Moose – the router worm with an appetite for social networks

ESET researchers have issued a technical paper today, analyzing a new worm that is infecting routers in order to commit social networking fraud, hijacking victims’ internet connections in order to “like” posts and pages, “view” videos and “follow” other accounts.

The malware, dubbed Linux/Moose by researchers Olivier Bilodeau and Thomas Dupuy, infects Linux-based routers and other Linux-based devices, eradicating existing malware infections it might find competing for the router’s limited resources, and automatically finding other routers to infect.

Moose diagram

However, the Moose worm does not rely upon any underlying vulnerability in the routers – it is simply taking advantage of devices that have been weakly configured with poorly chosen login credentials.

Unfortunately, this means that devices other than routers can be impacted by the worm in the form of accidental collateral damage. ESET’s team believes that even medical devices, such as the Hospira drug infusion pump, could be infected by the Linux/Moose worm.

But the principal victims are likely to be routers – with devices from Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL, and Zhone already identified as vulnerable.

ESET’s detailed technical report provides an indepth analysis of the Moose worm, methods by which users can determine if they might have had their routers compromised, and cleaning instructions. Importantly, the technical report provides prevention advice to avoid reinfection.

Perhaps most interesting of all, however, is to try to understand the purpose of the Moose worm.

In their investigation, ESET’s team observed the worm creating bogus accounts on sites such as Instagram, and automatically following users. In many cases the rise in followers was carefully staggered over some days, seemingly to avoid raising alarms in automated systems built by the social networks to identify suspicious behavior.

Instagram account

The sad truth is that there are many individuals and companies out there who are keen to manipulate their social media standing, and have no qualms about hiring third-parties who claim to have methods to bump up the number of views of a corporate video, boost the followers on a Twitter feed or get you more Facebook fans.

Often these third-parties will themselves contract the work out to other companies, and the danger is that one of these might – perhaps unwittingly – hire criminals with access to the botnet of Moose-compromised routers to conduct the social media fraud on their behalf.

The fact that these aren’t *real* fans, or *real* views of the video is likely to go unnoticed or be swept under the carpet by marketing teams keen to impress their bosses.

As well as social networking fraud, ESET’s paper considers that the malware could potentially be used for other activities – such as distributed denial-of-service attacks, targeted network exploration (where it works hard to dig deep past firewalls) and eavesdropping and DNS hijacking (which could lead itself to phishing and further malware attacks).

Once again, consumers are advised to be on their guard, ensure that they install the latest security patches and never use default or easy-to-crack passwords on their internet-connected devices.

For much more information about the threat, and how to protect yourself against it, read the technical paper from ESET’s team of experts: “Dissecting Linux/Moose”.

Author Graham Cluley, We Live Security

  • Coyote

    Just to the editor as such, there’s a one letter typo. Easy enough to miss except for those like me (even when quickly glancing at it like I did). Whether to fix it or not isn’t up to me. But just in case:

    “… worm does not rely upon amy underlying vulnerability
    in the routers”
    (note ‘amy’ instead of ‘any’).

    • Thanks. I’m not the editor either, but I’ve corrected that. I don’t know when the change will show up, though.

      • Coyote

        Thanks. I don’t know if editor is the right word but the fact you’ve corrected it means you might as well be (I certainly wasn’t thinking of the author, though) for the intent of my message.

  • satxGUY123

    “However, the Moose worm does not rely upon amy underlying vulnerability in the routers”

    Who the fak is ‘amy’? lol

    • Coyote

      $ grep -cH amy /etc/passwd


      Seems to me it is a user I had no idea was on any of any of my systems. Better check to see if I was compromised… Or not. Obviously that is contrived. It is also irrelevant to the over all meaning of the article. As is (or is that ‘was’ ?) ‘amy’ – it was a typo and nothing else.

  • Radiq

    I thought Hik Vision only manufactures security cameras and that Synology only manufactures NAS devices, not routers?

  • Guest

    “it is simply taking advantage of devices that have been weakly configured with poorly chosen login credentials.”

    So the answer is the same as every time: get a good password.

  • bradindvr

    I understand that it gets in by the following:
    1. User name on the modem “Admin”
    2. Tries default PW and multiple possible passwords.
    So, be sure you always change user name from “admin” to something else.
    Use a random password of max allowed length (15 on Actiontec).

Follow us

Copyright © 2018 ESET, All Rights Reserved.