Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Wed 03 Sep 2014, 04:00
All times are UTC - 4
 Forum index » Off-Topic Area » Security
Linksys Worm "TheMoon"
Post new topic   Reply to topic View previous topic :: View next topic
Page 1 of 1 [1 Post]  
Author Message
NickAu


Joined: 30 Dec 2013
Posts: 186
Location: Far North Coast NSW ɹǝpunuʍop

PostPosted: Tue 25 Feb 2014, 23:52    Post subject:  Linksys Worm "TheMoon"  

Quote:
At this point, we are aware of a worm that is spreading among various models of Linksys routers. We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000,E900

The worm will connect first to port 8080, and if necessary using SSL, to request the "/HNAP1/" URL. This will return an XML formatted list of router features and firmware versions. The worm appears to extract the router hardware version and the firmware revision. The relevant lines are:

<ModelName>E2500</ModelName>
<FirmwareVersion>1.0.07 build 1</FirmwareVersion>

(this is a sample from an E2500 router running firmware version 1.0.07 build 1)

Next, the worm will send an exploit to a vulnerable CGI script running on these routers. The request does not require authentication. The worm sends random "admin" credentials but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability.

This second request will launch a simple shell script, that will request the actual worm. The worm is about 2MB in size, samples that we captured so far appear pretty much identical but for a random trailer at the end of the binary. The file is an ELF MIPS binary.

Once this code runs, the infected router appears to scan for other victims. The worm includes a list of about 670 different networks (some /21, some /24). All appear to be linked to cable or DSL modem ISPs in various countries.

An infected router will also serve the binary at a random low port for new victims to download. This http server is only opened for a short period of time, and for each target, a new server with a different port is opened.

We do not know for sure if there is a command and control channel yet. But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie "The Moon" which we used as a name for the worm.

We call this a "worm" at this point, as all it appears to do is spread. This may be a "bot" if there is a functional command and control channel present.

Indicators of compromisse:

- heavy outbound scanning on port 80 and 8080.
- inbound connection attempts to misc ports < 1024.


Detecting potentially vulnerable system:

echo "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080

if you get the XML HNAP output back, then you MAY be vulnerable.


Source
https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633

_________________
Precise Puppy 5.7.1 Retro Fatty Edition. Hp Compaq 2510p 2x Intel(R) Core(TM) 2 Duo Cpu U7700@ 1.33 ghz,2 gig ram Booting from 8 gig micro USB + 32 gig SD card instead of HDD
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 1 of 1 [1 Post]  
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.2415s ][ Queries: 11 (0.1481s) ][ GZIP on ]