Perimeter

5/27/2015
02:45 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Moose Malware Uses Linux Routers For Social Network Fraud

Linux/Moose is sophisticated enough to do DNS hijacks, DDoSes, and deep network penetration...so why is it wasting its time on Instagram?

A new worm targeting Linux routers is exploiting them not through a vulnerability per se, but rather by simply brute-forcing weak passwords, according to researchers at ESET. The malware, which researchers have dubbed Linux/Moose, could be used for a wide variety of purposes -- including DNS hijacking, DDoSing, and deep network penetration -- but so far attackers only seem to be using it for tame social networking fraud.

Moose intercepts unencrypted network traffic and its main payload is a generic proxy service. It could be adapted for all manner of nefarious activities. Yet so far, as far as researchers can tell, it's just been used to steal HTTP cookies on social network sites and then perform fraudulent activities. Nothing as sinister as blackmail or full-blown identity theft, mind you -- just fraudulent "likes," "follows," and creation of new accounts.

ESET researcher Olivier Bilodeau says that this confused the ESET team. "Why go through so much effort to get followers on Instagram?" he says.

Their theory now is that there is money to be made. Companies already pay marketing firms to pump up their social networking reach and activity; code like Moose could be a powerful tool in the hands of a marketing associate looking for an edge.

Moose's modus operandi wasn't the only thing that struck researchers as strange. It also doesn't have a persistence mechanism.

"What we think is, they don't need it," says Bilodeau. As he explains, the attackers must either find it very easy to regain access to a target router -- brute-forcing access from a static list of 300 username/password combinations -- or they achieve everything they want to so quickly that they have no need to return.

"It's kind of scary not to care about persistence," Bilodeau says.

Although Moose has been specifically targeting consumer Linux routers so far, it's still a concern for enterprises, Bilodeau says. One reason: home office workers may connect through poorly configured consumer routers. Also, Moose affects not just routers, but a host of other devices with embedded Linux systems -- and Moose-infected routers regularly scan for all those other Linux systems.

"It will scan every interface it has," says Bilodeau, "spread past the Internet into the intranet, which allows it to spread to places that are not usually reachable."

"What the operators could do," he says, "they know the source of the infection ... they could activate other kinds of [malicious] features."

It is difficult to tell how prevalent Moose is, and Bilodeau says the malware is built to make it that way. As ESET explains in the research report:

"There is no peer-to-peer protocol, [Moose] uses a hardcoded IP address instead of DNS for C&C, and even though the backdoor is listening on the Internet on port 10073 to offer its proxy service, only IP addresses in a whitelist are allowed to connect. Another reason for our lack of success is the lack of security tools ecosystems (like Anti-Virus) on embedded systems. Finally, the hosting providers where the C&C are located were relunctant to cooperate, which didn’t help."

Bilodeau says he received an email from one hosting provider this morning, so he is hopeful that ESET may be able to get a better idea of the prevalence of Linux/Moose soon. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/31/2015 | 11:23:01 PM
Re: Dissecting Moose
@Sara: At the very least, enterprises should acknowledge and accept that many routers and whatnot do not have default password changing as part of the wizard -- and make forced default password changing part of its own IT systems.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/31/2015 | 11:21:42 PM
Re: Dissecting Moose
@Dr.T: Indeed.  You could have the finest security measures in your platform in existence -- but if your users are failing to do basic things, then no amount of enhanced security can help you.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/31/2015 | 11:20:02 PM
Re: Dissecting Moose
Worth mentioning, of course, that the Linux kernel had more vulnerabilities discovered in it in 2014 than any other OS -- except Apple's (OSX and iOS), the other company with a Microsoft-bashing fandom.  ;)

( see, e.g., www.informationweek.com/ios-security-reports-say-no-iphone-is-safe/a/d-id/1319750 )

Of course, "vulnerabilities discovered" is different from "vulnerabilities that exist," but it's a point worth mentioning nonetheless.
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
5/29/2015 | 5:36:31 PM
Re: Dissecting Moose
@Sara Peters - As @ColinC34 was quick to point out, this is about brute force attacks to gain entry, and not necessarily a Linux-specific vulnerability.  So, no, I don't think you're oversimplifying it at all.  Sometimes security is simple - you either put solid password management into practice, or you fall victim.  Regardless the system you're on.
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
5/29/2015 | 5:32:59 PM
Re: Dissecting Moose
@ColinC34 Yes, which is why I noted " InfoSec is about more than the desktop and a minor difference in architecture" - I think the irony is more to the point that as secure as one system may be over another, InfoSec can't be simplified on that point :-)  And, yes, I'm writing this from my Debian GNU/Linux system for a reason!
nFrontSecurity
50%
50%
nFrontSecurity,
User Rank: Apprentice
5/29/2015 | 12:23:34 PM
Re: Dissecting Moose
Sara. 

The password issues is our specialty, check us out to see if we would be a good fit,  the trial download is FREE!!!

nFront Security!! 

 
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
5/29/2015 | 9:54:51 AM
Re: Dissecting Moose
The default password thing really is getting out of hand. Couldn't changing the password be a mandatory part of the configuration process? Something like a consumer router is likely going to configured by a regular user via a set-up wizard. Just make changing the password part of that wizard. Am I oversimplifying this or missing the point or something?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/28/2015 | 2:28:07 PM
Anti-virus in a router?
Let's try this. Next thing they will suggest is to but more resources to cover the overhead in the router. Packet inspection is already available, I do not think we are in lack of tool, what we are lacking is a strategy to deal with the security in most cases.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/28/2015 | 2:24:44 PM
Re: Dissecting Moose
I hear you, I would still consider weak password is a security hole in OS tough. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/28/2015 | 2:23:33 PM
Re: Dissecting Moose
Linux may still be better system to prevent from attacks then windows because of architectural and how processes run. You do not expect any process would take over a resource and crash whole system down in Linux/Unix world. That is still not the case in Windows.
Page 1 / 2   >   >>
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.