Tuesday 18 February 2014

The Moon router worm. Your anti-virus has probably been updated to detect it, but won’t protect you

Late last week news emerged of a worm that was spreading between Linksys routers.
What’s unusual about the worm, which has been dubbed “The Moon”, is that it doesn’t infect computers. In fact, it never gets as far as your computer.
And that means up-to-date anti-virus software running on your computer isn’t going to stop it. The worm never reaches a device which has anti-virus protection running on it.
And it also means that the worm doesn’t care whether your computer is running Windows, Mac OS X, or a flavour of Unix. It’s irrelevant. Your Linksys router could still be at risk.
Because the only things that The Moon worm is interested in infecting are Linksys routers – like the one you might use to connect computers in your home or office to the internet – that suffer from an authentication bypass vulnerability.
The self-replicating worm compromises your Linksys router, without needing to know your router’s password, and then uses the device to scan for other vulnerable routers on the internet.
One consequence of this is that a lot of network traffic can be generated by the worm, slowing down internet access.
The following Linksys routers are thought to be vulnerable:
E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N.
Linksys says it is working on a firmware fix for the vulnerability, and that it plans to post it “in the coming weeks”.
[Image: Linksys Moon advisory]
It is, of course, a race against time as hackers might attempt to exploit the same vulnerability for more obviously malicious purposes. There is already evidence that script kiddies have created working exploits of the vulnerability.
While a proper firmware fix is awaited, Linksys is encouraging owners of Linksys routers to update their firmware to the latest version and disable remote management.
[Image: Linksys screenshot]
Hmm… wouldn’t it have been better if Linksys had also advised users to choose HTTPS access in that screenshot?
[Image: Linksys screenshot]
Whatever brand of router you use in your home or small office, you should consider disabling features which might expose you to risk.
For instance, turning off remote administration and limiting access to specific trusted IP addresses can reduce the potential attack surface, and make life much harder for online criminals who may attempt to infiltrate your network.
Furthermore, make sure you are not still using the default password that shipped with your router.
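As an added example (not code from the original post), here is a small Python audit that checks a router-settings record against the advice above: remote management off, HTTPS if it must stay on, access limited to trusted addresses, and no default password. The record layout, field names and the default-password list are assumptions constructed for this example, not Linksys’s actual configuration format.

```python
import ipaddress

# Constructed representation of a router's admin settings; the field names are
# assumptions for this example and are not Linksys's real configuration format.
WEAK_CONFIG = {
    "remote_management": True,
    "remote_https_only": False,
    "remote_allowed_ips": ["any"],            # "any" = reachable from every address
    "admin_password": "admin",
}

HARDENED_CONFIG = {
    "remote_management": False,
    "remote_https_only": True,
    "remote_allowed_ips": ["203.0.113.10/32"],  # documentation-range example address
    "admin_password": "Xq7!vR2p-long-unique",
}

# Small set of common default credentials; an assumption, not a vendor list.
DEFAULT_PASSWORDS = {"admin", "password", "", "1234"}


def allows_whole_internet(allowed):
    """True if any entry lets every source address reach the admin interface."""
    for entry in allowed:
        if entry.strip().lower() in ("any", "*"):
            return True
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return True          # unparsable rule: treat as open, to be safe
        if net.prefixlen == 0:   # 0.0.0.0/0 or ::/0 covers the whole internet
            return True
    return False


def audit(cfg):
    """Return the list of findings for one router configuration."""
    findings = []
    if cfg["remote_management"]:
        findings.append("remote management enabled: admin UI reachable from the WAN")
        if not cfg["remote_https_only"]:
            findings.append("remote management not restricted to HTTPS")
        if allows_whole_internet(cfg["remote_allowed_ips"]):
            findings.append("remote management not limited to trusted IP addresses")
    if cfg["admin_password"] in DEFAULT_PASSWORDS:
        findings.append("router still uses a default password")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```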
