According to the recent security report a worm named “MOON” is spreading in to various Linksys routers like a wild fire. This worm can infect routers without acquiring or requiring password. Infected machine then uses maximum bandwidth to scan for other routers which are vulnerable and can be preyed upon.  The predatory worm “MOON” uses Port 80 and Port 800 to scan for other  vulnerable routers to spread itself. As already said above, this worm is so dangerous that it does not require any authentication and sends out random “Admin” credentials which are hooked up by the prey.

This attack was discovered by an ISP in Wyoming, USA.  When the users discovered it they thought that only few number of routers were susceptible to it but later on it became known that the worm is predatory in nature and almost all Linksys routers are vulnerable.  After the discovery, it was noticed that the “MOON” worm is spreading to various other models of Linksys routers.  As of now the model number or the quantity of Linksys routers infected by ‘Moon’ is not clear but the Linksys officials said in a presser that the vulnerability may spread depending upon the firmware version.  Linksys described following model as highly vulnerable to the ‘Moon’ worm : E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000,E900.

Due to this worm an infected router’s HTTP server is opened only for a short period of time and for each target a new server with different port is opened.

Moon Worm Infects Thousands Of LinkSys Routers, spreading from one to another.
Image Credits :

Johannes Ullrich of the Internet Storm Centre who is studying this particular worm,  says that “This may be a ‘bot’ if there is a functional command and control channel present”.

Many routers have come under scrutiny from security researchers in the past year, after a series of demonstrations showed ways to break into the devices.

Many routers of popular Router brands like Linksys and Netgrear are found to be particularly vulnerable to a “backdoor”, or a gap in layman terms, which allows the would be hacker/attacker to access routers admin panel. The attacker can then set and reset the router switching based on his/her preference to create a create an wireless access point. Once the WAP is created, the hacker/attacker has unhindered access but the only requirement for this backdoor to work is that this backdoor requires that the attacker to be on the same local network.

This backdoor was discovered by French researcher Eloi Vanderbeken who claimed that he found this backdoor by accident, while he was checking his family’s home router, noticing that the router was ‘listening’ for commands via a TCP port. Vanderbeken was able to use this to gain administrator privileges and reset the password. Last year various D-Link routers were vulnerable to serious backdoor breaches which cut down the sales of various D-Link routers.