Security researcher Johannes B. Ullrich from the SANS Technology Institute has warned about a self-replicating malware which is exploiting authentication bypass and code-execution vulnerabilities in the Linksys wireless routers.
The Malware named as THE MOON, scans for other vulnerable devices to spread from router to router and Johannes confirmed that the malicious worm has already infected around 1,000 Linksys E1000, E1200, and E2400 routers.
In order to hack the Router, malware remotely calls the Home Network Administration Protocol (HNAP), allows identification, configuration and management of networking devices.
The Malware first request the model and firmware version of the router using HNAP and if the device founds vulnerable, it sends a CGI script exploit to get the local command execution access to the device.
Linksys's parent company has confirmed that HNAP1 implementation has a security flaw whose exploit code is publicly available on the Internet.
To what extent this worm can be dangerous is yet a question.
To verify that your device is vulnerable or not, use following command (depending on your OS):
If you receive an XML HNAP reply, you are likely to be victimized for the worm affecting Linksys devices and some preventive measures are to be taken. Also keep an eye on the logs of port 80 and 8080.
Users are recommended to Disable Remote Administration of their device or limits the administration right to a limited number of trusted IP addresses.
