‘The Moon’ Worm Affecting Linksys, SMB Routers; Linksys Say Fix Coming

February 18, 2014 Updated: July 18, 2015

A self-replicating worm dubbed “TheMoon” has victimized a number of routers–primarily spreading between Linksys devices.

The worm does not infect computers–only routers, meaning that anti-virus software can’t do anything about it. It also doesn’t matter what kind of operating system you’re running.

The Internet Storm Center recently issued a post about the worm.

“At this point, we are aware of a worm that is spreading among various models of Linksys routers. We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900,” it reads.

It says the worm will first connect to port 8080 and might use SSL to request the “/HNAP1/” URL.

“We call this a ‘worm’ at this point, as all it appears to do is spread. This may be a ‘bot’ if there is a functional command and control channel present,” the post reads.

Linksys has said that it is working on a fix for the security vulnerability, and it will be released within a few weeks. 

“Linksys is aware of the malware called The Moon that has affected select older Linksys E-series Routers and select older Wireless-N access points and routers. We will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks,” the company said.

The company gave a step-by-step plan to prevent the malware from infecting one’s network, which can be accessed here.