
UPDATE Mass Exploit Hits Linksys E1000 and E1200 Wireless Routers

Thursday, February 13th, 2014 (7:50 am)

Consumers who own one of Linksys’s E1000 or E1200 Wireless-N routers (possibly other models too) should take note that the devices appear to be vulnerable to a mass exploit, which compromises the router and then forces it to saturate all of the available bandwidth by scanning ports 80 and 8080 as fast as possible.

The situation was first reported by Johannes B. Ullrich, a researcher from the SANS Technology Institute, who later posted his findings on the related Internet Storm Center website. Apparently a number of broadband ISP customers in Wyoming (USA) have been compromised by the vulnerability.

The good news is that the latest E1200 firmware (v2.0.06) appears to be immune. The bad news is that the end-of-life E1000 isn’t.

Johannes B. Ullrich said:

As indicators, look for E1000/1200 routers which scan IP addresses sequentially on port 80/8080. Some of the routers may have modified DNS settings to point to Google’s DNS server (8.8.8.8 or 8.8.4.4).
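The two indicators quoted above can be checked against flow records and router configuration. The following Python sketch is an added example, not code from the article or from SANS; the flow tuple layout, the `min_run` threshold of 8 and all sample addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SCAN_PORTS = {80, 8080}
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}

def sequential_scanners(flows, min_run=8):
    """Map each source to its longest run of consecutive destination IPs
    on ports 80/8080, keeping only runs of at least min_run addresses.
    flows: (timestamp, src_ip, dst_ip, dst_port) tuples in time order."""
    last, run, best = {}, defaultdict(lambda: 1), defaultdict(int)
    for _ts, src, dst, dport in flows:
        if dport not in SCAN_PORTS:
            continue
        d = int(ipaddress.ip_address(dst))
        prev = last.get(src)
        if prev is not None and d != prev:   # same host on 80 then 8080: no change
            run[src] = run[src] + 1 if d == prev + 1 else 1
        last[src] = d
        best[src] = max(best[src], run[src])
    return {s: n for s, n in best.items() if n >= min_run}

def triage(flows, dns_by_router, min_run=8):
    """Combine both indicators per router. Google DNS alone is weak evidence
    (many users set it on purpose); it matters next to a sequential scan."""
    scanners = sequential_scanners(flows, min_run)
    return {
        router: {
            "sequential_run": scanners.get(router, 0),
            "google_dns": bool(GOOGLE_DNS & set(dns_by_router.get(router, []))),
        }
        for router in set(scanners) | set(dns_by_router)
    }

def sample_flows():
    """Constructed data: one router walking 198.51.100.1-12, one normal host."""
    flows, t = [], 0
    for i in range(1, 13):
        for port in (80, 8080):
            flows.append((t, "192.0.2.10", f"198.51.100.{i}", port))
            t += 1
    for dst in ("203.0.113.7", "203.0.113.90", "203.0.113.8", "203.0.113.9"):
        flows.append((t, "192.0.2.20", dst, 80))
        t += 1
    return flows

if __name__ == "__main__":
    dns = {"192.0.2.10": ["8.8.8.8", "8.8.4.4"], "192.0.2.20": ["192.0.2.53"]}
    for router, result in sorted(triage(sample_flows(), dns).items()):
        print(router, result)
```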

Mercifully the E1000/E1200 series isn’t as popular in the United Kingdom, partly because it lacks a built-in ADSL or VDSL modem, although they are definitely sold over here to home consumers as budget models.

The news comes nearly a month after it was revealed that some models of Cisco, Netgear, Linksys and other routers were vulnerable to another backdoor exploit that allowed a hacker to remotely input their own admin password and possibly gain full access to your network.

UPDATE 17th Feb 2014

It’s now been confirmed that a worm called “The Moon” is hitting Linksys routers, possibly including models E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000 and E900 that contain the Home Network Administration Protocol (HNAP1) implementation.

The worm first connects to port 8080, using SSL if necessary, and requests the “/HNAP1/” URL. This returns an XML-formatted list of router features and firmware versions, from which the worm appears to extract the router hardware version and the firmware revision. After this the exploit begins.

Johannes B. Ullrich said:

Next, the worm will send an exploit to a vulnerable CGI script running on these routers. The request does not require authentication. The worm sends random “admin” credentials but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability.

This second request will launch a simple shell script, that will request the actual worm. The worm is about 2MB in size, samples that we captured so far appear pretty much identical but for a random trailer at the end of the binary. The file is an ELF MIPS binary.

Once this code runs, the infected router appears to scan for other victims. The worm includes a list of about 670 different networks (some /21, some /24). All appear to be linked to cable or DSL modem ISPs in various countries.

An infected router will also serve the binary at a random low port for new victims to download. This http server is only opened for a short period of time, and for each target, a new server with a different port is opened.

So far it’s being called a “worm” because all it does is spread, although a command and control channel could still be hidden. Many of the listed routers are no longer supported and so unlikely to be patched against the exploit, although the newer devices (e.g. E1200) do have firmware that appears to plug the vulnerability.
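For inventory triage, the same model and firmware fields can be read from an HNAP response saved from a router you administer and compared with what the article reports. This Python sketch is an added example, not code from the article or from Linksys; the sample response is constructed, the status labels are hypothetical, and it treats v2.0.06 as a minimum for the E1200 without distinguishing hardware revisions.

```python
import re
import xml.etree.ElementTree as ET

HNAP_NS = "{http://purenetworks.com/HNAP1/}"
# Models the article lists as possibly affected.
LISTED = {"E4200", "E3200", "E3000", "E2500", "E2100L", "E2000",
          "E1550", "E1500", "E1200", "E1000", "E900"}
# The only fixed build the article names: E1200 v2.0.06 "appears to be immune".
FIXED = {"E1200": (2, 0, 6)}

def parse_hnap(xml_text):
    """Return (ModelName, FirmwareVersion) from a saved /HNAP1/ response."""
    if "<!DOCTYPE" in xml_text:            # device responses carry no DTD
        raise ValueError("unexpected DOCTYPE in HNAP response")
    root = ET.fromstring(xml_text)
    def field(name):
        el = root.find(f".//{HNAP_NS}{name}")
        return (el.text or "").strip() if el is not None else ""
    return field("ModelName"), field("FirmwareVersion")

def version_tuple(fw):
    """'2.0.04 build 1' -> (2, 0, 4); None when no x.y.z version is present."""
    m = re.match(r"\D*(\d+)\.(\d+)\.(\d+)", fw)
    return tuple(int(x) for x in m.groups()) if m else None

def classify_router(xml_text):
    model, fw = parse_hnap(xml_text)
    model = model.upper()
    if model not in LISTED:
        return "not-listed"
    fixed, have = FIXED.get(model), version_tuple(fw)
    if fixed is None:
        return "listed-no-known-fix"       # e.g. the end-of-life E1000
    if have is None:
        return "listed-version-unknown"
    return "listed-at-or-above-fixed" if have >= fixed else "listed-needs-update"

# Constructed sample response, not captured from a real device.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
   <ModelName>E1200</ModelName>
   <FirmwareVersion>2.0.04 build 1</FirmwareVersion>
  </GetDeviceSettingsResponse>
 </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(classify_router(SAMPLE))
```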

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved