The worm sends the HNAP request in order to identify the router's model and firmware version. HNAP - the Home Network Administration Protocol - was developed by Cisco and allows identification, configuration and management of networking devices.
The worm, which has been dubbed TheMoon because it contains the logo of Lunar Industries, a fictitious company from the 2009 movie "The Moon," begins by requesting a /HNAP1/ URL from devices behind the scanned IP addresses.
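For defenders, the initial /HNAP1/ request described above is the stage most visible in web server or honeypot logs. The following Python is an added example, not code from SANS ISC or from this article; the log layout, the `hnap_probes` name, the `min_listeners` threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (not captured traffic). Assumed layout:
# listener, client, ident, user, [timestamp], "request line", status, bytes.
# All addresses come from the reserved documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 203.0.113.7 - - [01/Jan/2000:10:01:02 +0000] "GET /HNAP1/ HTTP/1.1" 200 512
192.0.2.11 203.0.113.7 - - [01/Jan/2000:10:01:03 +0000] "GET /HNAP1/ HTTP/1.1" 404 0
192.0.2.12 203.0.113.7 - - [01/Jan/2000:10:01:05 +0000] "GET /hnap1 HTTP/1.1" 404 0
192.0.2.10 198.51.100.20 - - [01/Jan/2000:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.10 198.51.100.33 - - [01/Jan/2000:10:03:00 +0000] "GET /HNAP1/ HTTP/1.1" 200 512
192.0.2.10 198.51.100.33 - - [01/Jan/2000:10:03:09 +0000] "GET /HNAP1/?x=1 HTTP/1.1" 200 512
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<dst>\S+) (?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

def hnap_probes(log_text, min_listeners=2):
    """Group /HNAP1/ requests by client address.

    A client that requests /HNAP1/ on at least `min_listeners` distinct
    listeners is marked as scanning; one that touches a single listener is
    reported but left unmarked so it can be reviewed by hand.
    """
    seen = defaultdict(lambda: {"hits": 0, "listeners": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are ignored, not fatal
        # Drop any query string, then compare without case or trailing slash.
        path = m["target"].split("?", 1)[0]
        if path.rstrip("/").lower() != "/hnap1":
            continue
        entry = seen[m["src"]]
        entry["hits"] += 1
        entry["listeners"].add(m["dst"])
    return {src: {**e, "scanning": len(e["listeners"]) >= min_listeners}
            for src, e in seen.items()}

if __name__ == "__main__":
    for src, info in sorted(hnap_probes(SAMPLE_LOG).items()):
        label = "scanning" if info["scanning"] else "single listener"
        print(f"{src}: {info['hits']} HNAP request(s), {label}")
```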
"We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900." "At this point, we are aware of a worm that is spreading among various models of Linksys routers," said Johannes Ullrich, the chief technology officer at SANS ISC, in a separate blog post. The attacks seems to be the result of a worm - a self-replicating program - that compromises Linksys routers and then uses those routers to scan for other vulnerable devices. On Thursday the ISC researchers reported that they managed to capture the malware responsible for the scanning activity in one of their honeypots - systems intentionally left exposed to be attacked. Researchers from SANS Institute's Internet Storm Center (ISC) issued an alert Wednesday about incidents where Linksys E1000 and E1200 routers had been compromised and were scanning other IP (Internet Protocol) address ranges on ports. A self-replicating program is infecting Linksys routers by exploiting an authentication bypass vulnerability in various models from the vendor's E-Series product line.