Self-replicating Worm Actively Attacking Linksys Routers

UPDATE (February 15, 2014): Update on the Linksys Router Worm, a Fix, and Further Actions

According to a post on the Internet Storm Center, a self-replicating worm is actively attacking specific models of Linksys routers common to home and small business use. Depending on the firmware version installed, the following routers are vulnerable:

  • E4200
  • E3200
  • E3000
  • E2500
  • E2100L
  • E2000
  • E1550
  • E1500
  • E1200
  • E1000
  • E900

These are the currently known vulnerable router models, but the list may expand as more details are made available.

Dubbed "TheMoon", the worm connects to port 8080 and runs a CGI script on the router. Once the exploit connects successfully, it downloads a 2MB file from the Internet, which then executes and scans for other potential victims on which to install itself.

So far, the worm hasn't been identified as doing anything other than proliferating itself, but that could change depending on evidence of an additional payload.
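The scanning behaviour described above leaves a recognisable trace in connection logs: one source contacting many different hosts on port 8080 in a short time. The following is an added example, not code from the original post or from the Internet Storm Center. The log format, addresses, time window and threshold are all constructed assumptions, and it assumes the scanning targets the same port 8080 the post names.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WORM_PORT = 8080                  # port named in the post
WINDOW = timedelta(seconds=60)    # assumption: tune for your network
MIN_DISTINCT_DSTS = 5             # assumption: tune for your network

# Constructed flow records (documentation addresses): "time src dst dport"
SAMPLE_LOG = """\
2014-02-13T10:00:00 192.0.2.10 198.51.100.1 8080
2014-02-13T10:00:02 192.0.2.10 198.51.100.2 8080
2014-02-13T10:00:03 192.0.2.20 203.0.113.50 8080
2014-02-13T10:00:04 192.0.2.10 198.51.100.3 8080
2014-02-13T10:00:05 192.0.2.40 198.51.100.7 443
2014-02-13T10:00:06 192.0.2.10 198.51.100.4 8080
2014-02-13T10:00:08 192.0.2.10 198.51.100.5 8080
2014-02-13T10:00:10 192.0.2.10 198.51.100.6 8080
2014-02-13T10:02:00 192.0.2.30 198.51.100.1 8080
2014-02-13T10:04:00 192.0.2.30 198.51.100.2 8080
2014-02-13T10:06:00 192.0.2.30 198.51.100.3 8080
2014-02-13T10:08:00 192.0.2.30 198.51.100.4 8080
2014-02-13T10:10:00 192.0.2.30 198.51.100.5 8080
"""

def find_scanners(log_text, port=WORM_PORT, window=WINDOW,
                  min_dsts=MIN_DISTINCT_DSTS):
    """Return {src: peak count of distinct hosts hit on `port` within `window`}."""
    # Records must be in time order; only sources reaching min_dsts are returned.
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs still in window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, src, dst, dport = line.split()
        if int(dport) != port:
            continue
        ts = datetime.fromisoformat(ts_text)
        seen = recent[src]
        seen.append((ts, dst))
        while ts - seen[0][0] > window:      # drop entries older than the window
            seen.popleft()
        distinct = len({d for _, d in seen})
        if distinct >= min_dsts:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct hosts contacted on port {WORM_PORT}")
```

In the sample, only 192.0.2.10 is reported: the host that repeatedly uses a single port-8080 service, the slow one, and the one on port 443 all stay below the threshold.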

More info when it's available.
