Dissecting Linux/Moose

linux moose 1The Analysis of a Linux Router-based Worm Hungry for Social Networks

Today we are releasing a research paper about a malware family that primarily targets Linux-based consumer routers but that can infect other Linux-based embedded systems in its path: Dissecting Linux/Moose. This blog post will summarize a few elements of the full report.

linux moose 2

Linux/Moose is a standard Linux executable taking the form of a statically-linked ELF binary that was stripped of any debugging symbols. It relies heavily on multithreading for its operation, using as many as 36 threads. This malware can be classified as a worm since most of its threads are used in its attempt to find and infect other devices automatically. Here is a diagram that highlights Moose’s capabilities:

linux moose 3

Our monitoring of the botnet indicates that this threat is used to steal unencrypted HTTP Cookies on popular social network sites and perform fraudulent actions such as non-legitimate “follows” and “views” on the same sites via a SOCKS proxy server built into the malware.

The day username was seen in the tunnel

The day after

Here is an example we captured of an HTTP request going through the proxy operated by the malware:

linux moose 6

Notice how the server upgrades the connection to HTTPS right away. Almost all of the traffic is encrypted via HTTPS so we can’t state precisely what actions were performed by the operators.

We monitored an infected host for about a month and noticed traffic going to the following social network sites:

  • Fotki (Yandex)
  • Instagram (Facebook)
  • Live (Microsoft)
  • Soundcloud
  • Twitter
  • Vine
  • Yahoo
  • Youtube (Google)

We were able to ascertain the domain of the targeted social network using the certificate’s subject field of the TLS handshake of the HTTPS traffic.

Here are the requests going daily to social network sites from a single infected router:

linux moose 7

Below is depicted which social networks were the most targeted during that interval:

linux moose 8

During our analysis we often asked ourselves, “Why so much effort in order to interact with social networks?” But of course there is a market for follows, likes, views and whatnot. The operators of this botnet are generating revenue by performing social network fraud. The consumer routers under attack provide a means to proxy malicious traffic from the operators through to the social network sites leveraging highly reputable Internet Service Providers’ (ISPs) IP addresses.

The threat displays out-of-the-ordinary network penetration capabilities compared to other router-based malware. Moose also has DNS hijacking capabilities and will kill the processes of other malware families competing for the limited resources offered by the infected embedded system. More details are available in the report, including details about the network protocol used to communicate with the Command and Control servers (C&C).

Research Code, Indicators of Compromise (IoCs) and More

Along with our whitepaper, we are releasing some resources to the community. First, we have decided to release on our malware-research github repository all the code we’ve developed in order to monitor this threat. We think that there is little value in keeping these scripts to ourselves. The tradeoff here is that this is code that was produced from a research lab and it isn’t as polished as the code that ends up in our finished products. We hope that our peers in the industry, the Linux embedded community, and future malware analysts will get value out of it.

Second, we are looking for help in confirming which vendors and models are affected. We provide instructions on how to confirm whether Linux/Moose could infect your own devices. We will keep this list of affected vendors updated.

Finally, Indicators of Compromise (IoCs) are also available. They include all hardcoded C&C IP addresses, the current list of dynamic C&C IP addresses, instructions on how to confirm infection, the hashes of malicious files, and Yara rules. Instructions are also provided if you want to verify whether some arbitrary files are Linux/Moose binaries.


Reboot the affected device then change its password as soon as possible. Keep in mind, however, that the compromised system was accessible via credentials that the operators knew, that they were aware of its IP address and they had means to access its interactive console. They might have had manual access, which means that further infection is possible, including permanent firmware modifications (the link is in German). A factory reset, firmware update or reinstall and password change is probably best.


Change default passwords on network equipment even if it is not reachable from the Internet. Disable Telnet login and use SSH where possible.

Make sure that your router is not accessible from the Internet on ports 22 (SSH), 23 (Telnet), 80 (HTTP) and 443 (HTTPS). If you are unsure about how to perform this test, when you are at home, use the “common ports” scan from the ShieldsUP service from GRC.com. Make sure that the ports mentioned above receive a Stealth or Closed status.

Running the latest firmware available from your embedded device vendor is also recommended.

The white paper with all the technical details is available for download on WeLiveSecurity.

by Olivier Bilodeau, ESET

Moose – the router worm with an appetite for social networks

ESET researchers have issued a technical paper today, analysing a new worm that is infecting routers in order to commit social networking fraud, hijacking victims’ internet connections in order to “like” posts and pages, “view” videos and “follow” other accounts.

The malware, dubbed Linux/Moose by researchers Olivier Bilodeau and Thomas Dupuy, infects Linux-based routers and other Linux-based devices, eradicating existing malware infections it might find competing for the router’s limited resources, and automatically finding other routers to infect.

Instagram account

However, the Moose worm does not rely upon amy underlying vulnerability in the routers – it is simply taking advantage of devices that have been weakly configured with poorly chosen login credentials.

Unfortunately, this means that devices other than routers can be impacted by the worm in the form of accidental collateral damage. ESET’s team believes that even medical devices, such as the Hospira drug infusion pump, could be infected by the Linux/Moose worm.

But the principal victims are likely to be routers – with devices from Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL, and Zhone already identified as vulnerable.

ESET’s detailed technical report provides an indepth analysis of the Moose worm, methods by which users can determine if they might have had their routers compromised, and cleaning instructions. Importantly, the technical report provides prevention advice to avoid reinfection.

Perhaps most interesting of all, however, is to try to understand the purpose of the Moose worm.

In their investigation, ESET’s team observed the worm creating bogus accounts on sites such as Instagram, and automatically following users. In many cases the rise in followers was carefully staggered over some days, seemingly to avoid raising alarms in automated systems built by the social networks to identify suspicious behaviour.

The sad truth is that there are many individuals and companies out there who are keen to manipulate their social media standing, and have no qualms about hiring third-parties who claim to have methods to bump up the number of views of a corporate video, boost the followers on a Twitter feed or get you more Facebook fans.

Often these third-parties will themselves contract the work out to other companies, and the danger is that one of these might – perhaps unwittingly – hire criminals with access to the botnet of Moose-compromised routers to conduct the social media fraud on their behalf.

The fact that these aren’t *real* fans, or *real* views of the video is likely to go unnoticed or be swept under the carpet by marketing teams keen to impress their bosses.

As well as social networking fraud, ESET’s paper considers that the malware could potentially be used for other activities – such as distributed denial-of-service attacks, targeted network exploration (where it works hard to dig deep past firewalls) and eavesdropping and DNS hijacking (which could lead itself to phishing and further malware attacks).

Once again, consumers are advised to be on their guard, ensure that they install the latest security patches and never use default or easy-to-crack passwords on their internet-connected devices.

For much more information about the threat, and how to protect yourself against it, read the technical paper from ESET’s team of experts: “Dissecting Linux/Moose”.

by Graham Cluley, We Live Security

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s