Linux-based Moose worm turns routers into social network bots

Linux/Moose is a malware family that targets Linux-based consumer routers turning them into social network bots to use for illegal activities.

ESET released a study about a new malware known as Moose worm that is compromising devices that have a weak or default credentials. The principal target of the Moose worm are the linux-based routers, in particular, the SOHO devices, including home routers, running on MIPS and ARM architectures.

Experts at ESET reported that Moose can perform eavesdrop, which means, it can spy communications from devices connected to the infected router, running “comprehensive proxy service (SOCKS and HTTP) that can be accessed only by a specific list of IP addresses”, and one of the fisrt things that Moose does is “start listening on TCP port 10073 for incoming connections. “This server is used by the bot to assess whether a system is infected.”, “When some Linux/Moose scanner thread reaches an opened 10073 port, it will result in a TCP handshake without a data payload.”

[Moose worm use the compromised devices to] “steal unencrypted network traffic and offer proxying services to the botnet operator,” “In practice, these capabilities are used to steal HTTP Cookies on popular social network sites and perform fraudulent actions such as non-legitimate “follows”, “views” and “likes” on such sites.” added ESET.

This particular worm, focus a lot of attention to social media websites, such YouTube, Facebook, Instagram and Twitter

Why the Social networks?

If you are a daily user of these social networking websites, you know that the more followers/friends you have, the more followers you can gain, since much more people will be seeing and sharing your posts/comments/videos.

This consideration is the pillar of a business model, where you can buy followers to get more attention and to make your product to reach a wide audience.

Be aware, paying this type of service means doing illegal activities, and its much likely that these people are making use of Moose-compromised routers to access their botnet to conduct social media fraud.

“If someone tries to register 2000 twitter accounts from his own IP address this will likely draw attention,” “To a social network site operator, there is probably nothing more reputable than an IP address behind a well-known ISP. Just the type of network where you can expect to find badly configured consumer routers.” states report.

The report says that Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL, and Zhone can be exploited by the Moose worm, but until now there is no certainty if all of them are being targeted or not.

Infected devices search for other routers with an exposed Telnet management interface by randomly scan systems whose IP addresses are related to the ones of the infected device.

 “Combining these two techniques maximizes the chances of the router of finding new potential victims,””Once a device with a responding Telnet service is found, the malware attempts to bruteforce the username and password using a list of well-known default credentials that it received as part of its configuration. Once it [finds] a good username and password combination, the malware will fetch commands from a command and control server that will complete the infection by downloading an executable tailored to the infected platform and executing it.”

How to prevent your router from getting infected by Moose worm?

• Disable Telnet
• Use SSH
• Insure that device is not accessible from in internet on ports 22,23,80,443
• Update your router to the latest firmware
• If infected install the latest firmware

I think that malware like the Moose worm can become a serious threat for IoT devices, since all smart objects are always online and connected to peers.

It’s also important that router/device vendors give more importance to the security of their equipment ( as I said and other articles).

About the Author Elsio Pinto

Edited by Pierluigi Paganini

(Security Affairs –  Moose worm, SOHO devices)