TheMoon Botnet

Discovered as a worm in 2014, TheMoon was observed by a researcher at the SANS Internet Storm Center spreading itself to a large number of Linksys router models. Delivered as a 2 MB ELF MIPS binary, it connects to port 8080 and, after determining the hardware and firmware versions, sends an exploit to a vulnerable CGI script running on the targeted router. Although TheMoon sends random administrator credentials, the script never checks them, so no authentication is actually required. Linksys routers running stock firmware with remote administration turned on are vulnerable. Suggested mitigation strategies include moving the router's remote management port off 80 and 8080 and allowing only specific IP addresses to reach the administrator panel, or disabling remote management access altogether. Linksys also provides step-by-step instructions on how to protect routers from TheMoon.

TheMoon also began exploiting a publicly disclosed vulnerability (CVE-2014-9583) in ASUS routers that have remote web access enabled through AiCloud. This vulnerability allows attackers to gain direct access to any storage devices connected to the router via USB. Suggested mitigation strategies include disabling all UPnP services, disabling the vulnerable AiCloud features, disabling remote access to the router, changing the default login credentials, and changing the login credentials for any AiCloud services in use.

The size of TheMoon Botnet is currently unknown, but researchers believe it is a large and growing botnet.

Linksys Routers Affected:

E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300,
WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N, WRT150N

ASUS Routers Affected:

  • RT-AC66R Dual-Band Wireless-AC1750 Gigabit Router
  • RT-AC66U Dual-Band Wireless-AC1750 Gigabit Router
  • RT-N66R Dual-Band Wireless-N900 Gigabit Router with 4-Port Ethernet Switch
  • RT-N66U Dual-Band Wireless-N900 Gigabit Router
  • RT-AC56U Dual-Band Wireless-AC1200 Gigabit Router
  • RT-N56R Dual-Band Wireless-AC1200 Gigabit Router
  • RT-N56U Dual-Band Wireless-AC1200 Gigabit Router
  • RT-N14U Wireless-N300 Cloud Router
  • RT-N16 Wireless-N300 Gigabit Router
  • RT-N16R Wireless-N300 Gigabit Router

ASUS Firmware Affected:

WRT firmware 3.0.0.4.376_1071
WRT firmware 3.0.0.376.2524-g0013f52

Reporting

  • February 2014: TheMoon Botnet discovered by SANS Technology Institute researcher Johannes B. Ullrich, Ph.D. (SANS ISC InfoSec Forums)
  • February 2014: Linksys Is Preparing Firmware Fix to Protect Users Against “TheMoon” Worm (Softpedia)
  • October 2016: TheMoon Botnet Still Alive and Well After Two Years (Softpedia)

Technical Details

  • September 2016: Analysis of Linux.Themoon.2 (Dr. Web)
  • October 2016: TheMoon – A P2P Botnet Targeting Home Routers (Fortinet)