Thursday, February 13, 2014

Worm attacks Linksys routers with self-replicating malware

An attack that infects Linksys home and small-office wireless routers with self-replicating malware has been uncovered. Once a device is compromised, it scans the Internet for other vulnerable devices to infect.

The worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card.

The exploit may also change some routers' domain name system server to or, which are IP addresses used by Google's DNS service. Compromised routers remain infected until they are rebooted. Once the devices are restarted, they appear to return to their normal state. People wondering whether their device is infected should check for heavy outbound scanning on ports 80 and 8080, and for inbound connection attempts to miscellaneous ports below 1024.
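The two indicators described above can be checked against connection records exported from a firewall or flow collector. The following is an added example, not code from the original post: the record layout, the addresses (documentation ranges) and both thresholds are assumptions chosen for illustration.

```python
# Constructed sample data: (src_ip, dst_ip, dst_port) connection records.
# All addresses come from the reserved documentation ranges.
ROUTER_WAN = "203.0.113.10"  # assumed WAN address of the router being checked


def sample_flows():
    flows = []
    # Outbound: router contacts many distinct hosts on 80/8080 (scan-like).
    for i in range(1, 41):
        flows.append((ROUTER_WAN, f"198.51.100.{i}", 80 if i % 2 else 8080))
    # Outbound: ordinary traffic to a couple of hosts.
    flows += [(ROUTER_WAN, "192.0.2.5", 443), (ROUTER_WAN, "192.0.2.6", 80)]
    # Inbound: connection attempts to assorted ports below 1024.
    for port in (193, 444, 505, 666, 777):
        flows.append(("192.0.2.77", ROUTER_WAN, port))
    return flows


def assess(flows, wan_ip, scan_threshold=25, inbound_threshold=3):
    """Evaluate both indicators for one WAN address.

    scan_threshold and inbound_threshold are assumed values; tune them
    to the baseline of the network being monitored.
    """
    scanned = set()    # distinct hosts contacted on ports 80/8080
    low_ports = set()  # distinct inbound destination ports below 1024
    for src, dst, port in flows:
        if src == wan_ip and port in (80, 8080):
            scanned.add(dst)
        elif dst == wan_ip and port < 1024:
            low_ports.add(port)
    return {
        "outbound_scan_targets": len(scanned),
        "inbound_low_ports": sorted(low_ports),
        "heavy_outbound_scanning": len(scanned) >= scan_threshold,
        "inbound_low_port_probing": len(low_ports) >= inbound_threshold,
    }


if __name__ == "__main__":
    print(assess(sample_flows(), ROUTER_WAN))
```

Counting distinct destinations rather than raw connections keeps a router that repeatedly talks to a few web servers from being flagged.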

Linksys routers. As the routers scanned IP ports 80 and 8080 as fast as they could, they consumed the bandwidth of the unidentified ISP's customers, slowed down their legitimate activity, and interrupted streams and VPN connections.

The objective behind this ongoing attack remains unclear. Given that the only observable behavior is to temporarily infect a highly select range of devices, one possible motivation is to test how viable a self-replicating worm can be in targeting routers.

More details can be found here and here.