The Moon router worm. Your anti-virus has probably been updated to detect it, but won’t protect you


MoonLate last week news emerged of a worm that was spreading between Linksys routers.

What’s unusual about the worm, which has been dubbed “The Moon”, is that it doesn’t infect computers. In fact, it never gets as far as your computer.

And that means up-to-date anti-virus software running on your computer isn’t going to stop it. The worm never reaches a device which has anti-virus protection running on it.

And it also means that the worm doesn’t care whether your computer is running Windows, Mac OS X, or a flavour of Unix. It’s irrelevant. Your LinkSys router could still be at risk.

Because the only things that The Moon worm is interested in infecting are Linksys routers - like the one you might use to connect computers in your home or office to the internet - that suffer from an authentication bypass vulnerability.

The self-replicating worm compromises your Linksys router, without needing to know your router’s password, and then uses the device to scan for other vulnerable routers on the internet.

One consequence of this is that a lot of network traffic can be generated by the worm, slowing down internet access.

The following Linksys routers are thought to be vulnerable:

E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N.

Linksys says it is working on a firmware fix for the vulnerability, and that it plans to post it “in the coming weeks”.

Linksys Moon advisory

It is, of course, a race against time as hackers might attempt to exploit the same vulnerability for more obviously malicious purposes. There is already evidence that script kiddies have created working exploits of the vulnerability.

While a proper firmware fix is awaited, Linksys is encouraging owners of Linksys routers to update their firmware to the latest version and disable remote management.

Linksys screenshot

Hmm… wouldn’t it have been better if Linksys had also advised users to choose HTTPS access in that screenshot?

Linksys screenshot

Whatever brand of router you use in your home or small office, you should consider disabling features which might expose you to risk.

For instance, turning off remote administration and limiting access to specific trusted IP addresses can reduce the potential attack surface, and make life much harder for online criminals who may attempt to infiltrate your network.

Furthermore, always be sure to not be using the default passwords which shipped with your router.

Tags: , , , ,

Share this article:

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

, , , ,

7 Responses

  1. Andrew Downes

    February 18, 2014 at 10:52 am #

    So, I use a Samknows monitor device which uses custom firmware on a Linksys router. Is it vulnerable, how would I know?

  2. Flying Dutchman

    February 18, 2014 at 12:58 pm #

    I’m shocked to read this. And hey - I would not be surprised to see a sudden, coordinated attack taking place at short notice, now that the word is out, only to bring a large portion of Western internet traffic to a grinding halt. This is even fancier / easier to the jerks out there, than a DDoS attack can ever be. Could it be state sponsored, I’m asking myself.

    And yes, it is painful to see that HTTP enabled.


    Some people will never learn from their mistakes.

    • Jesse S in reply to Flying Dutchman.

      February 19, 2014 at 4:57 pm #

      The reason HTTP is enabled by default is because most routers don’t ship with a proper SSL Cert, so using HTTPS would mean relying on the local self-signed certificate, which is not something they want the average user to work on.

    • CSev in reply to Flying Dutchman.

      June 15, 2015 at 4:48 pm #

      I know it’s an old post, but nonetheless, HTTPS provides security against man-in-the-middle attacks.
      If it’s at the point where someone has access to the traffic between you on your local network and your router (which likely involves hardware access), someone trying to change your router’s settings is the least of your problems.

      As long as external access is disabled HTTPS will not give you much security, if any at all. Of course it’s an entirely different story for remote-access, which should only be enabled through HTTPS, even a self-signed certificate is better than none there.

  3. Ganesh Pandian

    July 23, 2014 at 4:54 am #

    Not just Linksys ones, mine are Beetel 450TC2 and I am also having the same issue. This appears only when connected to my home Broadband connection.

  4. Bobby

    February 14, 2015 at 5:04 am #

    This thing got into my Linksys EA2700. Maybe coincidentally, but I attempted to download the “adobe” update and the problems ensued. Continued pop-ups, “unauthorized access” warning pages with actual phone numbers to call, mouse will not work on most links on webpages, windows defender got shut down and I can not get it back, I can not log on as the administrator unless in “safe mode”. I finally read where this virus affected my Linksys router. So I deleted Cisco Connect from my PC and tried to re-install the router and update the firmware. My computer went into a “4th of July” mode with ALL (I had about 7 or 8 pages open) the pages flashing at the speed of light, trying to reload the browser. I finally got it to shut down and rebooted, but I am at a loss. My router is connected again but with very little signal strength. However, the “guest router” (which I didn’t even know I had) has full signal. Anyone got any ideas. I’m thinking “new” router. Bobby

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.