An attack that infects home and small-office wireless routers from Linksys with self-replicating malware, has been uncovered. Once a device is compromised, it scans the Internet for other vulnerable devices to infect.
The worm appears to include
strings that point to a command and control channel. The worm also
includes basic HTML pages with images that look benign and more like a
exploit may also change some routers' domain name system server to
220.127.116.11 or 18.104.22.168, which are IP addresses used by Google's DNS service.
Compromised routers remain infected until they are rebooted. Once the
devices are restarted, they appear to return to their normal state.
People who are wondering if their device is infected should check for
heavy outbound scanning on port 80 and 8080, and inbound connection
attempts to miscellaneous ports below 1024.
Linksys routers. As the routers scanned IP ports 80 and
8080 as fast as they could, they consumed the bandwidth of the
unidentified ISP's customers, slowed down their legitimate activity, and
interrupted streams and VPN connections.
The objective behind this ongoing attack remains unclear. Given that
the only observable behavior is to temporarily infect a highly select
range of devices, one possible motivation is to test how viable a
self-replicating worm can be in targeting routers.
More details can be found here and here.