Router Vulnerability - The Moon
Published: September 5, 2014
LAST REVISED: SEP 11 2014
plus various minor addenda thru-out the page
During the investigation of a reported adware phishing pop-up
incident, which persisted and recurred even after removal of a relevant browser
add-on, I noticed an anomaly: the DHCP station was not using DNS server from the
ISP (Earthlink, in this case). Close examination revealed that their router settings contained
unauthorized alterations. Further digging led me to an official
announcement from Linksys about a breach to their products.
- First announced and acknowledged by the vendor in
- It was discovered by a French "hacker" Eloi Vanderbeken, and
subsequently reported by American researcher Johannes B. Ullrich at SANS
InfoSec in January 2014.
- A worm named "The Moon" has been "in the wild"
targeting Linksys routers.
- It exploits a vulnerability in those Linux-based router's CGI script,
which enables the worm to commandeer
the router without login credentials.
- It performs scans and attempts to infect other devices/hosts,
which at times, generates such saturated WAN traffic on port 80 and
8080 that it
renders the outbound ISP connection practically unusable.
- It modifies the router DHCP Server entries to direct clients to
a rotating group of rogue DNS servers, achieving DNS hijack for phishing
and MITM* attacks.
- From time to time, it curiously points users to the
126.96.36.199 DNS server
operated by Google. The exact purposes and intends are unclear at
- Linksys Officially stated affected models:
E4200, E3200, E3000, E2500,
E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N,
WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N,
WRT320N, WRT160N and WRT150N
- I personally strongly suspect that the EA series,
while notably omitted, is also similarly affected. Likewise
for Belkin and Netgear.
NOV 5 2014
CONFIRMED POSITIVE! Refer to "SEE ALSO" section at bottom for
relevant links re: EA (Smart wifi) series..
Practical Consequences & Implications
- Internet performance degradation, with no apparent
- Serious potential leak of confidential info/data:
- your web site login name and passwords could be captured by
- even your so-called "secure SSL sessions" via https protocol
(including online banking) could be useless, as you're actually
encrypting with the "middleman," who can decrypt everything, and
relay it to your intended destinations.
- Note: the point of infiltration and infestation is at the
router, but the symptoms are manifest at the workstations, e.g.
surreptitiously injected content (such as pop-up messages and
banners, audio streams), purportedly from the legitimate sites
SANS InfoSec initial report:
Linksys addressing this breach in a knowledge base article:
An excerpt of the Linksys kb article is cached here
for redundancy and archival purposes,
captured by Bravo on Sep. 5, 2014:
For historical reference only!
NOT a valid guide for remedy!
How to prevent your Linksys router from getting The Moon
Linksys is aware of the malware called The Moon that has affected
select older Linksys Wi-Fi Routers and Wireless-N access points
and routers. We will be working on the affected products with a
firmware fix that is planned to be posted on our website in the
What is The Moon malware?
malware bypasses authentication on the router by logging in
without actually knowing the admin credentials. Once infected,
the router starts flooding the network with ports 80 and 8080
outbound traffic, resulting in heavy data activity. This can be
manifested as having unusually slow Internet connectivity on all
What should I do to prevent this malware from
infecting my router?
There are several steps on how to
prevent The Moon malware from infecting your network. Follow the
steps below to learn how:
Access the routerís web-based setup page. To learn
. If youíre using a Macģ computer, click
Verify if your Linksys router
has the latest firmware. The current firmware version can be
seen in the upper-right corner of the web-based setup page.
If your router doesnít have the latest firmware version,
update it through the Linksys Support Site. To learn how,
Once you have verified that the router has the
latest firmware, click the Administration tab
NOTE: If you have upgraded the firmware of the router, access
the routerís web-based setup page again then click on the
Make sure that the
Remote Management option under the Remote Management Access
section is set to Disabled.
Click the Security tab.
Make sure that the Filter Anonymous Internet
Requests option under Internet Filter is checked.
Click Save Settings.
Power cycle the router by unplugging it from the power source
then plugging it back in. This should clear the cache and
remove the malware if your router has been infected.
END OF CACHED PAGE from Linksys
What to do?
- Obtain and apply the patched firmware upgrade ASAP. Monitor the
developing situation, as repatching might be required in the near
future. As always, there
are risks involved when patching router firmware: In rare cases, the
router could be rendered inoperable during the process and require
- While I'm aware of other mitigating strategies, I deem them
unfit for listing here. Those interim conditional
sidestepping tricks would rapidly degenerate into endless
explanations of prerequisites + disclaimers, and are ultimately
- The only valid solution is to directly address the stem cause:
thwart the underlying Linux code base backdoor breach, via firmware
12 2015 As of today, 2.0.00 is holding
up nicely on a closely monitored e2500. No discernible symptoms. No
further field reports raising new concerns.
SEE ALSO: vastly expanded on
MAR 17, 2015
*MITM: Man-In-The-Middle attack. Surreptitiously become a relay, and
being able to eavesdrop, record, inject, omit and alter transmissions.