A new worm targeting Linux routers is exploiting them not through a vulnerability per se, but rather by simply brute-forcing weak passwords, according to researchers at ESET. The malware, which researchers have dubbed Linux/Moose, could be used for a wide variety of purposes -- including DNS hijacking, DDoSing, and deep network penetration -- but so far attackers only seem to be using it for tame social networking fraud.
Moose intercepts unencrypted network traffic and its main payload is a generic proxy service. It could be adapted for all manner of nefarious activities. Yet so far, as far as researchers can tell, it's just been used to steal HTTP cookies on social network sites and then perform fraudulent activities. Nothing as sinister as blackmail or full-blown identity theft, mind you -- just fraudulent "likes," "follows," and creation of new accounts.
ESET researcher Olivier Bilodeau says that this confused the ESET team. "Why go through so much effort to get followers on Instagram?" he says.
Their theory now is that there is money to be made. Companies already pay marketing firms to pump up their social networking reach and activity; code like Moose could be a powerful tool in the hands of a marketing associate looking for an edge.
Moose's modus operandi wasn't the only thing that struck researchers as strange. It also doesn't have a persistence mechanism.
"What we think is, they don't need it," says Bilodeau. As he explains, the attackers must either find it very easy to regain access to a target router -- brute-forcing access from a static list of 300 username/password combinations -- or they achieve everything they want to so quickly that they have no need to return.
"It's kind of scary not to care about persistence," Bilodeau says.
Although Moose has been specifically targeting consumer Linux routers so far, it's still a concern for enterprises, Bilodeau says. One reason: home office workers may connect through poorly configured consumer routers. Also, Moose affects not just routers, but a host of other devices with embedded Linux systems -- and Moose-infected routers regularly scan for all those other Linux systems.
"It will scan every interface it has," says Bilodeau, "spread past the Internet into the intranet, which allows it to spread to places that are not usually reachable."
"What the operators could do," he says, "they know the source of the infection ... they could activate other kinds of [malicious] features."
It is difficult to tell how prevalent Moose is, and Bilodeau says the malware is built to make it that way. As ESET explains in the research report:
"There is no peer-to-peer protocol, [Moose] uses a hardcoded IP address instead of DNS for C&C, and even though the backdoor is listening on the Internet on port 10073 to offer its proxy service, only IP addresses in a whitelist are allowed to connect. Another reason for our lack of success is the lack of security tools ecosystems (like Anti-Virus) on embedded systems. Finally, the hosting providers where the C&C are located were reluctant to cooperate, which didn't help."
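Two of the behaviours described above lend themselves to simple network-log detection: inbound connections to the router's proxy backdoor on TCP port 10073, and an infected router scanning outward across its interfaces into the intranet. The Python below is an added example, not ESET's code; the log format, the addresses, the LAN range and the fan-out threshold are all constructed or assumed.

```python
from collections import defaultdict
import ipaddress

# Constructed connection log, one flow per line: "<src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
203.0.113.7 192.0.2.1 10073 tcp
198.51.100.9 192.0.2.1 10073 tcp
203.0.113.7 192.0.2.1 443 tcp
192.168.1.1 192.168.1.10 23 tcp
192.168.1.1 192.168.1.11 23 tcp
192.168.1.1 192.168.1.12 23 tcp
192.168.1.1 192.168.1.13 23 tcp
192.168.1.20 192.168.1.1 53 udp
"""

MOOSE_PROXY_PORT = 10073    # backdoor proxy port named in the ESET report
SCAN_FANOUT_THRESHOLD = 3   # distinct LAN targets before flagging a host (assumed value)
LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed internal network

def parse(log_text):
    """Yield (src, dst, dport, proto) from the constructed log, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2]), parts[3]

def moose_proxy_hits(log_text, router_wan_ip, lan=LAN):
    """Sources outside the LAN reaching the router's backdoor proxy port.
    The report says only whitelisted IPs may connect, so any inbound
    attempt to this port on a consumer router is worth an alert."""
    return sorted({src for src, dst, dport, proto in parse(log_text)
                   if dst == router_wan_ip and dport == MOOSE_PROXY_PORT
                   and proto == "tcp" and ipaddress.ip_address(src) not in lan})

def lateral_scanners(log_text, lan=LAN, threshold=SCAN_FANOUT_THRESHOLD):
    """LAN hosts contacting at least `threshold` distinct LAN hosts: the
    'scan every interface' spread into the intranet described above."""
    fanout = defaultdict(set)
    for src, dst, dport, proto in parse(log_text):
        if ipaddress.ip_address(src) in lan and ipaddress.ip_address(dst) in lan:
            fanout[src].add(dst)
    return {src: len(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    print(moose_proxy_hits(SAMPLE_LOG, "192.0.2.1"))   # ['198.51.100.9', '203.0.113.7']
    print(lateral_scanners(SAMPLE_LOG))                # {'192.168.1.1': 4}
```

The fan-out check is deliberately coarse; on a real network the threshold and the LAN range would come from the site's own baseline rather than the constants used here.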
Bilodeau says he received an email from one hosting provider this morning, so he is hopeful that ESET may be able to get a better idea of the prevalence of Linux/Moose soon.