[ALUG] And another malware attacking routers: Dissecting Linux/Moose

Hamisi Jabe administrator at banana.co.tz
Wed Jun 3 08:56:08 EAT 2015


You can unsubscribe yourself using the link below:

http://lists.habari.co.tz/cgi-bin/mailman/listinfo/linux




On 03/06/2015 08:53 AM, Joseph Joachim via Linux wrote:
> Hello
> I hope you're doing fine. Can you kindly unsubscribe me from the mailing list; I
> don't want to receive these emails.
> Thanks
> Joseph
>
> On Wed, May 27, 2015 at 5:11 PM, Andreas Tauscher via Linux 
> <linux at lists.habari.co.tz <mailto:linux at lists.habari.co.tz>> wrote:
>
>     This one is attacking ARM or MIPS based routers with Linux as OS:
>     Dissecting Linux/Moose
>     http://www.welivesecurity.com/2015/05/26/dissecting-linuxmoose/
>
>     Access to the router is gained with a brute force attack testing
>     passwords.
>
>     Once they have access to the router, the malware (an ELF binary) is
>     uploaded. Several threads are started. Most of them are scanning for
>     other devices within the network and outside to infect them as well.
>
>     This malware is a social network fan. It is creating fake likes, views
>     and follows at: Fotki (Yandex), Instagram (Facebook), Live (Microsoft),
>     Soundcloud, Twitter, Vine, Yahoo, Youtube (Google).
>     But once on the router it can do anything: traffic redirection, stealing
>     unencrypted session cookies and passwords, manipulating traffic, for
>     example injecting other malware into HTTP traffic, and so on...
>
>     A quick check if your router is infected:
>     Port 10073 is open.
>     On the router you find a binary named elan2.
>     A process elan2 is running.
>
>     At https://github.com/eset/malware-ioc/tree/master/moose you also find
>     a list of IP addresses. If you detect traffic on port 10073 to these
>     addresses, a device within the net might be infected.
>
>     Protection: disabling any remote access, a strong password and a login
>     name which is not one of the first tried: root, admin, administrator.
>
>     If the router is infected: hard reset the router and reinstall the
>     firmware. An update might not be enough, since the update might upgrade
>     only single binaries and not overwrite the entire memory.
>
>     Andreas
>
>
>
>     _______________________________________________
>     The Arusha Linux User Group: http://unix.or.tz
>     Linux mailing list
>     Linux at lists.habari.co.tz <mailto:Linux at lists.habari.co.tz>
>     http://lists.habari.co.tz/cgi-bin/mailman/listinfo/linux
>
>     The Arusha LUG mailing list is generously hosted by Habari Node
>     Ltd: http://www.habari.co.tz/
>
>     The above comments and data are owned by whoever posted them
>     (including attachments if any). The mailing list host is not
>     responsible for them in any way.
>
>
>
>
> -- 
> *Mr. Joseph Joachim Joseph*
> *Title:* ICT-support
> Organization: RTI-International
> Seconded: Ministry of Health and Social Welfare
> Professional: BSc in Computer Science
> Contacts: +255788442657, Skype: joseph.joseph.j

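The quick check Andreas describes (port 10073 open, a binary named elan2, a process named elan2, and traffic on port 10073 to the addresses in ESET's IoC list) can be scripted for a router that only has a busybox-style /bin/sh and no netstat or ss. The script below is an added example written for this thread; it is not code from ESET's write-up or from the mailing list. It assumes a Linux host with /proc mounted, reads /proc/net/tcp directly (IPv4 only), and uses the port, file name and process name exactly as the thread gives them. The sample connection table it carries is constructed for demonstration, not captured from an infected device; the IP list from the ESET repository is not embedded and should be compared against the CONNECT lines the script prints.

```shell
#!/bin/sh
# Linux/Moose indicator check for a small Linux host such as a router.
# Added example, not from the ESET write-up or the mailing list. It reads /proc
# directly so it works on a busybox shell without netstat/ss. Assumptions: IPv4,
# /proc/net/tcp present, /proc/<pid>/comm present (kernel 2.6.33 and later).

MOOSE_PORT_HEX="2759"   # 10073 decimal, as /proc/net/tcp prints ports (hex)

# /proc/net/tcp stores IPv4 addresses as 8 hex digits in little-endian byte
# order, e.g. 0100007F is 127.0.0.1. Convert using shell expansion only.
hex_ip_to_dotted() {
    h="$1"
    o4=${h#??????}; r=${h%??}
    o3=${r#????};   r=${r%??}
    o2=${r#??};     o1=${r%??}
    printf '%d.%d.%d.%d\n' "0x$o4" "0x$o3" "0x$o2" "0x$o1"
}

# Scan a /proc/net/tcp-style table ($1). Prints "LISTEN" when a socket listens
# on 10073 and "CONNECT <ip>" for each established connection to remote port
# 10073 (compare those IPs with the ESET IoC list). Returns 0 if anything hit.
moose_scan_tcp_table() {
    found=0
    while read -r sl laddr raddr st rest; do
        [ "$sl" = "sl" ] && continue            # header line
        lport=${laddr##*:}; rport=${raddr##*:}
        if [ "$lport" = "$MOOSE_PORT_HEX" ] && [ "$st" = "0A" ]; then  # 0A = LISTEN
            echo "LISTEN"; found=1
        fi
        if [ "$rport" = "$MOOSE_PORT_HEX" ] && [ "$st" = "01" ]; then  # 01 = ESTABLISHED
            echo "CONNECT $(hex_ip_to_dotted "${raddr%%:*}")"; found=1
        fi
    done < "$1"
    return $((1 - found))
}

# Processes: /proc/<pid>/comm holds the executable's base name.
moose_find_process() {
    found=0
    for c in /proc/[0-9]*/comm; do
        [ -r "$c" ] || continue
        if [ "$(cat "$c" 2>/dev/null)" = "elan2" ]; then
            echo "PROCESS ${c%/comm}"; found=1
        fi
    done
    return $((1 - found))
}

# Files: search the given roots (default: whole filesystem, one device) for a
# file named elan2. The thread gives no path, so no directory is assumed.
moose_find_binary() {
    [ $# -gt 0 ] || set -- /
    hits=$(find "$@" -xdev -type f -name elan2 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits" | sed 's/^/FILE /'
}

# Constructed sample in /proc/net/tcp layout (not from a real device): SSH
# listening (benign), a listener on 10073, and an established connection from
# 192.168.0.1 to 192.168.1.1:10073.
moose_sample_tcp_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 00000000:2759 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
   2: 0100A8C0:C3B2 0101A8C0:2759 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 20 4 30 10 -1
EOF
}

# Run all three checks against the live host; returns 0 if any indicator hit.
moose_check_host() {
    rc=1
    moose_scan_tcp_table /proc/net/tcp && rc=0
    moose_find_process && rc=0
    moose_find_binary / && rc=0
    return $rc
}

# Live checks run only when invoked as: sh moose_check.sh --live
case "${1:-}" in --live) moose_check_host ;; esac
```

A hit from any of the three functions is a reason to follow the thread's advice (hard reset and reinstall the firmware) rather than to delete the file: the TCP check is the cheapest to run remotely if the router exposes a shell, and a CONNECT line whose address appears in the ESET list is the strongest of the three signals.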