Wireless routers have become a fairly common accessory for users at home and at office both. But if you have a Linksys router at either of the two places, you may be in trouble. A malware is currently targeting specific Linksys models.
Apparently, the Linksys routers that are vulnerable to this particular malware include Linksys E1000, E1200 and E2400. The malware starts its work by first requesting the model and firmware version of a given router through Home Network Administration Protocol (HNAP). Once it receive this information, the malware then sifts through it and sees if the said model is vulnerable.
It then sends a CGI script exploit to the router which is then able to break through the router’s security and get local command execution access. The malware is being called ‘The Moon’ and was first spotted by security researcher Johannes B. Ullrich.
For now, it is unclear as to what this malware aims to accomplish. It hasn’t committed any suspicious activity on the routers it has infected so far. Perhaps, the author of the malware aims to infect as many routers as possible before activating it and wrecking damage on the compromised devices.
If you have a Linksys router and need to check whether or not the said malware has infected it, run this command:
echo [-e] “GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n” | nc routerip 8080
If the command returns XMP HNAP, this may mean that your router has been compromised by ‘The Moon.’ Another indicator of the presence of this worm could be heavy traffic on port 80 and 8080. If you suspect either of this is true, disable Remote Administration on your router and immediately limit the router’s activity to a few trusted IP address.
Source: Johannes B. Ullrich