Moon Landing: New Worm Spreads Itself via Linksys Routers

Moon: It's one small step for malware

While Moon’s code appears to include strings that point to a command-and-control channel, that channel doesn’t seem to be in use – so for right now, the worm is just moving from router to router, making copies of itself. If a CnC channel is activated in the future, though, the already-infected routers would form a ready-made botnet.

Ullrich explained in a blog post that, upon infection, the worm first appears to extract the router hardware version and the firmware revision from the device, using those to download and install the payload appropriate for that particular router, which then goes on to look for the next victims. It starts off with a Home Network Administration Protocol (HNAP) request; HNAP allows identification, configuration and management of networking devices like routers. Routers that aren’t configured for remote administration are not susceptible to the attack.

Ullrich said that the worm looks for infectable devices using a list of about 670 different networks that the routers could be connected to. They’re all mainstream cable or DSL modem ISPs in various countries, including Comcast and Charter in the US.

Here’s how it works, according to the SANS Institute: “The worm will connect first to port 8080, and if necessary using SSL, to request the "/HNAP1/" URL. This will return an XML formatted list of router features and firmware versions. Next, the worm will send an exploit to a vulnerable CGI script running on these routers. The request does not require authentication. The worm sends random admin credentials, but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability.”

This second request will launch a simple shell script, which will in turn request the actual worm. The worm is about 2MB in size, and once it runs, the infected router scans for other victims. For each target, a new server with a different port is opened.

Ullrich said that there are several indicators of compromise to look for, including heavy outbound scanning on ports 80 and 8080, and inbound connection attempts to various ports below 1024.
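The two indicators above translate directly into detection logic that can be run over connection logs. The script below is an added example, not code from the Infosecurity article or from SANS ISC; the flow-log format, the thresholds, the 192.168.x internal range and the sample traffic are all constructed assumptions. It flags an internal host that opens connections to many distinct external addresses on 80/8080 within a short window (the outbound sweep) and counts inbound connection attempts to privileged ports (below 1024) on internal hosts.

```python
"""Detection sketch for the Moon worm indicators (added example).

Constructed flow-log format, one record per line:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <tcp_flags>
where flags "S" marks a connection attempt (SYN). Thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

SCAN_PORTS = {80, 8080}      # ports the worm sweeps for new victims
SCAN_THRESHOLD = 20          # distinct external targets per window before flagging
WINDOW_SECONDS = 60          # sliding window for the distinct-target count
INTERNAL_PREFIX = "192.168." # assumed internal address range


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    flags: str


def parse_flows(text):
    """Parse the constructed flow-log format into Flow records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, flags = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), flags))
    return flows


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def outbound_scanners(flows, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Return {internal_ip: distinct_targets} for hosts that sent SYNs to at
    least `threshold` distinct external addresses on 80/8080 within any window."""
    by_src = defaultdict(list)
    for f in flows:
        if (f.flags == "S" and is_internal(f.src)
                and not is_internal(f.dst) and f.dport in SCAN_PORTS):
            by_src[f.src].append(f)
    hits = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        best = 0
        for i, start in enumerate(fl):  # window anchored at each attempt
            targets = {g.dst for g in fl[i:] if g.ts - start.ts <= window}
            best = max(best, len(targets))
        if best >= threshold:
            hits[src] = best
    return hits


def inbound_low_port_attempts(flows):
    """Return {internal_ip: count} of SYNs from outside to ports below 1024."""
    counts = defaultdict(int)
    for f in flows:
        if (f.flags == "S" and not is_internal(f.src)
                and is_internal(f.dst) and f.dport < 1024):
            counts[f.dst] += 1
    return dict(counts)


def build_sample_log():
    """Constructed sample traffic: one router-like host sweeping 80/8080 across
    25 addresses, one workstation browsing normally, and a few inbound probes."""
    lines = []
    for i in range(25):  # the sweep: 25 distinct hosts in 25 seconds
        port = 80 if i % 2 == 0 else 8080
        lines.append(f"{1392100000 + i} 192.168.1.1 198.51.100.{10 + i} {port} S")
    lines += [  # ordinary browsing: two destinations, far below the threshold
        "1392100005 192.168.1.50 203.0.113.20 80 S",
        "1392100007 192.168.1.50 203.0.113.20 80 A",
        "1392100030 192.168.1.50 203.0.113.21 80 S",
    ]
    lines += [  # inbound probes: three below 1024, one on 8080 (not counted)
        "1392100040 203.0.113.5 192.168.1.1 23 S",
        "1392100041 203.0.113.5 192.168.1.1 80 S",
        "1392100042 203.0.113.5 192.168.1.1 443 S",
        "1392100043 203.0.113.5 192.168.1.1 8080 S",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(build_sample_log())
    print("outbound sweepers:", outbound_scanners(flows))
    print("inbound low-port attempts:", inbound_low_port_attempts(flows))
```

On the constructed sample the router-like host is reported with 25 distinct targets while the browsing workstation is not, and three inbound attempts to privileged ports are counted against the router. On real data the threshold and window need tuning to the network: a home router legitimately talks to few external web servers, so a low threshold is reasonable there, whereas a proxy or a busy client needs a much higher one.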

Belkin explained to Infosecurity that the affected user group is narrow and specific: “Linksys is aware of the malware called 'The Moon' that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks."

While Belkin is working on a fix, Ullrich offered some remediation tips: First of all, if a router needs to be administered remotely, restricting access to the administrative interface by IP address will help reduce the risk. Users can also change the port of the interface to something other than 80 or 8080, the attack ports of choice for “Moon landings,” as it were.
