Mass Exploitation of Linksys routers – E1000 & E1200 by “TheMoon”

Johannes B, a security researcher from SANS, has posted a warning for users about a self-replicating malware named "The Moon" that has been exploiting authentication-bypass and code-execution vulnerabilities on Linksys E1000 and E1200 wireless routers.
How does it work?
The malware remotely calls the Home Network Administration Protocol (HNAP), which allows identification, configuration and management of networking devices. The malware uses HNAP to verify the model and firmware version of the router. If the version is vulnerable, the malware sends an exploit that gives it command-execution access to the device.

“The routers, once compromised, scan port 80 and 8080 as fast as they can (saturating bandwidth available),” he explained in a post, adding that some of the routers may have had their DNS settings modified to point to Google’s DNS server.

Belkin, the company that owns Linksys, has confirmed that this vulnerability exists on its routers and that the exploit is available online.

How to verify the vulnerability:

To verify whether your device is vulnerable, use the following command (the -e flag makes echo interpret the \r\n sequences so that a valid HTTP request line and headers are sent):

echo -e "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080

If you receive an XML HNAP reply, your device is likely exposed to the worm affecting Linksys devices and preventive measures should be taken, says thehackernews.
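A scripted version of the check above, added here as an example and not taken from the original post, SANS or Linksys: it sends the same GET /HNAP1/ request to a router you administer and treats an HTTP 200 XML reply that mentions the HNAP1 namespace as the "exposed" signal. The sample replies are constructed, and the ModelName/FirmwareVersion element names are assumed.

```python
"""Check whether a router answers HNAP on its remote-management port."""
import re
import socket
from typing import Optional

def build_hnap_probe(host: str) -> bytes:
    """Same request as the echo | nc one-liner above, as raw HTTP/1.1 bytes."""
    return f"GET /HNAP1/ HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

def parse_hnap_reply(raw: str) -> Optional[dict]:
    """Return model/firmware if `raw` is an XML HNAP reply, otherwise None."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep or not head.startswith("HTTP/1.1 200"):
        return None
    # An HNAP reply is XML (SOAP-style) and carries the HNAP1 namespace.
    if "<?xml" not in body and "text/xml" not in head.lower():
        return None
    if "HNAP1" not in body:
        return None
    def tag(name: str) -> str:  # element names assumed, not from the post
        m = re.search(rf"<{name}>([^<]*)</{name}>", body)
        return m.group(1) if m else "unknown"
    return {"model": tag("ModelName"), "firmware": tag("FirmwareVersion")}

def probe_router(host: str, port: int = 8080, timeout: float = 5.0) -> Optional[dict]:
    """Send the probe to your own router and interpret whatever comes back."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_hnap_probe(host))
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # router closed slowly; parse what we have
    return parse_hnap_reply(b"".join(chunks).decode(errors="replace"))

# Constructed sample replies (not captured from a real device) for offline use.
SAMPLE_HNAP_REPLY = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    '<?xml version="1.0" encoding="utf-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">'
    "<ModelName>E1200</ModelName><FirmwareVersion>1.0.04</FirmwareVersion>"
    "</GetDeviceSettingsResponse></soap:Body></soap:Envelope>"
)
SAMPLE_NON_HNAP_REPLY = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>no</html>"

if __name__ == "__main__":
    print(parse_hnap_reply(SAMPLE_HNAP_REPLY))  # prints the model and firmware
```

A reply of None means the port did not answer as an HNAP endpoint; a dict means remote management is reachable and the router should be checked against the mitigation below.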
Recommendation:
However, if the version was updated this attack will not be successful. The users who have not enabled the Remote Management Access feature are not susceptible to this specific malware.

Customers who have enabled it can prevent further vulnerability to their network by disabling it and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks." – Linksys noted
