Researchers at ESET are shining a light on a new piece of malware that compromises routers in a scheme to take fraudulent actions on social networks.
Known as Moose, the worm spreads by compromising devices with weak or default credentials. Rather than forage for food in a forest like its namesake, the malware looks primarily for Linux-based consumer routers. In particular, it affects Linux-based embedded devices running on the MIPS and ARM architectures.
According to ESET, Moose can eavesdrop on communications to and from devices connected behind the infected router, and runs a comprehensive proxy service (SOCKS and HTTP) that can be accessed by a specific list of IP addresses. It can also be configured to reroute router DNS traffic to enable man-in-the-middle attacks.
“The compromised devices are used to steal unencrypted network traffic and offer proxying services to the botnet operator,” according to a whitepaper from ESET. “In practice, these capabilities are used to steal HTTP Cookies on popular social network sites and perform fraudulent actions such as non-legitimate ‘follows’, ‘views’ and ‘likes’ on such sites.”
Among the social networking sites focused on by the worm are Twitter, Facebook, Instagram and YouTube.
“The sad truth is that there are many individuals and companies out there who are keen to manipulate their social media standing, and have no qualms about hiring third-parties who claim to have methods to bump up the number of views of a corporate video, boost the followers on a Twitter feed or get you more Facebook fans,” blogged security expert Graham Cluley. “Often these third-parties will themselves contract the work out to other companies, and the danger is that one of these might – perhaps unwittingly – hire criminals with access to the botnet of Moose-compromised routers to conduct the social media fraud on their behalf.”
That these views or followers aren’t actually legitimate may go unnoticed or be swept under the rug by marketing teams looking to impress their bosses, he added.
Attempting to commit fraud on these sites requires a reputable and disposable IP address, the paper notes.
“If someone tries to register 2000 Twitter accounts from his own IP address this will likely draw attention,” according to the report. “To a social network site operator, there is probably nothing more reputable than an IP address behind a well-known ISP. Just the type of network where you can expect to find badly configured consumer routers.”
According to ESET, Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL, and Zhone devices are impacted by the worm, though it is not clear that all are being targeted.
Olivier Bilodeau, malware researcher at ESET and co-author of the whitepaper on Moose, said that the infected devices look for other routers exposing their Telnet management interface both by scanning randomly and by using a pattern to find systems whose IP addresses are closely related to the IP address of the infected device.
“Combining these two techniques maximizes the chances of the router of finding new potential victims,” he said. “Once a device with a responding Telnet service is found, the malware attempts to brute-force the username and password using a list of well-known default credentials that it received as part of its configuration. Once it [finds] a good username and password combination, the malware will fetch commands from a command and control server that will complete the infection by downloading an executable tailored to the infected platform and executing it.”
ESET recommends that router owners change the default passwords on network equipment even if it is not reachable from the Internet. In addition, disable Telnet login and use SSH where possible. Router owners should also make sure their device is not accessible from the Internet on ports 22 (SSH), 23 (Telnet), 80 (HTTP) and 443 (HTTPS). If a device is infected, ESET recommends a firmware update or reinstall as well as a password change.
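The spreading behaviour Bilodeau describes (a burst of default-credential Telnet logins, often from an IP address in the same neighbourhood as the victim) leaves a recognisable trace in a router's authentication log. The script below is an added example for defenders, not code from ESET or from the article: it parses a constructed, hypothetical Telnet login log format and flags sources with repeated failures, noting whether the source is a close IP neighbour and whether it eventually logged in.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log (hypothetical router telnetd format, not taken from ESET's report).
SAMPLE_LOG = """\
2015-05-20T08:01:11 telnetd: login user=admin from=192.0.2.17 result=FAIL
2015-05-20T08:01:12 telnetd: login user=root from=192.0.2.17 result=FAIL
2015-05-20T08:01:13 telnetd: login user=admin from=192.0.2.17 result=FAIL
2015-05-20T08:01:14 telnetd: login user=support from=192.0.2.17 result=FAIL
2015-05-20T08:01:15 telnetd: login user=admin from=192.0.2.17 result=OK
2015-05-20T09:15:02 telnetd: login user=admin from=198.51.100.9 result=FAIL
2015-05-20T09:15:03 telnetd: login user=admin from=198.51.100.9 result=FAIL
2015-05-21T10:00:00 telnetd: login user=alice from=192.0.2.5 result=OK
"""

LINE_RE = re.compile(r"^(\S+) telnetd: login user=(\S+) from=(\S+) result=(OK|FAIL)$")

def parse_line(line):
    """Return (timestamp, user, src_ip, ok) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, src, result = m.groups()
    return ts, user, ip_address(src), result == "OK"

def is_neighbor(src, device_ip, prefix=24):
    """True if src sits in the same /prefix block as the router's own WAN address."""
    return src in ip_network(f"{device_ip}/{prefix}", strict=False)

def detect_telnet_bruteforce(log_text, device_ip, threshold=3):
    """Flag sources with >= threshold failed Telnet logins. For each, record whether it
    is a close IP neighbour (the scanning pattern Moose uses) and whether a later
    successful login from the same source suggests the credential guess worked."""
    fails = {}
    success_after_fail = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # ignore unrelated or malformed lines
        _, _, src, ok = rec
        if ok:
            if fails.get(src, 0) > 0:
                success_after_fail.add(src)
        else:
            fails[src] = fails.get(src, 0) + 1
    return {
        str(src): {"failures": n, "neighbor": is_neighbor(src, device_ip),
                   "compromised": src in success_after_fail}
        for src, n in fails.items() if n >= threshold
    }
```

Run against the sample with the router's own address as `device_ip` (here 192.0.2.40); a flagged source marked `compromised` is a signal to follow ESET's advice above and reinstall firmware and rotate credentials.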