


Senior Staff Writer

Moon worm likely targets HNAP says SANS

Feb 17, 2014
3 mins
Network Security

Ongoing research into the 'Moon' worm, which is suspected to be behind the mass exploitation of Linksys routers, has offered a possible clue as to what's being exploited.

Update: Linksys has sent over a statement, which explains that this is an issue only if remote management is enabled.

“Linksys is aware of the malware called “The Moon” that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default.

“Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network, by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks.”

Original Article:

SANS has provided additional details on a worm called Moon, which was observed spreading between Linksys devices last week. According to research, it’s been suggested that the exploited vulnerability is part of HNAP.

In an update to the original blog post, Johannes Ullrich added the following:

“The initial request sent by the exploited routers if they find port 80 or 8080 open is GET /HNAP1/. HNAP is a REST based web service that can be used to administer these routers. It is possible that the exploited vulnerability is part of HNAP (it had problems in the past), or that HNAP is just used to fingerprint the router to select the right exploit to send.”
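The probe described in that update (a GET /HNAP1/ request to port 80 or 8080) is something a defender can search for in web or proxy logs. The following is an added example, not code from SANS or the original article; the log line format, the sample addresses, the function names, and the tolerance for case and a missing trailing slash are all assumptions made here.

```python
import re
from collections import defaultdict

# Constructed sample log (format is an assumption):
#   timestamp  source  destination:port  "request line"
SAMPLE_LOG = """\
2014-02-13T10:00:01Z 198.51.100.7 203.0.113.10:8080 "GET /HNAP1/ HTTP/1.1"
2014-02-13T10:00:02Z 198.51.100.7 203.0.113.11:80 "GET /HNAP1/ HTTP/1.1"
2014-02-13T10:00:03Z 198.51.100.7 203.0.113.12:8080 "GET /HNAP1/ HTTP/1.1"
2014-02-13T10:00:04Z 192.0.2.44 203.0.113.10:80 "GET /index.html HTTP/1.1"
2014-02-13T10:00:05Z 192.0.2.99 203.0.113.10:80 "GET /HNAP1/ HTTP/1.1"
2014-02-13T10:00:06Z 192.0.2.50 203.0.113.10:443 "GET /HNAP1/ HTTP/1.1"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^\s:]+):(?P<port>\d+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/\d\.\d)?"$'
)
WATCHED_PORTS = {80, 8080}  # the ports named in the SANS update


def is_hnap_probe(method, path, port):
    """True for a GET of /HNAP1/ on a watched port."""
    # Drop any query string; ignore case and a missing trailing slash.
    base = path.split("?", 1)[0].rstrip("/").lower()
    return method == "GET" and port in WATCHED_PORTS and base == "/hnap1"


def find_hnap_probes(log_text, min_targets=2):
    """Map each source to the distinct (dst, port) pairs it probed.

    Only sources that probed at least min_targets distinct endpoints are
    returned, since one host asking many devices for /HNAP1/ looks like
    scanning rather than a single management client.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: ignore rather than fail
        port = int(m["port"])
        if is_hnap_probe(m["method"], m["path"], port):
            targets[m["src"]].add((m["dst"], port))
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_hnap_probes(SAMPLE_LOG).items():
        print(src, "probed", len(dsts), "endpoints:", dsts)
```

Setting `min_targets=1` also reports single probes, which is useful when the log covers only one device.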

On Saturday, SANS offered additional insight into ‘Moon’ and HNAP, noting that it’s a network device management protocol that’s mainly used by ISPs. It was created by Pure Networks, and subsequently acquired by Cisco in 2009. SANS has two additional reports on the ‘Moon’ worm and HNAP.

The issue has grown, however, and not because of the updates from SANS. The exploit code needed to replicate the attack conducted by the ‘Moon’ worm has been published online to While functional, the exploit code currently works over LAN. That code advances the work done by researchers on Reddit, who explored the issue in order to develop proof-of-concept code.

On Reddit, the concept code’s author noted that it was crippled, because they “did not want to hand out free candy to scrublords,” but added that “anyone with half a brain” would be able to get it fully functional.

The published exploit code lists the E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N, and WRT150N as potential targets.

The issue is worth investigating if any of those devices are on your network. According to Cisco, if the web guide user interface of the router “is configured to only use HTTPS, HNAP will be disabled.”