The Moon Worm - Infects Home Routers - Shows Fake "Adobe Flash Critical Update Required" Message

Community Beginner, Mar 24, 2014

Greetings,

This morning we had numerous workstations pop up with an Adobe Flash error.  The browser will be taken over by an Adobe Flash Critical Update Required page and won't let the browser go to any other internet site.  Within the page, a box will pop up that says:  "Attention!  your current version of Adobe Flash Player is outdated!  Your computer is vulnerable to malware now.  Update your Adobe Flash player now."

This message pops up on IE Explorer version 9-11, Google Chrome and Firefox, and the operating systems are Windows XP Pro and Windows 7 Pro.  It has all the behavior of a virus or malware so I don't want to run its download file, which is named install_flashplayer_12_x32_64_msaa_aax_latest.exe.

I've been able to download both flash player installs from the Adobe.com site for both IE and Other Browsers.  Sometimes I've been able to run the installs and it shows that the download and install ran okay with Adobe Flash Player 12 ActiveX showing up in the installed programs list.  Other times, the install won't run and the install file mysteriously gets deleted.  Even after the successful download and install, the browser works briefly okay and then gets seized by the "Critical Update Required" page again.

We're running AVG Anti-Virus Business Edition which is kept updated.  A scan with this program and an updated version of Malwarebytes isn't showing any viruses or malware that could cause this problem.

What can I do to get rid of this "Critical Update Required" problem and get our browsers working again?

Thanks.

Bill J., Lexington, KY

1 Correct answer

New Here, Sep 22, 2014

I got it fixed.

It's called the Moon virus or worm. It does not reside in your PC. It is malicious code that is embedded into your wireless router, primarily Linksys, but D-Link and Motorola have also been affected. Simple fix is to reinstall your firmware and simultaneously delete all web browsing and cache from the browser, then even reset your browser to factory default, and YOUR PROBLEM IS FIXED.

dOUG

New Here, Mar 26, 2014

Bill, one of my employees downloaded this malware and we have a network, but only this one computer is affected.  The computer's OS is Windows 7 w/IE 11 and the network is using a Linksys E4200 router for internet access.  I have noticed that only .com's seem to be affected from the computer's browser and that I can access the internet through other programs or bring up a website with .net only once.  None of our scans (4) picked it up either and we reran them through safe mode with no success.  We even tried a web-based scan with no luck picking it up.  I did find something odd when I was able to access a .net company in IE and tried to go to another website: the Adobe Flash Player malware reappeared and again asked to be downloaded.  When I cancelled that process, I went to the tools icon, went to Security and Delete Browsing History, checked all boxes and ran it.  Out of the 4 programs we've run, Microsoft Security Essentials was the only program to pick up the malware and showed it as BackDoor:Win32\Simda.AT, and MSE removed it. We rebooted but it's still there. Once it's downloaded, now the job is refinding and removing it, so if you or anyone else has something to remove it completely please let me know.

Community Beginner, Mar 26, 2014

trollwv, the only way I could get rid of it was to go into the browser settings and do a complete reset on the browser.  Remember, your Linksys router could have had malicious code installed in it that will just keep reloading it into your browser.  I don't think that Linksys has a firmware update to fix this problem yet.  I pulled our Linksys out of service and used a Cradlepoint router that we already had on hand for temporary internet access until our Cisco router arrives.

Another thing, if you have remote management turned on in your Linksys router, turn it off as port 8080 seems to be one of the ways that they're placing the malicious code in the router.

New Here, Mar 27, 2014

whjco, thanks for the update.  I don't have remote management enabled on my router, and I tried the complete reset of the browser with no success.  I will give the replacement router a try next and will give it a go once more.

New Here, Mar 27, 2014

I have been having this same issue. It started a few days ago. I normally use a Windows machine but have been using a Mac (OS X 10.9) for development lately. The Mac is now having this issue. The PC is fine. The PC is on a hardwired network (not using a Linksys) but the Mac is on a wireless network that uses a Linksys E3000. At first I thought it was a Chrome-only issue and resetting the browser cookies/settings would fix the issue. Today I went to load up a site in Safari and it did the same redirect. I am stumped. I don't have admin rights so I can't check the router myself. Is there any way to test to see if the router is infected? Something I can take to our IT guy?

PS another guy in the office had the same issue and he was running fedora Linux. He got frustrated and switched to another machine (desktop) that is hardwired.

Thanks

-J

Community Beginner, Mar 27, 2014

You may want to contact support for the manufacturer of your router to see if there's any way to check for malicious code or the procedure to wipe and reload the router.  In our infected Linksys E2500 router we had already installed the latest firmware version.  I downloaded and reinstalled the latest firmware but it didn't seem to help. 

New Here, Mar 27, 2014

Thanks for the reply. Just another note to further describe the problem. It seems to happen randomly once the browser info is cleared. It does not happen on the same website every time. The first time I noticed the issue was with bestbuy.com. After that it was google.com. Today it's happening with reddit.com but not bestbuy/google. I have not been able to replicate it on a Windows 8.1 Surface tablet on Chrome. If I clear the browser info the problem goes away again for a bit.

Thanks

-J

Message was edited by: Jerrion *spelling

New Here, Mar 27, 2014

Resetting the E2500 to factory defaults corrected the problem, at least temporarily.  Time will tell if the reset is a permanent fix.

I agree with the others who have posted on this thread.  No malware of any kind is found on the machines that redirect to the SCAM Adobe Flash error message screens.  I have contacted CISCO and have filed a report on our findings through today and have asked that they get involved to find the cause, source and cure for this issue.  I would expect a new firmware release will be announced soon for the E2500 and any other CISCO router products that have been compromised.  I would encourage all to install the firmware when it becomes available.

New Here, Mar 27, 2014

whjco, yes, it's as you said.  My Linksys/Cisco E4200 router was the problem.  I didn't replace it, just disabled the Remote Management Access and saved, and then under Security turned on Filter Anonymous Internet Requests and saved.  Then I rebooted the router and the issue stopped.  Linksys called this The Moon malware; it apparently bypasses authentication on the router by logging in without actually knowing the admin credentials.  Once infected, the router starts flooding the network with ports 80 and 8080 outbound traffic.  A firmware update is said to be coming out soon.  Thanks again for the insight.

New Here, Mar 28, 2014

I did the same as trollwv yesterday for my E4200, and so far no re-appearance ... this might also explain my significant increase in bandwidth usage for the past several months; I thought it was just Netflix.

New Here, Mar 28, 2014

Current research suggests Linksys (Cisco) became aware of this threat a little over a year ago. Most people trying to discover the cause and cure would be searching for Adobe Flash issues, not searching for the "moon". We are currently exploring a secondary issue with the malware. We have 4 of the E2500 on the bench that were compromised, and none of them will take a firmware update. Failures consistently occur at 18%. No comments back yet from Cisco.

New Here, Apr 18, 2014

I have a Cisco E3000 Wireless-N Router. I was having the issue across OS X and Windows. This thread was a big help, but when I tried to get the latest firmware from Cisco I found the download link was no longer present. I chatted with their support and obtained the following info if it helps anyone:

"Linksys is aware of the malware called “The Moon” that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default."

" If you have not enabled the Remote Management Access feature of the router, you are not susceptible to this specific malware. If you have enabled the Remote Management Access feature, we can prevent further vulnerability to your network by disabling the Remote Management Access feature and rebooting your router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks."

"What we can do to fix this issue is to make sure that the router's security settings is enabled and the remote management is disabled."

"Ensure that the Filter Anonymous Internet Requests on the Security Page is enabled."

"The next step would disconnect us from the session. We need to reboot the router to clear the cache."


"According to the system, your product is already outside the complimentary assisted support period. I’d just like to inform you that we normally charge a fee for supporting this type of issue, but since we’re seeing a potential hardware problem with the product, we’ll be extending complimentary support just this one time."

"We also need to upgrade the Firmware. However, the Firmware for this router is no longer available for download. Disabling the remote management on your router and securing it would help fix the issue."

I did find the latest firmware for the E3000 here: http://www.userdrivers.com/LAN-Network-Adapter/Linksys-E3000-Wireless-N-Router-Firmware-Update-1-0-0...


New Here, Apr 18, 2014

Kevin,

Although Cisco will not admit it, there is an issue with this and two other of their devices. Their blog that they sent you is a workaround. If you need remote access, I would suggest acquiring another router. The Netgear N750 would be my suggestion. Solid engineering and support and under $100 if you shop around.

John

New Here, May 03, 2014

Hey, I am currently experiencing this problem at work. We have a Cisco router there. I made the mistake of getting my laptop (WIN 8.1) plugged into this network and then my laptop was experiencing the same thing. My questions are: 1. Is this transferable, i.e. if I take my laptop home to a Netgear router will this infect my home network? 2. Has there been a firmware update for this? 3. Any more news on this?

LEGEND, May 04, 2014

tankr32 wrote:

1. is this transferable  i.e. if i take my laptop home to a Netgear router will this infect my home network.

Being as it's a router hack, it isn't even transferable TO the laptop. It's like a detour on a street. As long as you're on THAT street, it doesn't matter what car you drive, you'll still have to take that detour. But if you take a different street, you don't. It isn't in the car.

2. has there been a firmware update for this.

Not from Adobe, because Adobe doesn't make routers or firmware. Some routers (varies by make and model) can be "flashed" and reloaded like a cell phone.

3. any more news on this?

The link I posted is the latest I've read on it.

New Here, May 06, 2014

I figured out the problem. The router hack simply changes the DNS server to a DNS hosting service (severel.com). In my case a password hack could get downloaded. The malicious DNS server numbers in question for my issue were: 199.182.166.168 and 199.182.166.169.  After you reset or flash your router firmware, make sure to install the correct DNS servers for your ISP. Also make sure you disable "remote management". My router is a Linksys E3000. Linksys has never updated the BIOS for this router.

A second option is to simply install the correct DNS server addresses for your ISP in the routers setup page.

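The mechanism described in the post above (the router's DNS settings rewritten to point at rogue resolvers) can be checked from any client on the LAN without touching the router. The following is an added example and not code from this thread: it pulls resolver addresses out of `ipconfig /all` or `resolv.conf` text and flags any that match the rogue resolvers quoted above or that fall outside the networks you trust; the trusted networks and both sample dumps are constructed placeholders.

```python
import ipaddress
import re

# Rogue resolver addresses quoted in the May 06, 2014 post of this thread.
ROGUE_RESOLVERS = {"199.182.166.168", "199.182.166.169"}

# Networks whose resolvers you trust. Placeholder assumption: the router's LAN
# (a clean router forwards to the ISP) plus an ISP resolver range written here
# as the RFC 5737 documentation block; substitute your own ISP's addresses.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

_NAMESERVER = re.compile(r"^\s*nameserver\s+(\S+)")          # resolv.conf
_DNS_SERVERS = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S*)")  # ipconfig /all

def _as_ip(token):
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        return None

def extract_resolvers(text):
    """List the resolver addresses configured in resolv.conf or ipconfig /all output."""
    found = []
    in_dns_block = False
    for line in text.splitlines():
        match = _NAMESERVER.match(line) or _DNS_SERVERS.match(line)
        if match:
            # ipconfig prints additional servers on following indented lines
            in_dns_block = bool(_DNS_SERVERS.match(line))
            ip = _as_ip(match.group(1))
            if ip:
                found.append(ip)
            continue
        ip = _as_ip(line.strip()) if in_dns_block else None
        if ip:
            found.append(ip)
        else:
            in_dns_block = False
    return found

def classify(resolver):
    """'rogue' if it is a known hijack address, else 'trusted' or 'untrusted'."""
    if resolver in ROGUE_RESOLVERS:
        return "rogue"
    addr = ipaddress.ip_address(resolver)
    return "trusted" if any(addr in net for net in TRUSTED_NETWORKS) else "untrusted"

def audit(text):
    """Map each configured resolver to its verdict; any 'rogue' means the router is suspect."""
    return {ip: classify(ip) for ip in extract_resolvers(text)}

# Constructed sample: ipconfig /all excerpt from a host behind a hijacked router.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 199.182.166.168
                                       199.182.166.169
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample: resolv.conf from a host whose router hands out one unknown resolver.
SAMPLE_RESOLV_CONF = "nameserver 192.168.1.1\nnameserver 203.0.113.53\nnameserver 198.51.100.7\n"

if __name__ == "__main__":
    print(audit(SAMPLE_IPCONFIG), audit(SAMPLE_RESOLV_CONF))
```

Run it against the real `ipconfig /all` output or `/etc/resolv.conf` of an affected client; an "untrusted" verdict means the address is simply not in your list, a "rogue" verdict means the router's DNS settings should be reset as the thread describes.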
New Here, Oct 08, 2014

Upgrading the router worked here, thanks for the help.

Adobe Employee, Oct 08, 2014

I updated the title to make it more useful.

Guest, Jun 11, 2014

YOU MUST RESET ROUTER TO FACTORY DEFAULT BECAUSE A MALWARE IS ON IT AND HAS CHANGED ALL DNS ADDRESSES TO DEVIATE TO ADOBE FAKE SITE.

YOU MUST REMEMBER TO SCAN PC WITH MALWAREBYTES TO BE SURE IT DOESN'T COME BACK.

BYE

FABIO

Guest, Nov 02, 2014

I generally feel that I have a decent understanding when it comes to computers, however you have me stumped on the "reinstall your firmware". I thought I knew what you meant but apparently I didn't because I CAN NOT get rid of this stupid worm!!! I'm about to lose my mind! I downloaded Malwarebytes and AdwCleaner then deleted my history, cookies, cache and EVERYTHING I was able to in both IE and Chrome then closed them out. Then unplugged my Arris wireless router (so that it would reset) uninstalled it from my computer then ran my AVG, the Malwarebytes and AdwCleaner. After they were all done (and they only picked up a couple things surprisingly) I restarted my computer. Once it came back up I then completely just shut it down and went to bed. Got up this morning and plugged in my router, turned on the computer and got everything set back up and going and within 5 minutes the pop ups started covering my page and sending me off to other pages and locking up Chrome!!

I am about to throw my computer across the room! All this because it said Adobe needed to update. I am very careful and am not one to just dl ANYTHING! My stupidity was seeing and trusting the Adobe emblem. PLEASE HELP!!!

https://www.facebook.com/groups/HollysSongofHope/

New Here, Oct 23, 2014

Well, it seems this isn't just linked to Linksys and D-Link.  I'm running a Technicolor router provided by Plusnet (UK).  I've started to see this message coming up on my machine while running Chrome.  It tried to get me to download a program called "setup" from flash.zuqiuing.com - obviously fake, though the page looks like the original.  As it's stupid-o'clock here, I'll deal with the router et al. tomorrow and hope it'll resolve the problem.

One thing I've noticed, that might be related, is that as I load any page, I'm getting what looks like loads of meta-data, and on top of that Chrome keeps crashing.  I am able to browse most of the time successfully, just every now and then get this issue.  I've no other computer to try on this, however I do have android devices which don't use flash, but they've seemed slower on download of late.  BitDefender hasn't reported any problems, though I did have to re-install recently.

I'm running Win7 Ultimate 64-bit.  I also have a Buffalo AirStation running as a wired access point.

Guest, Nov 21, 2014

This worm will just not go away! The title banner is: "Please Install Flash Player Pro to Continue".  It occurs randomly. Sometimes daily. The executable file name always changes. Norton detects it after the ad appears, says it is "not safe", and offers to uninstall it. Once Norton does its thing, the computer operates normally until the next occurrence. I run Windows 7 Pro with Chrome.  Here's what I have done to try and get rid of it!

1. Trashed my old Linksys router and bought a TP-Link TL-WR841N router. I immediately flashed the firmware to the latest version.

2. Reset Chrome and MS Explorer to default.

3. Ran CCleaner, AdwCleaner, and Malwarebytes

I'm out of ideas. I was thinking of upgrading my motherboard and CPU anyway and using a late 2013 disk image, but I hate to go all through that and not know it will get rid of this problem.

[Attached screenshot: Flash PLayer1.jpg]
