Linksys home routers targeted and compromised in active campaign

A yet undetermined vulnerability affecting certain Linksys WiFi routers is being actively and massively exploited in the wild to infect the devices with a worm dubbed “TheMoon”, warns SANS senior instructor and ISC researcher Johannes Ullrich.

His and his colleagues’ investigation started after they were notified by a Wyoming-based ISP that some of its customers have had their Linksys routers and home networks compromised in the last few days.

“The routers, once compromised, scan port 80 and 8080 as fast as they can (saturating bandwidth available),” he explained in a post, adding that some of the routers may have had their DNS settings modified to point to Google’s DNS server.

“It is not clear which vulnerability is being exploited, but [the ISP administrator] eliminated weak passwords.”

So far, it seems that the exploit doesn’t work against Linksys’ E1200 routers with the latest firmware, but E1000 routers are vulnerable, even if they have the latest firmware.

The worm also attempts to download a “second stage” binary, which includes a set of hard-coded netblocks (probably blocks it scans) and likely instructions for contacting C&C servers. Other files are also ultimately downloaded.

Commenters have speculated that a remote command injection vulnerability might have been misused in the attacks. Also, that the routers’ DNS settings are modified to assist in MitM attacks, ultimately leading to financial theft.

Much is yet unknown about the situation, and while the researchers are delving into it, it might be a good idea to update your router’s firmware and, if you know how, to switch off its remote administration capacity.


“Linksys is aware of the malware called ‘The Moon’ that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the feature turned off by default,” the company has commented the discovery.

“Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled it can prevent further vulnerability to their network, by disabling it and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks.”

Don't miss