Social Networks: Moose on the Loose

Thursday, May 28, 2015 @ 04:05 PM gHale

With social media having a stronger presence in the work environment, researchers have identified new malware capable of compromising routers to carry out fraudulent actions on social networks.

Known as Moose, the worm spreads by compromising devices with weak or default credentials, said researchers at ESET.

The malware looks primarily for Linux-based consumer routers. In particular, it affects Linux-based embedded devices running on the MIPS and ARM architectures.

Moose can eavesdrop on communications to and from devices connected behind the infected router, and runs a comprehensive proxy service (SOCKS and HTTP) that can be accessed only from a specific list of IP addresses, ESET researchers said. It can also be configured to reroute the router's DNS traffic to enable man-in-the-middle attacks.

“The compromised devices are used to steal unencrypted network traffic and offer proxying services to the botnet operator,” said a whitepaper from ESET. “In practice, these capabilities are used to steal HTTP Cookies on popular social network sites and perform fraudulent actions such as non-legitimate ‘follows,’ ‘views’ and ‘likes’ on such sites.”

Among the social networking sites focused on are Twitter, Facebook, Instagram and YouTube.

“The sad truth is that there are many individuals and companies out there who are keen to manipulate their social media standing, and have no qualms about hiring third-parties who claim to have methods to bump up the number of views of a corporate video, boost the followers on a Twitter feed or get you more Facebook fans,” blogged researcher Graham Cluley. “Often these third-parties will themselves contract the work out to other companies, and the danger is that one of these might — perhaps unwittingly — hire criminals with access to the botnet of Moose-compromised routers to conduct the social media fraud on their behalf.”

“If someone tries to register 2000 twitter accounts from his own IP address this will likely draw attention,” the report said. “To a social network site operator, there is probably nothing more reputable than an IP address behind a well-known ISP. Just the type of network where you can expect to find badly configured consumer routers.”

Olivier Bilodeau, malware researcher at ESET and co-author of the whitepaper on Moose, said the infected devices look for other routers exposing their Telnet management interface both by scanning randomly and by using a pattern that targets systems whose IP addresses are closely related to the IP address of the infected device.

“Combining these two techniques maximizes the chances of the router of finding new potential victims,” he said. “Once a device with a responding Telnet service is found, the malware attempts to brute force the username and password using a list of well-known default credentials that it received as part of its configuration. Once it [finds] a good username and password combination, the malware will fetch commands from a command and control server that will complete the infection by downloading an executable tailored to the infected platform and executing it.”

ESET recommends router owners change the default passwords on network equipment even if it is not reachable from the Internet. In addition, disable the Telnet login and use SSH where possible.

Router owners should also make sure their device is not accessible from the Internet on ports 22 (SSH), 23 (Telnet), 80 (HTTP) and 443 (HTTPS), the researchers said.
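As an added illustration of that last recommendation (this is not code from the article or from ESET's paper), the script below evaluates a Linux router's iptables INPUT chain, as printed by `iptables -S INPUT`, for a fresh TCP connection arriving on the WAN interface and reports which of ports 22, 23, 80 and 443 would still be accepted. The rule listing and the interface name eth0 are constructed assumptions; the simulation follows iptables' first-match-wins order and falls back to the chain policy.

```python
import re
# Ports the article says should not be reachable from the Internet, by service.
MGMT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}
# Constructed sample of `iptables -S INPUT` output; eth0 is assumed to be the WAN side.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j DROP
-A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j REJECT
"""

def parse_rule(line):
    """Return (iface, proto, ports, target) for an '-A INPUT' line, else None."""
    if not line.startswith("-A INPUT"):
        return None
    iface = re.search(r"-i (\S+)", line)
    proto = re.search(r"-p (\S+)", line)
    ports = re.search(r"--dports? (\S+)", line)
    target = re.search(r"-j (\S+)", line)
    return (iface.group(1) if iface else None,
            proto.group(1) if proto else None,
            {int(p) for p in ports.group(1).split(",")} if ports else None,
            target.group(1) if target else None)

def verdict(rules_text, wan_iface, port):
    """Walk the chain for a fresh TCP SYN to `port` on wan_iface; first match wins."""
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        if line.startswith("-P INPUT"):
            policy = line.split()[-1]
            continue
        rule = parse_rule(line)
        if rule is None:
            continue
        iface, proto, ports, target = rule
        if iface not in (None, wan_iface) or proto not in (None, "tcp"):
            continue
        if ports is not None and port not in ports:
            continue
        state = re.search(r"--(?:ct)?state (\S+)", line)
        if state and "NEW" not in state.group(1).split(","):
            continue  # a state match without NEW cannot fire for a fresh connection
        return target
    return policy  # nothing matched: the chain's default policy decides

def exposed_ports(rules_text, wan_iface):
    """Return the management ports the firewall would ACCEPT from the WAN side."""
    return sorted(p for p in MGMT_PORTS if verdict(rules_text, wan_iface, p) == "ACCEPT")
```

With the sample rules, `exposed_ports(SAMPLE_RULES, "eth0")` returns `[23]`: SSH, HTTP and HTTPS are blocked on the WAN side, but Telnet falls through to the ACCEPT policy, which is exactly the opening Moose looks for.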

Click here to download the paper.
