Linux-based Moose worm turns routers into social network bots

Pierluigi Paganini May 27, 2015

Linux/Moose is a malware family that targets Linux-based consumer routers, turning them into social network bots used for illegal activities.

ESET released a study about a new malware, known as the Moose worm, that is compromising devices that have weak or default credentials. The principal targets of the Moose worm are Linux-based routers, in particular SOHO devices, including home routers, running on MIPS and ARM architectures.

Experts at ESET reported that Moose can eavesdrop, meaning it can spy on communications from devices connected to the infected router, running a “comprehensive proxy service (SOCKS and HTTP) that can be accessed only by a specific list of IP addresses”. One of the first things Moose does is “start listening on TCP port 10073 for incoming connections. This server is used by the bot to assess whether a system is infected. When some Linux/Moose scanner thread reaches an opened 10073 port, it will result in a TCP handshake without a data payload.”

[The Moose worm uses the compromised devices to] “steal unencrypted network traffic and offer proxying services to the botnet operator.” “In practice, these capabilities are used to steal HTTP Cookies on popular social network sites and perform fraudulent actions such as non-legitimate ‘follows’, ‘views’ and ‘likes’ on such sites,” added ESET.

This particular worm focuses a lot of attention on social media websites, such as YouTube, Facebook, Instagram and Twitter.

Moose worm schema

Why the Social networks?

If you are a daily user of these social networking websites, you know that the more followers/friends you have, the more followers you can gain, since many more people will be seeing and sharing your posts/comments/videos.

This consideration is the pillar of a business model where you can buy followers to get more attention and make your product reach a wider audience.

Be aware that paying for this type of service means taking part in illegal activities, and it is very likely that these people are using Moose-compromised routers to access their botnet and conduct social media fraud.

“If someone tries to register 2000 twitter accounts from his own IP address this will likely draw attention,” the report states. “To a social network site operator, there is probably nothing more reputable than an IP address behind a well-known ISP. Just the type of network where you can expect to find badly configured consumer routers.”

The report says that Actiontec, Hikvision, Netgear, Synology, TP-Link, ZyXEL and Zhone devices can be exploited by the Moose worm, but so far there is no certainty whether all of them are being targeted.

Infected devices search for other routers with an exposed Telnet management interface by randomly scanning systems whose IP addresses are close to those of the infected device.

“Combining these two techniques maximizes the chances of the router of finding new potential victims.” “Once a device with a responding Telnet service is found, the malware attempts to bruteforce the username and password using a list of well-known default credentials that it received as part of its configuration. Once it [finds] a good username and password combination, the malware will fetch commands from a command and control server that will complete the infection by downloading an executable tailored to the infected platform and executing it.”
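As an added detection example (not ESET's or Security Affairs' code), the two network indicators quoted above can be checked against a flow log from a home firewall or router: a LAN host opening Telnet (tcp/23) connections to many distinct addresses inside a one-minute window, and an inbound connection to tcp/10073, the port an infected device listens on. The log format, all addresses and the five-target threshold are constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow log (not real traffic): "<time> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2015-05-27T10:00:01 192.168.1.1 203.0.113.5 23
2015-05-27T10:00:02 192.168.1.1 203.0.113.9 23
2015-05-27T10:00:04 192.168.1.1 203.0.113.14 23
2015-05-27T10:00:05 192.168.1.20 198.51.100.80 443
2015-05-27T10:00:07 192.168.1.1 203.0.113.22 23
2015-05-27T10:00:09 192.168.1.1 203.0.113.31 23
2015-05-27T10:00:11 198.51.100.7 192.168.1.1 10073
2015-05-27T10:00:30 192.168.1.20 203.0.113.40 23
2015-05-27T10:05:00 192.168.1.20 203.0.113.40 23
"""

TELNET_PORT = 23
MOOSE_PORT = 10073            # port an infected device listens on (ESET report)
SCAN_THRESHOLD = 5            # assumed: distinct Telnet targets inside one WINDOW
WINDOW = timedelta(minutes=1)

def parse_flows(text):
    """Parse the constructed log into (time, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def find_telnet_scanners(flows):
    """Map src -> most distinct Telnet targets it hit inside any WINDOW, if >= threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == TELNET_PORT:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):        # sliding one-minute window
            targets = {d for t, d in events[i:] if t - t0 <= WINDOW}
            if len(targets) >= SCAN_THRESHOLD:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners

def find_moose_listeners(flows):
    """Hosts that accepted an inbound connection on tcp/10073."""
    return sorted({dst for _, _, dst, port in flows if port == MOOSE_PORT})

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("Telnet scanners:", find_telnet_scanners(flows))
    print("Hosts answering on 10073:", find_moose_listeners(flows))
```

A single host that repeatedly reaches one Telnet target (192.168.1.20 above) stays below the threshold; the router fanning out to five addresses in a few seconds, and then answering on 10073, is what the check surfaces.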

How to prevent your router from getting infected by the Moose worm?

  • Disable Telnet
  • Use SSH
  • Ensure that the device is not accessible from the internet on ports 22, 23, 80 and 443
  • Update your router to the latest firmware
  • If infected, install the latest firmware

I think that malware like the Moose worm can become a serious threat to IoT devices, since all smart objects are always online and connected to peers.

It’s also important that router/device vendors give more importance to the security of their equipment (as I said in other articles).

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He had previous experiences in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – Moose worm, SOHO devices)