[ALUG] And another malware attacking routers: Dissecting Linux/Moose

Joseph Joachim jjjkimaro90 at gmail.com
Wed Jun 3 08:53:10 EAT 2015


Hello
   I hope you're doing fine. Can you kindly unsubscribe me from the mailing list? I
don't want to receive these emails.
Thanks
Joseph

On Wed, May 27, 2015 at 5:11 PM, Andreas Tauscher via Linux <
linux at lists.habari.co.tz> wrote:

> This one is attacking ARM- or MIPS-based routers with Linux as OS:
> Dissecting Linux/Moose
> http://www.welivesecurity.com/2015/05/26/dissecting-linuxmoose/
>
> Access to the router is gained with a brute-force attack testing passwords.
>
> Once they have access to the router the malware (an ELF binary) is
> uploaded.
> Several threads are started. Most of them are scanning for other devices
> within the network and outside to infect them also.
>
> This malware is a social network fan. It is creating fake likes, views
> and follows at: Fotki (Yandex), Instagram (Facebook), Live (Microsoft),
> Soundcloud, Twitter, Vine, Yahoo, Youtube (Google).
> But once on the router it can do anything: traffic redirection, stealing
> unencrypted session cookies and passwords, manipulating traffic, for
> example injecting other malware into HTTP traffic, and and and...
>
> A quick check if your router is infected:
> - Port 10073 is open.
> - On the router you find a binary named elan2.
> - A process elan2 is running.
>
> At https://github.com/eset/malware-ioc/tree/master/moose you will also find a
> list of IP addresses. If you detect traffic on port 10073 to these
> addresses, a device within the network might be infected.
>
> Protection: disabling any remote access, a strong password and a login
> name which is not one of the first ones tried: root, admin, administrator.
>
> If the router is infected: hard reset the router and reinstall
> the firmware. An update might not be enough, since the update might
> upgrade only single binaries without overwriting the entire memory.
>
> Andreas



-- 
Mr. Joseph Joachim Joseph
Title: ICT support
Organization: RTI International
Seconded: Ministry of Health and Social Welfare
Professional: BSc in Computer Science
Contacts: +255788442657, Skype: joseph.joseph.j
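The quick check quoted above, written out as a small POSIX shell script (an added example, not code from the list post, from ESET, or from the malware-ioc repository): it looks for a listener on TCP 10073 in /proc/net/tcp-style data, a process named elan2 in a pid/name list, and a file named elan2 on the filesystem. The file-based inputs, the sample snapshots and the function names are my own constructions so the checks can be exercised offline.

```sh
#!/bin/sh
# Added example: checks for the Linux/Moose indicators named in the post.
# Each check reads from a file so it can run against a saved snapshot as
# well as live on a BusyBox router (see the usage lines at the bottom).

MOOSE_PORT_HEX="2759"   # 10073 in hex, the form /proc/net/tcp uses

# True (exit 0) if /proc/net/tcp-style data in $1 has a LISTEN (state 0A)
# socket whose local port is 10073.
moose_port_open() {
    awk -v port="$MOOSE_PORT_HEX" '
        NR > 1 {
            split($2, a, ":")
            if (toupper(a[2]) == port && $4 == "0A") found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# True if the process list in $1 (one "pid name" per line) names elan2.
moose_process_running() {
    awk '$2 == "elan2" { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# True if a regular file named elan2 exists anywhere under directory $1.
moose_binary_present() {
    [ -n "$(find "$1" -type f -name elan2 2>/dev/null | head -n 1)" ]
}

# Constructed sample snapshots (not real captures) for offline testing:
# an infected-looking set and a clean set, written under directory $1.
write_samples() {
    hdr='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode'
    ssh='   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1'
    moose='   1: 00000000:2759 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2 1'
    printf '%s\n' "$hdr" "$ssh" "$moose" > "$1/tcp_infected"
    printf '%s\n' "$hdr" "$ssh"          > "$1/tcp_clean"
    printf '1 init\n42 elan2\n' > "$1/ps_infected"
    printf '1 init\n42 httpd\n' > "$1/ps_clean"
    mkdir -p "$1/fs/tmp" "$1/fs_clean" && : > "$1/fs/tmp/elan2"
}

# Live usage on the router itself (BusyBox provides awk, find and /proc):
#   moose_port_open /proc/net/tcp
#   for p in /proc/[0-9]*; do echo "${p#/proc/} $(cat "$p/comm" 2>/dev/null)"; done > /tmp/ps.txt
#   moose_process_running /tmp/ps.txt
#   moose_binary_present /
```

A positive result from any of the three checks calls for the hard reset and firmware reinstall described in the quoted message, not just a firmware update.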