Archive for February 16th, 2014

Linksys “TheMoon” Worm – Impacts vulnerable firmware

The ISC has several informative links on a new Linksys router worm that is spreading to various models with vulnerable firmware. So far this new proof-of-concept attack only spreads to vulnerable devices and does not appear to compromise data or PCs.

https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633

https://isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630

https://isc.sans.edu/diary/More+on+HNAP+-+What+is+it%2C+How+to+Use+it%2C+How+to+Find+it/17648

QUOTE: At this point, we are aware of a worm that is spreading among various models of Linksys routers. We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900. The worm will connect first to port 8080, and if necessary using SSL, to request the “/HNAP1/” URL. This will return an XML formatted list of router features and firmware versions.

Next, the worm will send an exploit to a vulnerable CGI script running on these routers. The request does not require authentication. The worm sends random “admin” credentials but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability. This second request will launch a simple shell script that will request the actual worm. The worm is about 2MB in size, samples

Once this code runs, the infected router appears to scan for other victims. The worm includes a list of about 670 different networks (some /21, some /24). All appear to be linked to cable or DSL modem ISPs in various countries. An infected router will also serve the binary at a random low port for new victims to download. This http server is only opened for a short period of time, and for each target, a new server with a different port is opened. Indicators of compromise: (1) heavy outbound scanning on port 80 and 8080 … (2) inbound connection attempts to misc ports < 1024.
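As an added, defender-side example (not from the ISC diaries or this post), the following Python flags the two indicators of compromise listed above in a constructed connection log; the log format, the thresholds and all addresses are assumptions.

```python
"""Flag the TheMoon indicators in a simple connection log.

Assumed (constructed) log format, one connection per line:
    <timestamp> <direction> src=<ip> dst=<ip> dport=<port>
where direction 'out' means a local host connecting to the internet and
'in' means a remote host connecting to a local host.
"""
from collections import defaultdict

SCAN_PORTS = {80, 8080}   # ports the worm scans looking for new victims
SCAN_THRESHOLD = 20       # distinct hosts on those ports before we call it scanning (assumed)
LOW_PORT_THRESHOLD = 3    # distinct inbound ports < 1024 before we flag it (assumed)

def parse_line(line):
    """Parse one constructed log line into (direction, src, dst, dport)."""
    stamp, direction, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return direction, fields["src"], fields["dst"], int(fields["dport"])

def find_indicators(lines, scan_threshold=SCAN_THRESHOLD, low_threshold=LOW_PORT_THRESHOLD):
    """Map each local host to the TheMoon indicators seen for it (empty dict if none)."""
    scan_targets = defaultdict(set)   # local host -> distinct remote hosts hit on 80/8080
    low_ports = defaultdict(set)      # local host -> distinct inbound ports < 1024 attempted
    for line in lines:
        direction, src, dst, dport = parse_line(line)
        if direction == "out" and dport in SCAN_PORTS:
            scan_targets[src].add(dst)
        elif direction == "in" and dport < 1024:
            low_ports[dst].add(dport)
    findings = {}
    for host, hosts in scan_targets.items():
        if len(hosts) >= scan_threshold:
            findings.setdefault(host, {})["scan_targets"] = len(hosts)
    for host, ports in low_ports.items():
        if len(ports) >= low_threshold:
            findings.setdefault(host, {})["inbound_low_ports"] = sorted(ports)
    return findings

# Constructed sample: 192.0.2.10 sweeps a /24 on 8080 and then receives inbound
# connections on several random low ports; 192.0.2.20 just browses one site.
SAMPLE = [f"2014-02-16T10:00:{i:02d} out src=192.0.2.10 dst=198.51.100.{i} dport=8080" for i in range(25)]
SAMPLE += [f"2014-02-16T10:01:0{k} in src=203.0.113.{k} dst=192.0.2.10 dport={p}"
           for k, p in enumerate((700, 812, 945))]
SAMPLE += ["2014-02-16T10:02:00 out src=192.0.2.20 dst=198.51.100.1 dport=80",
           "2014-02-16T10:02:01 in src=203.0.113.9 dst=192.0.2.20 dport=443"]

if __name__ == "__main__":
    for host, hits in find_indicators(SAMPLE).items():
        print(host, hits)
```

Only the router that swept 25 hosts on 8080 and then took inbound connections on three different low ports is reported; the host that made one normal web request is not.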

Microsoft Security Updates – February 2014

Critical security updates for Microsoft Windows, Internet Explorer, the .NET Framework and other products became available on Patch Tuesday. Users should promptly update to get the best level of protection. The Internet Storm Center has a “PATCH NOW” rating on the IE update because zero-day attacks are circulating in the wild.

http://technet.microsoft.com/en-us/security/bulletin/ms14-Feb

https://isc.sans.edu/diary/February+2014+Microsoft+Patch+Tuesday/17615