Today, researchers at the SANS Institute told Ars Technica they have uncovered a new piece of self-spreading malware hiding in the bowels of common Linksys home and small-business routers, and warned that the threat could do serious damage if its rapid proliferation is allowed to continue.
Johannes Ullrich was the first to come across the router worm, and says he and his colleagues were able to detect its scent on around one thousand E1000, E1200 and E2400 routers. They were quick to note, however, that this figure reflects only what their own monitoring could see, not the true number of devices that might be infected worldwide.
What makes this program especially devious is that once it has taken over a healthy router, it scans the immediate networks and the internet at large for any other routers that fit the same profile, copies itself onto them automatically, and then repeats the process all over again from each new host.
This means it does not need to contact a command and control server in order to spread: it propagates on its own, without further input from any C&C infrastructure or from the owner who originally launched it. Ullrich put it this way:
“We do not know for sure if there is a command and control channel yet. But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie ‘The Moon’ which we used as a name for the worm.”
Luckily, all it takes to reverse the process is a simple reboot of the router, and you don’t even need to flash new firmware to get it working normally again: the infection lives only in the router’s memory and does not survive a power cycle. Out of all the viruses and bandwidth baddies we’ve come across, this new variant is apparently one of the easiest to snuff out, although a reboot clears the running worm, not whatever weakness let it in.
Ullrich believes this may be because, unlike more malicious spyware infections, this worm is concerned with replication above all else. It is not trying to monitor traffic, open backdoors or carve out illicit data streams; it simply sets up shop and starts searching for the next link in the chain.
Last March an anonymous researcher revealed a botnet of more than 420,000 network devices (the so-called Internet Census 2012), built essentially to “show it could be done”. That time the perpetrator was after the fun and knowledge of the experiment; whether this new worm is being spread in the same vein of jest as last year’s stunt is still too early to tell.
If you notice your Linksys router itself making a flood of connection attempts to ports 80 or 8080 on addresses you don’t recognise, just power-cycle the whole thing from the back and the running worm is gone, leaving you well on your way to a healthy and happy home network in minutes. Bear in mind that the reboot buys time rather than immunity: a router that is still reachable from the internet the same way it was before can simply be reinfected, so keep administration interfaces off the WAN side and apply the vendor’s firmware update once one is available.
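The symptom described above, a router that suddenly starts contacting many unfamiliar hosts on ports 80 and 8080, is easy to pick out of a connection log. The script below is an added illustration, not code from the article or from SANS: it assumes a constructed, simplified log format of one `<timestamp> src=<ip> dst=<ip> dport=<port>` record per line (a real router or firewall log will look different) and a gateway address of 192.168.1.1, and flags any source that reaches an unusually large number of distinct destinations on those ports within a short window.

```python
"""Spot a source that has started sweeping other hosts on TCP 80/8080.

Added example, not code from the article or from SANS. The log format and the
gateway address are assumptions for the sake of the demonstration.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

SCAN_PORTS = {80, 8080}
GATEWAY = "192.168.1.1"  # assumed LAN address of the Linksys gateway

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample log: one LAN PC browsing normally, one line of noise, then
# the gateway itself walking a /24 on port 8080, one new address every two seconds.
SAMPLE_LOG = [
    "2014-02-13 10:00:01 src=192.168.1.20 dst=198.51.100.10 dport=80",
    "2014-02-13 10:00:03 src=192.168.1.20 dst=198.51.100.11 dport=443",
    "2014-02-13 10:00:09 src=192.168.1.20 dst=198.51.100.12 dport=8080",
    "2014-02-13 10:00:15 src=192.168.1.20 dst=198.51.100.10 dport=80",
    "this line is noise and is skipped by the parser",
] + [
    f"2014-02-13 10:01:{2 * i:02d} src={GATEWAY} dst=203.0.113.{i} dport=8080"
    for i in range(1, 16)
]


def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), int(m.group("dport"))


def find_scanners(lines, ports=SCAN_PORTS, window_s=60, threshold=10):
    """Map each source to the peak number of distinct destinations it contacted
    on `ports` inside any `window_s`-second window, keeping only sources whose
    peak reaches `threshold`. A sliding window per source keeps this linear in
    the number of events.
    """
    window = timedelta(seconds=window_s)
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport in ports:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        recent = deque()   # (ts, dst) events inside the current window
        live = Counter()   # destinations currently in the window -> hit count
        peak = 0
        for ts, dst in evs:
            recent.append((ts, dst))
            live[dst] += 1
            # Evict events that have fallen out of the window (the newest event
            # is always inside it, so the deque never empties here).
            while ts - recent[0][0] > window:
                _, old_dst = recent.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            peak = max(peak, len(live))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts on {sorted(SCAN_PORTS)} within 60s, looks like a sweep")
```

The threshold and window are deliberately loose: a browsing PC touches a handful of web servers a minute, while a worm sweeping address space touches a new one every few seconds, so even a crude distinct-destination count separates the two. Point the parser at your own log format, keep the gateway address in the output rather than filtering on it, and any LAN host that has turned into a scanner shows up the same way.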