Last week, researchers at the SANS Institute’s Internet Storm Center discovered a new worm that affects multiple Linksys router models. Named “The Moon,” the worm takes advantage of a CGI script vulnerability located in the administration interface on routers that have remote management access enabled.
Linksys has since posted steps on how to mitigate the threat here. Excellent analyses have also been posted by SANS researcher Johannes Ullrich, here and here. Highlights include details on The Moon’s worming behavior and speculation as to whether it has bot capabilities as well. Researchers are currently investigating whether the malware connects to a command and control channel.
A Bad Connection
Yesterday, reports emerged about another router exploit, this time leveraging an ASUS vulnerability that was publicly disclosed a full 8 months ago. Once again, this exploit targets routers that have remote web access enabled, in this case through a service ASUS calls AiCloud. The vulnerability allows attackers to gain direct access to any storage device connected to the router by USB.
ASUS users have been discovering that they are affected by way of an almost comical .txt file dropped on all vulnerable devices:
"This is an automated message being sent out to everyone affected. Your ASUS router (and your documents) can be accessed by anyone in the world with an internet connection. You need to protect yourself and learn more by reading the following news article:
Below is a list of all vulnerable IP addresses that have been leaked. If you are reading this, YOU ARE VULNERABLE TOO:
Solution: COMPLETELY DISABLE ‘FTP’ and ‘AICLOUD’, IMMEDIATELY.
I hope we helped.
While the ‘news’ article is currently unavailable, the Pastebin entry contains a list of over 13,000 apparently vulnerable IP addresses.
The alert-like nature of this message suggests that whoever is behind this exploit may indeed be a good guy, working in anonymity and simply trying to give any lagging ASUS users a much needed wake-up call to update their firmware. The fact that The Moon is similarly innocuous, apparently only redirecting to an IP address used by Google’s DNS service and even disappearing after a router reboot, suggests a similarly minded agent. It could indeed be that this week’s exploits are merely friendly reminders to update, or else.
The Malicious Side of Things
Then again, there could very well be a dark underside to each vulnerability. As much as The Moon could be a playful warning, it could also be an act of experimentation, meant to feel out what is possible in a future attack. In the case of ASUS, initial reports have also pointed to a deep web torrent link containing over 10,000 lists of files that can be found on ASUS-linked storage devices. Regardless of who is behind these router exploits and what their intentions may be, it is quite clear that the threat of compromised personal or financial information does exist. In fact, researchers at CERT Polska recently demonstrated exactly how this could be done in a detailed report on home router vulnerabilities and DNS redirection.
Recommended Steps to Threat Mitigation
- Linksys users can find detailed Moon prevention steps in this official Linksys statement.
- ASUS has yet to release an official statement; however, updates for the 8-month-old vulnerability can be found here.
If you need assistance with either one of these issues, Emsisoft support would be glad to help. Users running other types of routers are also encouraged to update their firmware, disable remote access, and ensure passwords and usernames have been changed from default factory settings.
Have a Great (Malware-Free) Day!