New malware targets Linksys routers

Several Linksys router models have been hit by a worm. The worm probably spreads through a vulnerability in the router software. It is still unclear exactly what the malware is meant to do.

Researcher Johannes Ullrich of the Internet Storm Center investigated the worm, the existence of which came to light on Wednesday when a US Internet provider noticed that customer routers had been hacked. The malicious software targets the E2500, E1000 and the E1200, among others.

The E1200 should no longer be vulnerable with the latest firmware, but the E1000 still is. It is unclear whether the E2500 with the latest firmware is susceptible. A Polish security researcher writes on his site that other models, including the E1500 and the E4200, can also be infected by the worm.

What exactly the malware does is unclear, except that it automatically spreads to other Linksys routers. Ullrich discovered this when he set up a honeypot: a device running vulnerable software, intended to attract attackers. Ullrich’s honeypot was indeed infected, after which he was able to capture and analyse the malware.

Once installed, the worm searches for vulnerable routers within certain netblocks, Ullrich discovered. The scans focus on ports 80 and 8080, after which a POST request is sent to vulnerable routers that allows the attacker to execute his own code. It is unclear exactly how that works; according to the American provider that discovered the worm, the infections are not the result of weak passwords.
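The scanning behaviour described above gives a network operator something concrete to look for: a single source opening connections to ports 80 and 8080 on many distinct hosts in one netblock within a short time. The script below is an added illustration of that detection logic; it is not code from the article, from Ullrich or from the Internet Storm Center. It assumes a generic flow-log format (timestamp, source, destination, destination port) and the sample lines are constructed, not captured traffic.

```python
"""Flag sources that sweep ports 80/8080 across a netblock, as a router worm
propagating to its neighbours would. Added illustration, not the article's
or the ISC's code; the log format and sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample flow records: "ISO-timestamp src dst dport".
# 192.0.2.10 sweeps ten hosts in 198.51.100.0/24 on 80/8080 in a few seconds;
# 192.0.2.20 is ordinary browsing and must not be flagged.
SAMPLE_LOG = """\
2014-02-13T10:00:01 192.0.2.10 198.51.100.1 80
2014-02-13T10:00:01 192.0.2.10 198.51.100.2 80
2014-02-13T10:00:02 192.0.2.10 198.51.100.3 8080
2014-02-13T10:00:02 192.0.2.10 198.51.100.4 80
2014-02-13T10:00:03 192.0.2.10 198.51.100.5 80
2014-02-13T10:00:03 192.0.2.10 198.51.100.6 8080
2014-02-13T10:00:04 192.0.2.10 198.51.100.7 80
2014-02-13T10:00:05 192.0.2.10 198.51.100.8 80
2014-02-13T10:00:05 192.0.2.10 198.51.100.9 80
2014-02-13T10:00:06 192.0.2.10 198.51.100.10 80
2014-02-13T10:00:10 192.0.2.20 203.0.113.5 443
2014-02-13T10:00:11 192.0.2.20 203.0.113.5 80
2014-02-13T10:00:12 192.0.2.20 198.51.100.20 80
"""

# The ports the article says the worm probes.
SCAN_PORTS = {80, 8080}


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, dport)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_sweeps(flows, threshold=8, window=timedelta(seconds=60), prefix=24):
    """Return {src: (netblock, distinct_hosts)} for every source that touched
    at least `threshold` distinct hosts in one /prefix on SCAN_PORTS within
    `window`. Threshold and window are tuning assumptions, not values from
    the article."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in SCAN_PORTS:
            per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        # Slide a time window over the source's events and group the
        # destinations inside it by netblock.
        for i, (t0, _) in enumerate(events):
            blocks = defaultdict(set)
            for t, dst in events[i:]:
                if t - t0 > window:
                    break
                net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
                blocks[net].add(dst)
            for net, dsts in blocks.items():
                if len(dsts) >= threshold:
                    hits[src] = (str(net), len(dsts))
            if src in hits:
                break
    return hits


if __name__ == "__main__":
    for src, (net, count) in find_sweeps(parse_flows(SAMPLE_LOG)).items():
        print(f"{src} swept {count} hosts in {net} on ports 80/8080")
```

The check keys on distinct destination hosts per netblock rather than on connection count, so a single busy client talking repeatedly to one web server (as 192.0.2.20 does here) does not trip it; a router infected by the worm, working through a netblock host by host, does.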

After infection, a second file is downloaded, which probably contains additional code. In addition, the worm seems to connect to a command-and-control server: the second binary contains a number of hostnames.