“A self-replicating program is infecting Linksys routers by exploiting an authentication bypass vulnerability in various models from the vendor’s E-Series product line,” Lucian Constantin reports for PCWorld.
“The attacks seem to be the result of a worm—a self-replicating program—that compromises Linksys routers and then uses those routers to scan for other vulnerable devices,” Constantin reports. “‘At this point, we are aware of a worm that is spreading among various models of Linksys routers,’ said Johannes Ullrich, the chief technology officer at SANS ISC, in a separate blog post. ‘We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200b, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900.’”
“The worm…has been dubbed ‘TheMoon’ because it contains the logo of Lunar Industries, a fictitious company from the 2009 movie ‘The Moon,’” Constantin reports. “It’s not clear what the purpose of the malware is other than spreading to additional devices. There are some strings in the binary that suggest the existence of a command-and-control server, which would make the threat a botnet that attackers could control remotely. Linksys is aware of the vulnerability in some E-Series routers and is working on a fix, said Mike Duin, a spokesman for Linksys owner Belkin, in an email Friday.”