Sunday, March 22, 2015

What's in the honeypot? "The Moon" malware is self-replicating and impacts Linksys E Routers - CVE-2013-5122

As I was looking through the logs of the honeypot I found the following occurring:



A search for "/tmUnblock.cgi" shows that this scan is associated with "The Moon" malware. It targets Linksys E-series routers, a line widely used by home users. Once a router is infected it scans for other vulnerable routers and infects them in turn, which is what makes the worm self-replicating.
Linksys has since released a fix, but it only takes effect if the owner actually applies the firmware update to the router. So the IP addresses scanning my honeypot may well be infected Linksys routers.

Without scanning them, which I am not going to do, I cannot confirm that they are vulnerable, but I looked each address up at arin.net and the other regional registries to see whether the network it belongs to looks like a residential ISP or a small business, which is where you would expect to find a home router.

103.30.91.46 - PT Metroptix Lintas Nusa - Indonesia
173.89.8.170 - RRMA Time Warner Cable - US
74.143.224.154 - Insight Communications Corp - US
174.45.250.19 - Net-Core-BB-3 - Charter Communications - US
50.20.209.110 - CBeyond Communications LLC - US
173.18.39.9 - MediaCom Communications Corp - US
 
This is not conclusive, but based on the registrants and the subnet ranges, all but one appear to be residential ISP or small-business networks.
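To turn the two steps above (spotting the "/tmUnblock.cgi" requests in the honeypot log, then looking up who owns each source address) into something repeatable, here is a small detector written for this post. It is an added example, not the author's own tooling, and it runs offline: the log lines are constructed in combined Apache/nginx format (they are not the real honeypot entries), and the registry results are the ones listed above, typed in by hand rather than fetched from arin.net. The one thing the example adds over a plain grep is that it percent-decodes and lower-cases the request path before comparing, so a scanner cannot hide the URI from a literal string match.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample of honeypot web-server log lines (Apache/nginx "combined"
# format). These are NOT the author's real log entries. The six probing
# addresses are the ones listed in the post; 192.0.2.10 is TEST-NET filler.
# One request uses a percent-encoded path (/%74mUnblock.cgi) to show why a
# literal grep for "/tmUnblock.cgi" is not enough.
SAMPLE_LOG = """\
103.30.91.46 - - [22/Mar/2015:03:14:09 +0000] "POST /tmUnblock.cgi HTTP/1.1" 404 168 "-" "Mozilla/4.0"
173.89.8.170 - - [22/Mar/2015:04:01:55 +0000] "POST /tmUnblock.cgi HTTP/1.1" 404 168 "-" "Mozilla/4.0"
74.143.224.154 - - [22/Mar/2015:04:30:12 +0000] "POST /tmUnblock.cgi HTTP/1.1" 404 168 "-" "Mozilla/4.0"
174.45.250.19 - - [22/Mar/2015:05:12:40 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/4.0"
174.45.250.19 - - [22/Mar/2015:05:12:41 +0000] "POST /tmUnblock.cgi HTTP/1.1" 404 168 "-" "Mozilla/4.0"
174.45.250.19 - - [22/Mar/2015:05:12:43 +0000] "GET /%74mUnblock.cgi HTTP/1.1" 404 168 "-" "Mozilla/4.0"
50.20.209.110 - - [22/Mar/2015:06:45:02 +0000] "POST /tmUnblock.cgi HTTP/1.1" 404 168 "-" "Mozilla/4.0"
173.18.39.9 - - [22/Mar/2015:07:09:33 +0000] "POST /tmUnblock.cgi HTTP/1.1" 404 168 "-" "Mozilla/4.0"
192.0.2.10 - - [22/Mar/2015:07:10:00 +0000] "GET /robots.txt HTTP/1.1" 404 168 "-" "curl/7.38.0"
"""

# Registry (whois) results as reported in the post, entered by hand so the
# example needs no network access.
WHOIS_HINT = {
    "103.30.91.46": ("PT Metroptix Lintas Nusa", "Indonesia"),
    "173.89.8.170": ("RRMA Time Warner Cable", "US"),
    "74.143.224.154": ("Insight Communications Corp", "US"),
    "174.45.250.19": ("Charter Communications (Net-Core-BB-3)", "US"),
    "50.20.209.110": ("CBeyond Communications LLC", "US"),
    "173.18.39.9": ("MediaCom Communications Corp", "US"),
}

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The Moon's exploit URI, compared in lower case after percent-decoding.
MOON_PATH = "/tmunblock.cgi"


def parse_line(line):
    """Parse one combined-format log line; return a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_moon_probe(target):
    """True if the request target's path is /tmUnblock.cgi.

    Only the path is compared (any query string is ignored), and it is
    percent-decoded and lower-cased first so encoding tricks do not slip past.
    """
    path = unquote(urlsplit(target).path)
    return path.lower() == MOON_PATH


def summarize_probes(log_text):
    """Count tmUnblock.cgi probes per source IP across the log text."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_moon_probe(rec["target"]):
            hits[rec["ip"]] += 1
    return dict(hits)


def report(log_text, whois_hint):
    """Join per-IP probe counts with the registry lookups.

    Rows are sorted by probe count (descending) then IP so the noisiest
    sources come first; an address with no lookup is labelled 'unknown'.
    """
    rows = []
    for ip, count in summarize_probes(log_text).items():
        org, country = whois_hint.get(ip, ("unknown", "unknown"))
        rows.append({"ip": ip, "probes": count, "org": org, "country": country})
    rows.sort(key=lambda r: (-r["probes"], r["ip"]))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG, WHOIS_HINT):
        print(f'{row["ip"]:<16} {row["probes"]:>3}  {row["org"]} ({row["country"]})')
```

Point `summarize_probes` at your own access log and swap `WHOIS_HINT` for real registry lookups; the request line is the only field the detection needs, so the same check works on any web honeypot that records it.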

If a router is infected with this malware, it can be used as a node in a DDoS attack, or chained with other compromised devices as a proxy to cover the tracks of whoever is behind it.

Here is Cisco's alert for the vulnerability (Cisco owned Linksys until it sold the brand to Belkin in 2013):  http://tools.cisco.com/security/center/viewAlert.x?alertId=32899

The link to the CVE that describes the vulnerability is located here:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5122
