Thanks to default passwords, Moose malware may infect Linux-based routers near you soon

Moose malware is infecting Linux-based embedded devices that use default passwords.


ESET researchers have identified new malware that is infecting routers in order to pull off social networking fraud by "hijacking victims' internet connections in order to 'like' posts and pages, 'view' videos and 'follow' other accounts," according to a We Live Security blog post.

Moose malware infects Linux-based routers and other Linux-based embedded devices running on the MIPS and ARM architectures, then spreads to other Linux-based embedded systems in its path. The name may seem sort of silly, but apparently the threat it represents is not.


"Compromised devices are used to steal unencrypted network traffic and offer proxying services to the botnet operator" in order to perform fraud on popular social networking sites such as YouTube (Google), Instagram (Facebook), Live (Microsoft), Twitter, Yahoo, Vine, Soundcloud, and Fotki (Yandex). Although the top three targets are Twitter, Instagram, and Soundcloud, ESET included graphics to show other Moose targets for social networking fraud.

Figure: Linux/Moose targets for social networking fraud (credit: ESET)

Moose malware does not exploit vulnerabilities to compromise devices; it instead targets devices that use default login credentials. From there, it scans for other devices on the network that it can infect. ESET believes that means "that devices other than routers can be impacted by the worm in the form of accidental collateral damage."

According to analysis (pdf) by ESET researchers Olivier Bilodeau and Thomas Dupuy:

The threat displays out-of-the-ordinary network penetration capabilities compared to other router-based malware. Moose also has DNS hijacking capabilities and will kill the processes of other malware families competing for the limited resources offered by the infected embedded system.

Other key findings include:

  • Linux/Moose targets consumer routers and modems including the hardware provided by Internet Service Providers (ISPs) to consumers.
  • The threat is built for deep network penetration spreading past firewalls.
  • It can eavesdrop on communications to and from devices connected behind the infected router, including desktops, laptops and mobile phones.
  • Moose can be configured to reroute router DNS traffic, which enables man-in-the-middle attacks from across the Internet.
  • Moose runs a comprehensive proxy service (SOCKS and HTTP) that can be accessed only by a specific list of IP addresses.

After discussing the aggressiveness of Moose, ESET researchers said they asked "Rapid7 to scan the Internet on both port 10073 and 23 (Telnet) in order to get a sense of how many Internet-facing devices listen on both ports. It turns out about 1 million IP address fit that description." That was narrowed down to 50,000 potentially infected hosts after removing devices that had no Telnet banner. They added, "All of these indicators taken together, while only educated guesses, leads us to think that this threat is real and should be taken seriously."
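The two-step filter described above (hosts listening on both Telnet and port 10073, then only those that return a Telnet banner) can be applied to devices you administer yourself. This is an added example, not code from ESET or Rapid7; the function names, verdict labels and sample addresses are assumptions, and any bytes received on connect are treated as a banner.

```python
import socket

TELNET_PORT = 23     # Telnet, which Moose uses to log in with default credentials
MOOSE_PORT = 10073   # second port in the Rapid7 scan quoted in the article


def probe(host, port, timeout=2.0, read_banner=False):
    """Connect to one TCP port; return (is_open, first_bytes_received)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if not read_banner:
                return True, b""
            try:
                return True, s.recv(256)   # assumption: any bytes count as a banner
            except OSError:                # includes socket.timeout
                return True, b""
    except OSError:                        # refused, unreachable or timed out
        return False, b""


def triage(host, telnet_port=TELNET_PORT, moose_port=MOOSE_PORT, timeout=2.0):
    """Classify one host with the filter described in the article.

    Verdict labels (hypothetical, chosen for this example):
      potentially-infected  both ports listen and Telnet sends a banner
      review                both ports listen, no Telnet banner
      telnet-exposed        only Telnet listens: default-password risk
      no-match              Telnet is not reachable
    """
    telnet_open, banner = probe(host, telnet_port, timeout, read_banner=True)
    if not telnet_open:
        return "no-match"
    moose_open, _ = probe(host, moose_port, timeout)
    if not moose_open:
        return "telnet-exposed"
    return "potentially-infected" if banner else "review"


def audit(hosts, **kwargs):
    """Triage every address in an inventory of devices you are responsible for."""
    return {host: triage(host, **kwargs) for host in hosts}


if __name__ == "__main__":
    # Constructed inventory; replace with your own router, modem or DVR addresses.
    for host, verdict in audit(["192.168.1.1", "192.168.1.20"]).items():
        print(f"{host}: {verdict}")
```

A "telnet-exposed" verdict matters on its own: the article notes Moose spreads only through Telnet logins with default credentials, so disabling Telnet or changing the password removes that path.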

Figure: Moose infection mechanism (credit: ESET)

Devices affected by Moose malware

Listed among the devices affected by Moose was Hikvision, which released new firmware it dubbed a "security enhancement" since it adds alerts to change the default password. You may recall that Hikvision DVRs were listed among the 73,000 unsecured security cams that anyone could watch thanks to users using the default password that came with the device.

Besides Hikvision, ESET said Actiontec, Netgear, Synology, TP-Link, ZyXEL and Zhone are among the confirmed vendors. Of those, Netgear, TP-Link Technologies and ZyXEL Communications were also vulnerable to the recently revealed attacks that hijack routers through users' browsers.

Citing recent security research, ESET said in "Dissecting Linux/Moose" (pdf), "We have enough evidence to state that even medical devices like the Hospira Drug Infusion Pump could be infected with Linux/Moose."

Furthermore, ESET has cross-referenced the "giant list of default passwords" and usernames that Moose uses in order to spread with a list of vendors that have those default credentials as well as Telnet access enabled. Current Moose versions need some good-old Unix-type shell access in order to infect a machine where it successfully logged in. ESET researchers would appreciate some crowd-source help in order to compose an accurate list of all targeted vendors from the large list of potentially targeted vendors which the company put on GitHub.

ESET considers the following to be potentially targeted vendors:

Network Equipment Vendors: 3Com, Alcatel-Lucent, Allied Telesis, Avaya, Belkin, Brocade, Buffalo, Celerity, Cisco, D-link, Enterasys, Hewlett-Packard, Huawei, Linksys, Mikrotik, Netgear, Meridian, Nortel, SpeedStream, Thomson, TP-Link, Zhone, ZyXEL

Appliances Vendors: APC, Brother, Konica/Minolta, Kyocera, Microplex, Ricoh, Toshiba, Xerox

Internet of Things Vendors: Hikvision, Leviton

A much larger list contains vendors using default credentials, but the researchers need to know if they have Telnet access enabled by default and if you can log in with the weak default credentials via Telnet:

Ericsson, F5 Networks, Fortinet, Siemens, LSI Corporation, Maxim Integrated, Accelerated Network, Quantum, Advantek, Airtel, AirTies, Radware, Ubee Interactive, AOC, Applied Innovations, Arescom, ARtem, Asante, Ascend, ATL, Atlantis, AVM, Avocent, Axis, Aztech, Bay Networks, Bintec, BMC, Broadlogic, Canyon, Cellit, Ciphertrust, CNet, Compaq, Comtrend, Conceptronic, Conexant, Corecess, CTC Union, Cyclades, Davox, Demarc, Digicom, Draytek, Dynalink, E-Con, Efficient, Everfocus, Flowpoint, Gericom, IBM, iDirect, Inchon, Infacta, Infoblox, INOVA, Interbase, Intermec, Intracom, JD Edwards, Kasda, KTI, Lantronix, Laxo, LG, Livingston, Marconi, McAfee, McData, Mentec, Micronet, Milan, Motorola, Mro software, Netopia, Netport, Netscreen, Netstar, Niksun, Nokia, NOMADIX, Olitec(trendchip), OpenConnect, Osicom, Overland, Ovislink, Pansonic, Phoenix, Pirelli, Planet, Ptcl, QLogic, Quintum Technologies, RM, RoamAbout, Sagem, Samsung, Server TechnologyPower, Sharp, Signamax, Siips, Silex Technology, Simple Smdr, Sitecom, Smartswitch, SMC, Sonic-X, Spectra Logic, SpeedXess, Sphairon, SSA, Stratacom, Swissvoice, Symbol, System/32, Tandem, Telewell, Telindus, Tellabs, Topsec, Troy, TVT System, U.S. Robotics, Unisys, VASCO, VxWorks, Wang, Weidmüeller, Westell, X-Micro, xd, Xylan, Xyplex, Zebra, ZTE

Linux/Moose has no persistence mechanism and does not provide a generic backdoor shell access to the botnet operator; it depends upon poor security such as using default credentials. The researchers concluded, "Considering the rudimentary techniques used by Moose in order to gain access to other devices, it is unfortunate that the security of embedded devices isn't taken more seriously by vendors."

Amen to that.

More information is available here, on GitHub and in the detailed technical paper "Dissecting Linux/Moose" (pdf).
