[ALUG] And another malware attacking routers: Dissecting Linux/Moose
Hamisi Jabe
administrator at banana.co.tz
Wed Jun 3 08:56:08 EAT 2015
You can unsubscribe yourself using the below link
http://lists.habari.co.tz/cgi-bin/mailman/listinfo/linux
On 03/06/2015 08:53 asubuhi, Joseph Joachim via Linux wrote:
> Hello
> I hope your doing fine. can you kindly unsubscribe from mail list i
> don't want to receive this emails.
> Thanks
> Joseph
>
> On Wed, May 27, 2015 at 5:11 PM, Andreas Tauscher via Linux
> <linux at lists.habari.co.tz <mailto:linux at lists.habari.co.tz>> wrote:
>
> This one is attacking ARM or MIPS based routers with Linux as OS:
> Dissecting Linux/Moose
> http://www.welivesecurity.com/2015/05/26/dissecting-linuxmoose/
>
> Access to the router is got with a brute force attack testing
> passwords.
>
> Once they got access to the router the male-ware (a ELF binary) is
> uploaded.
> Several threads are started. Most of them are scanning for other
> devices
> within the network and outside to infect them also.
>
> This maleware is a social network fan. It is creating fake likes,
> views
> and follows at: Fotki (Yandex), Instagram (Facebook), Live
> (Microsoft),
> Soundcloud, Twitter, Vine, Yahoo, Youtube (Google)
> But once on the router it can do anything. Traffic redirect, stealing
> unencrypted session cookies, passwords, manipulate traffic like for
> example injecting other male-ware into http traffic and and and......
>
> A quick check if your router is infected:
> Port 10073 is open.
> On the router you find a binary named elan2
> A process elan2 is running.
>
> At https://github.com/eset/malware-ioc/tree/master/moose you find
> also a
> list of IP addresses. If you detect traffic on port 10073 to this
> addresses a device within the net might be infected.
>
> Protection: Disabling any remote access, a strong password and a login
> name which is not one of the first tried: root, admin, administrator.
>
> If the router is infected: Hard resetting the router and reinstalling
> the firmware. A update might not be enough since the update might
> upgrade only singe binaries but not overwriting the entire memory.
>
> Andreas
>
>
>
> _______________________________________________
> The Arusha Linux User Group: http://unix.or.tz
> Linux mailing list
> Linux at lists.habari.co.tz <mailto:Linux at lists.habari.co.tz>
> http://lists.habari.co.tz/cgi-bin/mailman/listinfo/linux
>
> The Arusha LUG mailing list is generously hosted by Habari Node
> Ltd: http://www.habari.co.tz/
>
> The above comments and data are owned by whoever posted them
> (including attachments if any). The mailing list host is not
> responsible for them in any way.
>
>
>
>
> --
> *Mr.Joseph Joachim Joseph*
> *Title:*ICT-support
> Organization:RTI-International
> Seconded:Ministry of Health and Social Welfare
> Proffessional:Bsc in Computer Science
> Contacts:+255788442657 , Skype:joseph.joseph.j
>
>
>
>
>
>
> _______________________________________________
> The Arusha Linux User Group: http://unix.or.tz
> Linux mailing list
> Linux at lists.habari.co.tz
> http://lists.habari.co.tz/cgi-bin/mailman/listinfo/linux
>
> The Arusha LUG mailing list is generously hosted by Habari Node Ltd: http://www.habari.co.tz/
>
> The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.habari.co.tz/pipermail/linux/attachments/20150603/33edac69/attachment.html>
More information about the Linux
mailing list