ESET Uncovers New Threat Attacking Routers, Performing Fraud on Social Networks and Stealing Network Traffic
Linux/Moose is a malware family primarily targeting Linux-based consumer routers, but it is also known to infect other Linux-based embedded systems. Once infected, the compromised devices are used to steal unencrypted network traffic and to offer proxying services for the botnet operator. You can read more on this phenomenon in an in-depth security research paper titled ‘Dissecting Linux/Moose’, now available on WeLiveSecurity.com.
In practice, these malicious capabilities are used to steal HTTP cookies in order to perform fraudulent actions on Facebook, Twitter, Instagram, YouTube and other sites, including generating non-legitimate "follows", "views" and "likes."
“Linux/Moose is a novelty when you consider that most embedded threats these days are used to perform DDoS attacks,” explains Olivier Bilodeau, Malware Researcher at ESET.
What’s more, according to ESET researchers, this type of malware has the capability to reroute DNS traffic, which enables man-in-the-middle attacks from across the Internet. Moreover, the threat displays out-of-the-ordinary network penetration capabilities compared to other router-based malware. Moose also has DNS hijacking capabilities and will kill the processes of other malware families competing for the limited resources offered by the infected embedded system.
“Considering the rudimentary techniques Moose employed to gain access to other devices, it seems unfortunate that the security of embedded devices doesn’t seem to be taken more seriously by vendors. We hope that our efforts will help to better understand how the malicious actors are targeting their devices,” concludes Bilodeau.
Read more about Linux/Moose in a blog post on WeLiveSecurity.com. Also, check out an opinion piece by Graham Cluley: http://www.welivesecurity.com/2015/05/26/moose-router-worm.