UPDATE (February 15, 2014): Update on the Linksys Router Worm, a Fix, and Further Actions
According to a post on the Internet Storm Center, a self-replicating worm is actively attacking specific models of Linksys routers common to home and small business use. Depending on the firmware version installed, the following routers are vulnerable:
- E4200
- E3200
- E3000
- E2500
- E2100L
- E2000
- E1550
- E1500
- E1200
- E1000
- E900
These are the currently known vulnerable router models, but the list may expand as more details are made available.
Dubbed "TheMoon" worm, it connects to port 8080 and then runs a CGI script running on the router. Once the exploit is able to connect successfully, it then downloads a 2MB file from the Internet that then executes and scans for other potential victims on which to install.
So far, the worm hasn't been identified to do anything else by just proliferate itself, but that could change depending on evidence of an additional payload.
More info when it's available.
