Bizarre attack infects Linksys routers with self-replicating malware

Discussion in 'malware problems & news' started by ronjor, Feb 13, 2014.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,778
    Location:
    Texas
  2. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
  3. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    701
    Location:
    North of the 38th parallel.
    It seems to be implied that disabling Local/Remote Management Access is an acceptable work-around.

    This may only be conditionally true as my Linksys E-series router tests vulnerable and I do have both Local Management Access and Remote Management Access, Disabled.

    By simply using wireless access, my laptop's Firefox browser testing for vulnerability on my router with "https://routeraddress/HNAP1" will receive the XML output without the router's Username/Password being solicited.

    My previous gullibility let the router installation setup, set the <DeviceName> to "Cisco#####" which at the time wasn't alarming, but which now signals to those within reach of my Wi-Fi signal that I'm a possible candidate for the "TheMoon" worm. Pity. :(

    Edit: I thought this situation would have garnered a CVE-2014-NNNN number by now. Maybe it takes much longer to get through the authoring/validation/publishing process.
     
    Last edited: Feb 15, 2014
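The browser test 1PW describes (fetching /HNAP1 and seeing whether device settings come back without a credential prompt) can be scripted for checking your own router. This is an added example, not code from the thread or from Linksys; the sample reply body and its values are constructed, and the router URL is whatever you pass in.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of an HNAP GetDeviceSettings reply returned with no
# credentials requested (hypothetical values, not a real capture).
SAMPLE_UNAUTH_BODY = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
      <DeviceName>Cisco12345</DeviceName>
      <VendorName>Linksys</VendorName>
      <ModelName>E3000</ModelName>
      <FirmwareVersion>1.0.00</FirmwareVersion>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>"""

INTERESTING_TAGS = ("DeviceName", "VendorName", "ModelName", "FirmwareVersion")


def classify_hnap_reply(status, body):
    """Return (exposed, details) for one reply to GET /HNAP1.

    exposed is True only when the router answered 200 with parseable XML that
    carries device-identifying fields, i.e. it disclosed settings without
    demanding a username/password.
    """
    if status in (401, 403):
        return False, {"reason": "credentials demanded"}
    if status != 200 or not body.lstrip().startswith(b"<"):
        return False, {"reason": "no XML returned (status %s)" % status}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, {"reason": "unparseable body"}
    details = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if tag in INTERESTING_TAGS:
            details[tag] = (el.text or "").strip()
    return bool(details), details


def fetch_hnap(router_url, timeout=5):
    """GET <router_url>/HNAP1 with no credentials; returns (status, body).
    TLS verification stays on, so use http:// or a trusted certificate."""
    req = urllib.request.Request(router_url.rstrip("/") + "/HNAP1")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()
```

A router that answers the unauthenticated GET with a 401 is behaving as 1PW expected; one that returns the settings XML is leaking the same vendor and model information the default SSID and MAC prefix already give away.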
  4. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    I must be missing something here. I can see disabling remote access, but if you disable local access aren't you locking yourself out of the router? Or do you just do a hard reset to defaults if you need to update firmware or change any settings?
     
  5. Austerity

    Austerity Registered Member

    Joined:
    Jun 21, 2013
    Posts:
    367
    Location:
    Georgia / USA
    Luckily I have an E3000 w/custom firmware. :doubt:
     
  6. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,702
    Location:
    Texas
    Hi Guys,
    E3000 owner here: Is this the setting talked about (see pic)?

    Austerity - I don't find your post helpful, more like bragging!

    Take Care
    Rico
     


  7. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    Yes, and I don't believe I've seen "can be duplicated via the LAN side" firmly ruled out. Note, however, that this:

    is just retrieving GetDeviceSettings info. Arguably, that shouldn't be possible without entering credentials, but I think the more important question is whether other SOAP actions can be performed to retrieve (or change) more sensitive info. I had one of the affected routers in my old parts box. Just for fun I tried throwing some other SOAP actions at it, and in different ways. For every attempt I made the router demanded correct credentials. I also noticed https://isc.sans.edu/forums/diary/More on HNAP - What is it How to Use it How to Find it/17648...

    So apparently the "CGI vulnerability" is the real problem, and the question would be whether it can be exploited from both WAN and LAN sides. I just found this from a Linksys forum administrator... http://community.linksys.com/t5/Wireless-Routers/Malware-Attack-on-Linksys-Routers/td-p/771187...

    I hesitate to believe that because I'm inclined to assume that most of the same code would be involved regardless of side. However, perhaps it is true. Ultimately, the only way to be absolutely sure is to find exploit code and run it against your router.

    Edit: Oh, btw, in addition to default SSID your AP's MAC Address would also provide manufacturer info. Unless there is some way to change it when using stock firmware (don't recall hearing of a way for interfaces other than WAN). Safest would seem to be NOT running an open AP, including the ISP provided wireless routers that have one built in (Comcast and whoever else is doing that). One could also disable administrative access for wireless devices. I hope firmware updates provide a means of credentialing or disabling HNAP completely.
     
    Last edited: Feb 17, 2014
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    So wired routers are not affected?
     
  9. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  10. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,702
    Location:
    Texas
    From Linksys:
     
