Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

5/27/2015
02:45 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Moose Malware Uses Linux Routers For Social Network Fraud

Linux/Moose is sophisticated enough to do DNS hijacks, DDoSes, and deep network penetration...so why is it wasting its time on Instagram?

A new worm targeting Linux routers is exploiting them not through a vulnerability per se, but rather by simply brute-forcing weak passwords, according to researchers at ESET. The malware, which researchers have dubbed Linux/Moose, could be used for a wide variety of purposes -- including DNS hijacking, DDoSing, and deep network penetration -- but so far attackers only seem to be using it for tame social networking fraud.

Moose intercepts unencrypted network traffic and its main payload is a generic proxy service. It could be adapted for all manner of nefarious activities. Yet so far, as far as researchers can tell, it's just been used to steal HTTP cookies on social network sites and then perform fraudulent activities. Nothing as sinister as blackmail or full-blown identity theft, mind you -- just fraudulent "likes," "follows," and creation of new accounts.

ESET researcher Olivier Bilodeau says that this confused the ESET team. "Why go through so much effort to get followers on Instagram?" he says.

Their theory now is that there is money to be made. Companies already pay marketing firms to pump up their social networking reach and activity; code like Moose could be a powerful tool in the hands of a marketing associate looking for an edge.

Moose's modus operandi wasn't the only thing that struck researchers as strange. It also doesn't have a persistence mechanism.

"What we think is, they don't need it," says Bilodeau. As he explains, the attackers must either find it very easy to regain access to a target router -- brute-forcing access from a static list of 300 username/password combinations -- or they achieve everything they want to so quickly that they have no need to return.

"It's kind of scary not to care about persistence," Bilodeau says.

Although Moose has been specifically targeting consumer Linux routers so far, it's still a concern for enterprises, Bilodeau says. One reason: home office workers may connect through poorly configured consumer routers. Also, Moose affects not just routers, but a host of other devices with embedded Linux systems -- and Moose-infected routers regularly scan for all those other Linux systems.

"It will scan every interface it has," says Bilodeau, "spread past the Internet into the intranet, which allows it to spread to places that are not usually reachable."

"What the operators could do," he says, "they know the source of the infection ... they could activate other kinds of [malicious] features."

It is difficult to tell how prevalent Moose is, and Bilodeau says the malware is built to make it that way. As ESET explains in the research report:

"There is no peer-to-peer protocol, [Moose] uses a hardcoded IP address instead of DNS for C&C, and even though the backdoor is listening on the Internet on port 10073 to offer its proxy service, only IP addresses in a whitelist are allowed to connect. Another reason for our lack of success is the lack of security tools ecosystems (like Anti-Virus) on embedded systems. Finally, the hosting providers where the C&C are located were relunctant to cooperate, which didn’t help."

Bilodeau says he received an email from one hosting provider this morning, so he is hopeful that ESET may be able to get a better idea of the prevalence of Linux/Moose soon. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/31/2015 | 11:23:01 PM
Re: Dissecting Moose
@Sara: At the very least, enterprises should acknowledge and accept that many routers and whatnot do not have default password changing as part of the wizard -- and make forced default password changing part of its own IT systems.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/31/2015 | 11:21:42 PM
Re: Dissecting Moose
@Dr.T: Indeed.  You could have the finest security measures in your platform in existence -- but if your users are failing to do basic things, then no amount of enhanced security can help you.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/31/2015 | 11:20:02 PM
Re: Dissecting Moose
Worth mentioning, of course, that the Linux kernel had more vulnerabilities discovered in it in 2014 than any other OS -- except Apple's (OSX and iOS), the other company with a Microsoft-bashing fandom.  ;)

( see, e.g., www.informationweek.com/ios-security-reports-say-no-iphone-is-safe/a/d-id/1319750 )

Of course, "vulnerabilities discovered" is different from "vulnerabilities that exist," but it's a point worth mentioning nonetheless.
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
5/29/2015 | 5:36:31 PM
Re: Dissecting Moose
@Sara Peters - As @ColinC34 was quick to point out, this is about brute force attacks to gain entry, and not necessarily a Linux-specific vulnerability.  So, no, I don't think you're oversimplifying it at all.  Sometimes security is simple - you either put solid password management into practice, or you fall victim.  Regardless the system you're on.
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
5/29/2015 | 5:32:59 PM
Re: Dissecting Moose
@ColinC34 Yes, which is why I noted " InfoSec is about more than the desktop and a minor difference in architecture" - I think the irony is more to the point that as secure as one system may be over another, InfoSec can't be simplified on that point :-)  And, yes, I'm writing this from my Debian GNU/Linux system for a reason!
nFrontSecurity
50%
50%
nFrontSecurity,
User Rank: Apprentice
5/29/2015 | 12:23:34 PM
Re: Dissecting Moose
Sara. 

The password issues is our specialty, check us out to see if we would be a good fit,  the trial download is FREE!!!

nFront Security!! 

 
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
5/29/2015 | 9:54:51 AM
Re: Dissecting Moose
The default password thing really is getting out of hand. Couldn't changing the password be a mandatory part of the configuration process? Something like a consumer router is likely going to configured by a regular user via a set-up wizard. Just make changing the password part of that wizard. Am I oversimplifying this or missing the point or something?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/28/2015 | 2:28:07 PM
Anti-virus in a router?
Let's try this. Next thing they will suggest is to but more resources to cover the overhead in the router. Packet inspection is already available, I do not think we are in lack of tool, what we are lacking is a strategy to deal with the security in most cases.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/28/2015 | 2:24:44 PM
Re: Dissecting Moose
I hear you, I would still consider weak password is a security hole in OS tough. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/28/2015 | 2:23:33 PM
Re: Dissecting Moose
Linux may still be better system to prevent from attacks then windows because of architectural and how processes run. You do not expect any process would take over a resource and crash whole system down in Linux/Unix world. That is still not the case in Windows.
Page 1 / 2   >   >>
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-0532
PUBLISHED: 2021-06-21
In memory management driver, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-185196177
CVE-2021-0533
PUBLISHED: 2021-06-21
In memory management driver, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-185193932
CVE-2021-26461
PUBLISHED: 2021-06-21
Apache Nuttx Versions prior to 10.1.0 are vulnerable to integer wrap-around in functions malloc, realloc and memalign. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.
CVE-2021-0478
PUBLISHED: 2021-06-21
In updateDrawable of StatusBarIconView.java, there is a possible permission bypass due to an uncaught exception. This could lead to local escalation of privilege by running foreground services without notifying the user, with User execution privileges needed. User interaction is not needed for explo...
CVE-2021-0504
PUBLISHED: 2021-06-21
In avrc_pars_browse_rsp of avrc_pars_ct.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: ...