Security Alert TheMoon Botnet Still Alive and Well After Two Years

frogboy

Jun 9, 2013
The botnet of home routers created using a worm known as TheMoon is alive and kicking two years after being discovered, even after some router vendors have shipped firmware patches to protect their devices from getting infected.

TheMoon worm made headlines in early 2014 when Johannes B. Ullrich of the SANS Internet Storm Center discovered it spreading to a large number of Linksys router models.

To its credit, Linksys reacted pretty quickly and issued a firmware update to fix the loopholes exploited in the original infection chain. Unfortunately, patching routers is not a trivial task, and many of those devices have remained vulnerable, even after all these years.

TheMoon targeting ASUS routers
But TheMoon's author didn't stop there, and according to a Fortinet report released today, he improved the worm's targeting by adding support for ASUS routers.

Fortinet researchers say that TheMoon has incorporated the CVE-2014-9583 vulnerability in its source code. This vulnerability allows the worm to send malicious UDP packets to vulnerable ASUS routers, bypass authentication procedures, and execute code on the device, taking it over from its rightful owner.

In subsequent exploitation steps, Fortinet says TheMoon will add new firewall rules to ensure the crook can access the device from his desired location and to block other IoT malware from exploiting the same flaw and hijacking the device from his botnet.

Following the immense success of the DDoS attacks on the KrebsOnSecurity blog, crooks are flocking to the IoT landscape, and routers, next to DVRs and CCTV systems, are their favorite targets.

As such, malware authors are very careful when infecting vulnerable IoT devices to secure them from future exploitation and avoid a game of musical chairs with other botnet herders.

TheMoon also targets D-Link routers
But the bad news doesn't end here. Taking a closer look at these "extra" firewall rules that TheMoon adds to infected devices, security researchers also discovered a rule that, when analyzed, turned out to be meant to protect D-Link routers from an HNAP SOAPAction-Header Command Execution vulnerability.

Full Article. TheMoon Botnet Still Alive and Well After Two Years
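The article says the worm adds firewall rules of its own to keep the attacker's access open and to shut other malware out of the exploited service. One defensive check that follows from that is to diff a router's live rule set against a known-good baseline and alert on anything the baseline does not explain. This is an added example, not code from the article, the thread or Fortinet; the interface names, addresses and ports are constructed sample values in `iptables -S` format.

```python
import re

# Constructed known-good rule set for a home router (assumed: LAN on br0, WAN on
# eth0); a real baseline is captured from the device after a clean firmware install.
BASELINE = """
-P INPUT DROP
-P OUTPUT ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
"""

# Constructed live dump: the baseline plus two rules of the kind the article
# describes: one opens access for a single remote host, one closes the service
# port the worm itself used (addresses and ports are made-up sample values).
LIVE = BASELINE + """
-A INPUT -s 198.51.100.7/32 -p tcp --dport 2222 -j ACCEPT
-A INPUT -p udp --dport 9999 -j DROP
"""

RULE_RE = re.compile(r"^-A \S+ .*$")

def parse_rules(dump: str) -> set:
    """Set of whitespace-normalised '-A' rules; '-P' policy lines are ignored."""
    rules = set()
    for line in dump.splitlines():
        line = " ".join(line.split())
        if RULE_RE.match(line):
            rules.add(line)
    return rules

def unexpected_rules(live: str, baseline: str) -> list:
    """Rules in the live set that the baseline does not explain (sorted)."""
    return sorted(parse_rules(live) - parse_rules(baseline))

def classify(rule: str) -> str:
    """Heuristic label for why an added rule deserves a look."""
    if "-j ACCEPT" in rule and "-s " in rule:
        return "ACCEPT from one fixed source: possible backdoor access"
    if "-j DROP" in rule and "--dport" in rule:
        return "DROP on a service port: possible lock-out of the exploited service"
    return "unexplained rule"

def report(live: str = LIVE, baseline: str = BASELINE) -> list:
    """(rule, reason) pairs for every rule not present in the baseline."""
    return [(r, classify(r)) for r in unexpected_rules(live, baseline)]

if __name__ == "__main__":
    for rule, why in report():
        print(f"ALERT: {rule}  # {why}")
```

On a real device the same comparison works on the output of `iptables -S` (or the vendor's equivalent) pulled over an out-of-band management path, with the baseline stored off the router so the malware cannot edit it.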

rosendalek

Aug 16, 2016
A solution would be for ISPs to block affected routers from being able to sync and connect to the internet, thereby containing the bot. The only access the ISP will allow is for the router to update its firmware; once updated, the ISP will let the router connect.

Unlocalized

Oct 8, 2016
rosendalek said:
A solution would be for ISPs to block affected routers from being able to sync and connect to the internet, thereby containing the bot. The only access the ISP will allow is for the router to update its firmware; once updated, the ISP will let the router connect.

lol, that will be fixed in 2 or 3 years x)