Sounds like: https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633
g

On Sat, 12 Apr 2014 00:32:55 -0400 Joly MacFie <j...@punkcast.com> wrote:

> Any comments?
>
> ---------- Forwarded message ----------
> From: Dave Farber <d...@farber.net>
> Date: Fri, Apr 11, 2014 at 8:13 PM
> Subject: [IP] Summary of what I know so far about the Linksys botnet and/or worm
> To: ip <i...@listbox.com>
>
> ---------- Forwarded message ----------
> From: *Brett Glass* <br...@lariat.net>
> Date: Wednesday, February 12, 2014
> Subject: Summary of what I know so far about the Linksys botnet and/or worm
> To: "Eugene H. Spafford" <s...@acm.org>, "d...@farber.net" <d...@farber.net>
> Cc: secur...@linksys.com
>
> Gene, Dave:
>
> Here is what I know so far about the Linksys router exploit that I've
> been observing in the wild today.
>
> * The exploit has affected Linksys E1000 and E1200 routers that have
> public IP addresses on our network. Those which we've shielded behind
> carrier-grade NAT (the majority) have not been compromised.
>
> * The routers are rapidly scanning blocks of IP addresses for Web
> servers on ports 80 and 8080. This choice of ports seems to indicate
> that they are looking for other routers of their ilk to infect. It's
> unclear whether, once they find a vulnerable router, they infect it
> themselves or report its IP address back to a botmaster for later
> infection. I suspect the latter, though, because infection would
> require flashing the router with a modified firmware image that would
> be model-specific and there is not room in a router for multiple
> images. It's also likely that a central server is coordinating the
> scans.
>
> * All of the E1000s that have been affected have the last version of
> firmware that was made for this now-discontinued model. The affected
> E1200s have firmware version 1.0.03 (the last one published for
> hardware version 1) or 2.0.04 (not the latest for hardware version 2,
> but close; there's now a 2.0.06. I do not know if 2.0.06 stops the
> exploit because we have no E1200s running it with public IPs). We
> have not seen any E900s infected, even though the E900 and the E1200
> use the same hardware.
>
> * None of the infected routers had default or easily guessable
> passwords, suggesting that the backdoor or security hole through
> which the exploit was performed did not require guessing a password.
>
> * Re-flashing routers and resetting them to factory defaults SEEMS to
> clear the malware, but of course one cannot be 100% sure that it does
> not protect itself from re-flashing.
>
> * These routers use Broadcom chipsets and Wind River's RTOS operating
> system, and it wasn't swapped for a Linux-based one, so the creators
> of the malware must be skilled in development for this OS -- or at
> least sufficiently skilled to modify the firmware.
>
> At this point, it appears that those who implemented this exploit are
> still building an "army" and have not used it for anything yet.
> However, there are so many millions of these routers in the field,
> with so many private networks behind them, that there's no telling
> just how much havoc they could wreak if they were set to invasion of
> privacy, DoS attacks, etc.
>
> I haven't been able to get in touch with anyone at Linksys to talk
> about this. Their support techs are all in remote call centers in
> far-flung corners of the world, and I have not been able to get them
> to escalate.
>
> --Brett Glass
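A defender-side check built from the scanning behaviour Brett describes (a router hitting many distinct addresses on ports 80 and 8080 in a short time), written here as an added example that is not part of the thread; the flow records, addresses and thresholds are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WEB_PORTS = {80, 8080}  # the ports the infected routers were observed probing

def build_sample_flows():
    """Constructed flow records (timestamp, src, dst, dport); not real traffic."""
    t0 = datetime(2014, 2, 12, 10, 0, 0)
    flows = []
    # 203.0.113.10 behaves like an infected router: 30 distinct hosts on port 80
    # and 30 on port 8080, all inside 30 seconds.
    for i in range(30):
        flows.append((t0 + timedelta(seconds=i), "203.0.113.10", f"198.51.100.{i + 1}", 80))
        flows.append((t0 + timedelta(seconds=i), "203.0.113.10", f"198.51.101.{i + 1}", 8080))
    # 203.0.113.20 behaves like a normal client: a handful of sites over an hour.
    for i in range(6):
        flows.append((t0 + timedelta(minutes=10 * i), "203.0.113.20", f"192.0.2.{i + 1}", 443))
        flows.append((t0 + timedelta(minutes=10 * i), "203.0.113.20", "192.0.2.50", 80))
    return flows

def find_scanners(flows, window=timedelta(seconds=60), min_targets=20):
    """Return {src: peak distinct web-port destinations} for every source whose
    distinct-destination count on ports 80/8080 reaches min_targets inside any
    time window of the given length (a horizontal web-port scan)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in WEB_PORTS:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        left, peak = 0, 0
        for right in range(len(events)):
            # slide the window start forward until the span fits in `window`
            while events[right][0] - events[left][0] > window:
                left += 1
            peak = max(peak, len({d for _, d in events[left:right + 1]}))
        if peak >= min_targets:
            scanners[src] = peak
    return scanners

if __name__ == "__main__":
    for src, n in find_scanners(build_sample_flows()).items():
        print(f"{src}: {n} distinct web-port targets inside 60 s")
```

On real data the same logic runs over NetFlow or firewall connection logs; the threshold should sit well above what a legitimate client behind that router produces.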