Consumers who own one of Linksys’s E1000 or E1200 Wireless-N routers (and possibly other models) should take note that the devices appear to be vulnerable to a mass exploit that compromises the router and then makes it saturate all of the available bandwidth by scanning ports 80 and 8080 as fast as possible.
The situation was first reported by Johannes B. Ullrich, a researcher from the SANS Technology Institute, who later posted his findings on the related Internet Storm Center website. Apparently a number of broadband ISP customers in Wyoming (USA) have been compromised via the vulnerability.
The good news is that the latest E1200 firmware (v2.0.06) appears to be immune. The bad news is that the end-of-life E1000 isn’t.
Johannes B. Ullrich said:
As indicators, look for E1000/1200 routers which scan IP addresses sequentially on port 80/8080. Some of the routers may have modified DNS settings to point to Google’s DNS server (8.8.8.8 or 8.8.4.4).
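The sequential-scan indicator above can be checked against connection or flow logs. The following is an added example written for this article, not code from the ISC diary; it assumes a simple constructed “timestamp src dst dport” log format and flags any source whose port-80/8080 destinations form a run of consecutive IP addresses (the modified-DNS indicator is a device-configuration check and is not covered here):

```python
"""Flag routers that look infected from connection logs.

Added example for this article, not from the ISC diary. Assumes a
constructed "timestamp src dst dport" record format (not a real log).
The indicator, per the diary, is a single source hitting consecutive
IP addresses on port 80/8080.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample log lines (not real traffic); the format is assumed.
SAMPLE_LOG = """\
2014-02-13T10:00:01 192.0.2.10 198.51.100.1 80
2014-02-13T10:00:01 192.0.2.10 198.51.100.2 8080
2014-02-13T10:00:01 192.0.2.10 198.51.100.3 80
2014-02-13T10:00:02 192.0.2.10 198.51.100.4 80
2014-02-13T10:00:02 192.0.2.10 198.51.100.5 8080
2014-02-13T10:00:02 192.0.2.10 198.51.100.6 80
2014-02-13T10:00:03 192.0.2.10 198.51.100.7 80
2014-02-13T10:00:03 192.0.2.10 198.51.100.8 80
2014-02-13T10:00:05 192.0.2.20 203.0.113.5 443
2014-02-13T10:00:06 192.0.2.20 203.0.113.9 80
2014-02-13T10:00:07 192.0.2.20 203.0.113.2 80
2014-02-13T10:00:08 192.0.2.30 203.0.113.50 80
2014-02-13T10:00:09 192.0.2.30 203.0.113.51 80
"""

SCAN_PORTS = {80, 8080}


def parse_log(text):
    """Yield (src, dst_as_int, dport) for each well-formed line; skip junk."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst, dport = parts
        try:
            yield src, int(ip_address(dst)), int(dport)
        except ValueError:
            continue


def longest_sequential_run(dsts):
    """Length of the longest run of consecutive addresses, in log order."""
    best = run = 1 if dsts else 0
    for prev, cur in zip(dsts, dsts[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_sequential_scanners(text, min_run=5):
    """Return {src: run_length} for sources whose port-80/8080 destinations
    include a run of at least `min_run` consecutive IP addresses."""
    by_src = defaultdict(list)
    for src, dst, dport in parse_log(text):
        if dport in SCAN_PORTS:
            by_src[src].append(dst)
    hits = {}
    for src, dsts in by_src.items():
        run = longest_sequential_run(dsts)
        if run >= min_run:
            hits[src] = run
    return hits


if __name__ == "__main__":
    for src, run in find_sequential_scanners(SAMPLE_LOG).items():
        print(f"{src}: {run} consecutive targets on 80/8080, possible scanner")
```

The threshold of five consecutive targets is arbitrary; a household router legitimately talks to a handful of web servers, but it does not walk a neighbouring block address by address, so even a short run is a strong signal when combined with the port filter.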
Mercifully the E1000/E1200 series isn’t as popular in the United Kingdom, partly because it lacks a built-in ADSL or VDSL modem, although both are definitely sold over here to home consumers as budget models.
The news comes nearly a month after it was revealed that some models of Cisco, Netgear, Linksys and other routers were vulnerable to a separate backdoor that allowed an attacker to remotely set their own admin password and potentially gain full access to your network (here).
UPDATE 17th Feb 2014
It’s now been confirmed that a worm called “The Moon” is hitting Linksys routers, possibly including models E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000 and E900 that contain the Home Network Administration Protocol (HNAP1) implementation.
The worm will connect first to port 8080 (using SSL if necessary) to request the “/HNAP1/” URL. This will return an XML formatted list of router features and firmware versions. The worm appears to extract the router hardware version and the firmware revision. After this the exploit begins.
Next, the worm will send an exploit to a vulnerable CGI script running on these routers. The request does not require authentication. The worm sends random “admin” credentials but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability.
This second request will launch a simple shell script that will request the actual worm. The worm is about 2MB in size; the samples we have captured so far appear pretty much identical but for a random trailer at the end of the binary. The file is an ELF MIPS binary.
Once this code runs, the infected router appears to scan for other victims. The worm includes a list of about 670 different networks (some /21, some /24). All appear to be linked to cable or DSL modem ISPs in various countries.
An infected router will also serve the binary at a random low port for new victims to download. This HTTP server is only opened for a short period of time, and for each target, a new server with a different port is opened.
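The worm’s first step, reading the /HNAP1/ reply to learn the model and firmware, is also the quickest way for an owner to check their own router against the one fix this article reports (E1200 v2.0.06). The following is an added example written for this article, not the worm’s code and not Linksys’s; it assumes the HNAP1 reply carries <ModelName> and <FirmwareVersion> elements in the HNAP namespace (element names are an assumption), the embedded reply is a constructed sample rather than a real capture, and the optional probe() should only be pointed at a router you are authorised to test:

```python
"""Fingerprint a Linksys router from its /HNAP1/ reply and say whether
the firmware predates the E1200 v2.0.06 build reported as immune.

Added example for this article, not the worm's code or Linksys's.
Assumptions: the reply carries <ModelName> and <FirmwareVersion> in the
HNAP1 namespace (element names assumed); SAMPLE_REPLY is constructed,
not a real capture. Only E1200 2.0.06 is known fixed on this page, so
any other model is reported "unknown", and the end-of-life E1000 as
"unpatched".
"""
import http.client
import re
import xml.etree.ElementTree as ET

HNAP_NS = "http://purenetworks.com/HNAP1/"

# Constructed sample reply (not a real capture); element names assumed.
SAMPLE_REPLY = f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="{HNAP_NS}">
      <ModelName>E1200</ModelName>
      <FirmwareVersion>2.0.04</FirmwareVersion>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>"""

FIXED_FIRMWARE = {"E1200": (2, 0, 6)}   # the only fix this article reports
END_OF_LIFE = {"E1000"}                  # reported as end-of-life, not immune


def parse_version(s):
    """'2.0.06' -> (2, 0, 6); ignores any trailing build tag."""
    nums = re.findall(r"\d+", s)
    return tuple(int(n) for n in nums[:3])


def fingerprint(xml_text):
    """Extract (model, firmware) from an HNAP1 GetDeviceSettings reply."""
    root = ET.fromstring(xml_text)
    model = root.findtext(f".//{{{HNAP_NS}}}ModelName")
    fw = root.findtext(f".//{{{HNAP_NS}}}FirmwareVersion")
    if model is None or fw is None:
        raise ValueError("reply lacks ModelName/FirmwareVersion")
    return model.strip(), fw.strip()


def assess(model, firmware):
    """'fixed', 'unpatched' or 'unknown', using only facts this article gives."""
    if model in FIXED_FIRMWARE:
        if parse_version(firmware) >= FIXED_FIRMWARE[model]:
            return "fixed"
        return "unpatched"
    if model in END_OF_LIFE:
        return "unpatched"
    return "unknown"


def probe(host, port=8080, timeout=5):
    """Live fetch of /HNAP1/ from a router you are authorised to test."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/HNAP1/")
        return conn.getresponse().read().decode("utf-8", "replace")
    finally:
        conn.close()


if __name__ == "__main__":
    model, fw = fingerprint(SAMPLE_REPLY)
    print(f"{model} running {fw}: {assess(model, fw)}")
```

Note that the reply is unauthenticated by design, which is exactly why the worm can use it for reconnaissance; if /HNAP1/ answers from the WAN side at all, the router is exposing its model and firmware to anyone who asks.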
So far it’s being called a “worm” because all it does is spread, although a command-and-control channel could still be hidden in it. Many of the listed routers are no longer supported and so are unlikely to be patched against the exploit, although newer devices (e.g. the E1200) do have firmware that appears to plug the vulnerability.