Moon Worm - infects Home Routers - redirects advertisement and security access

Rx_
Just had this exposed two days ago.
It appears to hit Comcast, Cox and most routers.

If anyone has tips or suggestions, please share.
If it hasn't hit you yet, take precautions.

Hundreds of articles, just to get started:
The Moon Worm - Infects Home Routers - Shows Fake "Adobe Flash Critical Update Required" Message
https://forums.adobe.com/message/6245227#6245227

http://www.bleepingcomputer.com/for...tion-self-replicates-remote-access-redirects/

As it is on the router, it affects all workstations including PC, Mac, Linux...

One tech reported flashing his router's firmware only to have a text box appear with "Ha Ha Ha Ha ...."
It appears to really go on the offensive when you try to address it.

PC Virus Check will not help, it is on the router.
 
That thread talking about Moon Worm is more like a year old, not two days old.

Still good knowledge to have, though.
 
You're right, a year ago the charts didn't show it hitting many. The UK was almost untouched. For 2015, the number of new hits is huge.
Here is a 2015 article just about Linksys
http://www.tomsguide.com/us/malware-spreading-worm-linksys,news-18316.html
It isn't clear if "themoon" or the Moon Worm are the same.
Linksys's statement that it only affected routers with remote access turned on... I have trouble believing that after reading posts for a couple of hours last night.
This is a 2015 Linksys Knowledge Base
http://kb.linksys.com/Linksys/ukp.a...6_How_to_prevent_getting_The_Moon_malware.xml



Highly Recommend Reading this 2015 article to Prevent Infection -

https://grahamcluley.com/2015/02/ad...ty-exploited-hackers-infect-ie-firefox-users/
They discuss how it is already too late for thousands of users.


Not to pick on a single router company (Linksys), here is a recent article on Netgear. From reading many articles, it appears to be the Linux OS on the routers that was compromised:
http://www.computerworld.com/articl...poses-netgear-wireless-routers-to-attcks.html

I am amazed how well designed it must be. Some of the stories about taking action to fix it are really amazing.
Evidently, it doesn't come right out and hit you in the inter-Face. Little things such as Adobe Flash won't update as it verifies checking the IP switch in the background.

After running several paid virus programs when Windows Updates failed, the latest AVG Internet (paid) profile found 2 Trojans and removed them. After reading about this, I rebooted five times.
The first three times, the problem appeared to have gone away.
Then, the pop-up and switched IP came back with a vengeance.

On one site last month, they suggest having Comcast reboot and reload the firmware on the router. Then immediately change the password. This evidently exploits the Router OS. Then, I am not a big fan of Comcast Service.
My plan is to take the Comcast modem in Friday for an exchange and buy a new router. Mine is over 4 years old. Reading how many hours professionals spend on chasing this makes it look better.
There are details of how it takes the Internet provider IP and switches it.
That is some scary stuff to have to constantly monitor.
 
Your average home router uses OpenSSL, which had a deep security flaw exploited by the likes of Heartbleed.

Some manufacturers do not even offer firmware updates and those that do are often not installed by the user.
 
Is there a fix? If there is, please save me from reading through some links and just cut to the chase.
 
Thanks Galaxion.
Went to the Linksys website and after clicking around finally clicked on chat with a support rep. After answering many questions about serial numbers and FCC ID and whatnot, the result was:
Daphne L. J: I am sorry to inform you that, due to the GPL (General Purpose License) rules that govern the use of its firmware, we are no longer able to provide its firmware for download. And please also be informed that your device is already out of warranty.

and then an offer to sell me a new one.
I said since I'm having no current problems no thanks.
So anyway - I'll wait for the worm with BAITED breath (pun definitely intended).
 
My reading of many sites confirms that. The firmware really can't be upgraded.
My unit is 4+ years old. Went to http://www.dslreports.com/forums/all to read about the latest routers. Some of these people are very technical and specialized.
Settled on a nice fairly recent $250 USD one.
It supports USB 3 plus has quad powerful antennas. Something I needed anyway.
Will install it tonight and then have Comcast reset the modem.
 
Installed the new Linksys WRT1900AC last night.
The re-direct problems are gone.
A few years made a big difference. This next-generation router is very fast and responsive. I have several 4 TB Seagate NAS drives connected to the router with TCP/IP cables and an older 2 TB drive on USB. The new router has USB 3, so that was a huge upgrade.

The old router hardly covered my house with wireless. The routers / drives are in a full-sized fireproof secured closet in my garage. The fireproofing includes metal-covered, foiled fireproof insulation, so the signal was dampened. I couldn't get a signal to my portable or smartphone on the back porch. This new router has 4 high-powered antennas. Now my smartphone gets a "very strong" signal on the back porch, and Ookla speed tests show 20 down / 7.5 up on the smartphone.
So maybe the WORM was the IT God's way of telling me it was time for an upgrade.
Maybe my imagination, but the increased wireless radiation seemed to warm the home from the cold winter. (a little humor).

This weekend, I plan to finally learn how to stream my local media to my smart TV.
The 70" 240hz 3D TV didn't stream too well with the old router so I gave up.

Guess the old routers on the shelf are like the old eggs in the fridge. Safer if updated once in a while.

Just glad to discover it was a worm. I was really close to re-installing Windows 7. That would not have made a difference.
 
