ADDENDUM NOV 5 2014 CONFIRMED POSITIVE!  Refer to "SEE ALSO" section at bottom for relevant links re: EA (Smart wifi) series..

Practical Consequences & Implications

  • Internet performance degradation, with no apparent schedule/pattern.
  • Serious potential leak of confidential info/data:
    • your web site login name and passwords could be captured by 3rd parties
    • even your so-called "secure SSL sessions" via https protocol (including online banking) could be useless, as you're actually encrypting with the "middleman," who can decrypt everything, and relay it to your intended destinations.
  • Note: the point of infiltration and infestation is at the router, but the symptoms are manifest at the workstations, e.g. surreptitiously injected content (such as pop-up messages and banners, audio streams), purportedly from the legitimate sites visited.

SANS InfoSec initial report:
   https://isc.sans.edu/diary/Linksys...17633

Linksys addressing this breach in a knowledge base article:
   http://kb.linksys.com/Linksys/ukp.aspx?...

An excerpt of the Linksys kb article is cached here
for redundancy and archival purposes,
as captured by Bravo on Sep. 5, 2014:

For historical reference only!
NOT a valid guide for remedy!

 

How to prevent your Linksys router from getting The Moon malware

Article ID: 29259

Linksys is aware of the malware called The Moon that has affected select older Linksys Wi-Fi Routers and Wireless-N access points and routers.  We will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks.

What is The Moon malware?
 
The Moon malware bypasses authentication on the router by logging in without actually knowing the admin credentials.  Once infected, the router starts flooding the network with ports 80 and 8080 outbound traffic, resulting in heavy data activity.  This can be manifested as having unusually slow Internet connectivity on all devices.
 
What should I do to prevent this malware from infecting my router?
 
There are several steps on how to prevent The Moon malware from infecting your network.  Follow the steps below to learn how:
 
Step 1:
Access the routerís web-based setup page.  To learn how, click here.  If youíre using a Macģ computer, click here
 
Step 2:
Verify if your Linksys router has the latest firmware.  The current firmware version can be seen in the upper-right corner of the web-based setup page.  If your router doesnít have the latest firmware version, update it through the Linksys Support Site.  To learn how, click here.
 
Step 3:
Once you have verified that the router has the latest firmware, click the Administration tab
NOTE:  If you have upgraded the firmware of the router, access the routerís web-based setup page again then click on the Administration tab.
 
Step 4:
Make sure that the Remote Management option under the Remote Management Access section is set to Disabled.
 
Step 5:
Click the Security tab.
 
Step 6:
Make sure that the Filter Anonymous Internet Requests option under Internet Filter is checked.
 
Step 7:
Click Save Settings.
 
Step 8:
Power cycle the router by unplugging it from the power source then plugging it back in.  This should clear the cache and remove the malware if your router has been infected.

END OF CACHED PAGE from Linksys

 

What to do? 

  • Obtain and apply the patched firmware upgrade ASAP. Monitor the developing situation, as repatching might be required in the near future. As always, there are risks involved when patching router firmware: In rare cases, the router could be rendered inoperable during the process and require factory service.
  • While I'm aware of other mitigating strategies, I deem them unfit for listing here. Those interim conditional sidestepping tricks would rapidly degenerate into endless explanations of prerequisites + disclaimers, and are ultimately ineffective.
  • The only valid solution is to directly address the stem cause: thwart the underlying Linux code base backdoor breach, via firmware patch.   ADDENDUM FEB 12 2015 As of today, 2.0.00 is holding up nicely on a closely monitored e2500. No discernible symptoms. No further field reports raising new concerns.


SEE ALSO:  
vastly expanded on MAR 17, 2015

 

*MITM: Man-In-The-Middle attack. Surreptitiously become a relay, and being able to eavesdrop, record, inject, omit and alter transmissions.

Visions * Integrity * Perspectives Solutions, not products. Expertise, not hype. Rationales, not ideologies.

Copyright @2005-2006   Bravo Technology Center  *  Bravo:GO  *  Contact Us