Self-replicating ‘TheMoon’ worm crawls into Belkin’s Linksys routers

“A self-replicating program is infecting Linksys routers by exploiting an authentication bypass vulnerability in various models from the vendor’s E-Series product line,” Lucian Constantin reports for PCWorld.

“The attack seems to be the result of a worm—a self-replicating program—that compromises Linksys routers and then uses those routers to scan for other vulnerable devices,” Constantin reports. “‘At this point, we are aware of a worm that is spreading among various models of Linksys routers,’ said Johannes Ullrich, the chief technology officer at SANS ISC, in a separate blog post. ‘We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200b, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900.’”

“The worm…has been dubbed ‘TheMoon’ because it contains the logo of Lunar Industries, a fictitious company from the 2009 movie ‘The Moon,’” Constantin reports. “It’s not clear what the purpose of the malware is other than spreading to additional devices. There are some strings in the binary that suggest the existence of a command-and-control server, which would make the threat a botnet that attackers could control remotely. Linksys is aware of the vulnerability in some E-Series routers and is working on a fix, said Mike Duin, a spokesman for Linksys owner Belkin, in an email Friday.”

10 Comments

    1. I think you answered your own question. A “niche product” is likely one that does not get the highest level of security scrutiny by Linksys software engineers and so it is more likely to have weak security, not stronger.

  1. I’d be interested in how much memory space this potential bot has to play around in on these routers. Knowing this would help define the capabilities a bot could have.

    Anyway, Linksys has had plenty of security problems recently! I hope Linksys doesn’t sit on this one. It’s a whopper.
