
Mass Exploit of Linksys Routers


8 replies to this topic

#1 Casey_boy (Bleeping physicist, Malware Response Team, 7,765 posts, Location: UK)

Posted 22 February 2014 - 06:50 PM

It has been revealed that a vulnerability in possibly 23 different models of Linksys (Belkin) routers has been exploited by a worm known as The Moon.

 

The exploit was first noticed about a week ago and reported by the Internet Storm Center. The Worm bypasses authentication on the router to take control. Linksys state that "the router starts flooding the network with ports 80 and 8080 outbound traffic, resulting in heavy data activity". The worm also attempts to detect any vulnerable systems on the router's network for exploitation.

 

Current intentions of The Moon are not yet known, however, there is code within the worm which seems to suggest that it may be gathering infected routers into a network of compromised devices through a command and control system.

 

Linksys will be issuing a firmware update to fix the vulnerability in the next few weeks. But for now, if you're using a Linksys router, you should read the advice given here to disable Remote Access Management.

 

Source: http://www.bbc.co.uk/news/technology-26287517


If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *



#2 cryptodan (Bleepin Madman, Members, 21,868 posts, Location: Catonsville, Md)

Posted 22 February 2014 - 07:03 PM

Thank you for this, I shared it with my CYBR 650 class which is discussing Firewalls now.

#3 Casey_boy (Bleeping physicist, Topic Starter, Malware Response Team, 7,765 posts, Location: UK)

Posted 22 February 2014 - 07:06 PM

No problem :)




#4 cryptodan (Bleepin Madman, Members, 21,868 posts, Location: Catonsville, Md)

Posted 22 February 2014 - 07:09 PM

I wonder how long before people of a certain mindset start to accuse the US Government of such dealings.

#5 Casey_boy (Bleeping physicist, Topic Starter, Malware Response Team, 7,765 posts, Location: UK)

Posted 22 February 2014 - 07:14 PM

You mean something like this: https://www.schneier.com/blog/archives/2014/01/headwater_nsa_e.html :whistle:




#6 cryptodan (Bleepin Madman, Members, 21,868 posts, Location: Catonsville, Md)

Posted 22 February 2014 - 07:17 PM

Yup unfortunately

#7 czarboom (Members, 608 posts, Location: Central Texas)

Posted 23 February 2014 - 01:49 AM

According to Security Watch at PCMag, the following products are affected:

E300, E900, E1000, E1200, E1500, E1550, E2000, E2100L, E2500, E3000, E3200, E4200, WAG320N, WAP300N, WES610N, WAP610N, WRT610N, WRT400N, WRT600N, WRT320N, WRT160N, and WRT150N.

 

If you have one of the above routers, do the following:

  • Access the router’s web-based setup page.
  • Verify if your Linksys router has the latest firmware. Go to Linksys support site to check.
  • Make sure that the Remote Management option under the Remote Management Access section is set to Disabled.
  • Click the Security tab.
  • Make sure that the Filter Anonymous Internet Requests option under Internet Filter is checked.
  • Click Save Settings.
  • Power-cycle the router by unplugging it from the power source, then plugging it back in. This should clear the cache and remove the malware if your router has been infected.

It's also a good practice to set firewall rules to block inbound connections.
 

Depending on your OS, you can check to see if you're infected with the following command:

echo [-e] "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080

If you receive an XML HNAP reply, you are likely to be victimized by the worm affecting Linksys devices, and some preventive measures are to be taken. Also keep an eye on the logs for ports 80 and 8080.

 

Above is from Sudhir K Bansal via TheHackerNews.  Read the full report here.

 

A user with the handle Rew on Reddit posted the .cgi that SANS wouldn't talk about. See his original post here.

Here is the Proof of Concept Report here.

 

Also from CERT, there is a dual DNS redirect reported on the same routers, and on iOS including phones; while this is at banks in Europe, I would check it on your router as well.

DNS Router Redirect

 

To add to the original post, here are some SANS updates:

The Moon Captured

List of currently known IPs (moonnets)

 

Non-SANS info for phones

Using Android Phones on your Router

 

UPDATE:

To test in Windows whether your router has been compromised, open a command prompt. To do this,

Go to Start, in the run box type CMD

the correct ping echo syntax is this: (just copy and paste)

 

ping echo "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" ' nc routerip 8080

 

Same response as above means infection, if you get

"Ping could not find the host"

then you SHOULD be in the clear. If you're infected, follow the above steps to get by until Linksys puts out a patch.

Sorry about that, been a long day. 


Edited by czarboom, 23 February 2014 - 02:41 AM.

CZARBOOM 
 
"Never Stop Asking Questions, Question Your Environment, Question Your Government, above all Question Yourself.  We all lose when you Stop asking Why?

#8 BKSeoul (Members, 59 posts, Location: Houston, TX)

Posted 25 February 2014 - 02:37 PM

Can't remember if I have a Linksys at home or not. Will have to check this evening.


Edited by BKSeoul, 25 February 2014 - 02:37 PM.


#9 czarboom (Members, 608 posts, Location: Central Texas)

Posted 25 February 2014 - 11:09 PM

OK,

So it's been a few days, and I just looked at the ping echo command and now I know what I did wrong. Neither above will work without NetCat installed on your Windows computer; both should work in Linux and Unix environments. To get NetCat, search for the terms

 

"NetCat for windows", or "Cygwin for windows" or go to www.securityfocus.com and search for Netcat there. 

 

After you install follow the directions for using in windows for the first time.

 

Now the command

 

echo [-e] "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080

 

Will work.  If you get an error

 

local listen fuxored: INVAL

 

run with the -L option or \L option at the end of the phrase test\r\n\r\n\l" (I used -L or \L to show you it's not an i), but it's lowercased.

 

Another option, if you don't want to download or install a program, is to enable telnet in Windows. To do that:

  • Go to Control Panel, and Uninstall programs.
  • On the left side click

"Turn Windows features on or off". 

  • Find telnet client and server and turn them on (you should only need the client); just turn it off later.
  • Now go to telnet and run it. To do that:

Go to Start

run

type telnet and hit ENTER.

Then you need the file path, so

click file, open and look at the file path, REMEMBER THAT.

  • Now go to Command Prompt.
    • Start
    • Run
    • Type CMD

Now you can use some commands that do the same thing, or should, depending on your setup, firewall etc.

 

To use these you need to first change the directory with the cd command.

Type

cd C:\ in the window

 

Now you can use the below commands. Most should work; if not, check your firewall and antivirus for blocking of telnet.

Hope this helps clear things up.  Also new info from SANS is located here.

 

Commands in CMD

 

c:\(path that telnet is located in)\> telnet routerip 8080[enter]  also try C:\>(path telnet is located in)\telnet (or telnet.exe) routerip 8080 [enter]  Items in (   ) are notes not actual text.

 

GET /HNAP1/ HTTP/1.1[enter]

Host: test[enter]

[enter]


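The check czarboom describes in posts #7 and #9 (send `GET /HNAP1/` to the router on port 8080 and see whether an XML HNAP reply comes back), written as a small Python script so it can be run without netcat or telnet. This is an added example, not code from the thread, SANS, or The Hacker News: the target address is an assumption (pass your own gateway IP on the command line), the sample HNAP reply is constructed rather than captured from a real router, and the local stub listener only exists so the script can be exercised offline.

```python
"""Probe a router for an HNAP reply on port 8080 (added example, not from the thread)."""
import socket
import sys
import threading

# The request the posts send with nc/telnet: GET /HNAP1/ with a dummy Host header.
HNAP_REQUEST = b"GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n"

# Constructed sample of an HNAP SOAP/XML reply; not captured from a real device.
SAMPLE_HNAP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b"\r\n"
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">'
    b"<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>"
    b"</GetDeviceSettingsResponse></soap:Body></soap:Envelope>"
)

# Constructed sample of a router that answers HTTP on 8080 but does not speak HNAP.
SAMPLE_OTHER_REPLY = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"


def classify_response(raw: bytes) -> str:
    """Classify a raw HTTP reply: 'hnap' (XML HNAP body), 'other' (some other
    HTTP answer) or 'none' (empty/no answer)."""
    if not raw.strip():
        return "none"
    head, _, body = raw.partition(b"\r\n\r\n")
    if not head.startswith(b"HTTP/"):
        return "other"
    lowered = body.lower()
    if b"hnap1" in lowered and (b"<?xml" in lowered or b"<soap" in lowered):
        return "hnap"
    return "other"


def probe_router(host: str, port: int = 8080, timeout: float = 3.0) -> str:
    """Send HNAP_REQUEST to host:port and classify the answer.
    Returns 'closed' when nothing accepts the connection."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(HNAP_REQUEST)
            try:
                while len(b"".join(chunks)) < 65536:
                    chunk = sock.recv(4096)
                    if not chunk:  # peer closed: we have the whole reply
                        break
                    chunks.append(chunk)
            except socket.timeout:
                pass  # router kept the connection open; classify what arrived
    except OSError:
        return "closed"
    return classify_response(b"".join(chunks))


def start_stub_router(reply: bytes) -> int:
    """Start a one-shot loopback listener that answers any request with `reply`
    and return its port. Stands in for a router so the probe can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # read the request; the stub ignores its content
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Assumed default gateway; override with the first argument, e.g. 192.168.1.1
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    verdict = probe_router(target)
    print(f"{target}:8080 -> {verdict}")
    if verdict == "hnap":
        print("HNAP answered on 8080; follow the steps in post #7 (disable remote management, power-cycle).")
```

Run it as `python probe_hnap.py <routerip>`. A `hnap` verdict corresponds to the "XML HNAP reply" the posts treat as the sign of compromise; `closed` corresponds to a router that is not exposing anything on 8080, which is what you should see once remote management is disabled.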



