[ALUG] And another malware attacking routers: Dissecting Linux/Moose

Andreas Tauscher ta at geuka.net
Wed May 27 17:11:24 EAT 2015


This one attacks ARM- or MIPS-based routers running Linux:
Dissecting Linux/Moose
http://www.welivesecurity.com/2015/05/26/dissecting-linuxmoose/

Access to the router is gained with a brute-force attack testing passwords.

Once they have access to the router, the malware (an ELF binary) is uploaded.
Several threads are started. Most of them scan for other devices
within the network and outside of it to infect them as well.

This malware is a social network fan. It creates fake likes, views
and follows at: Fotki (Yandex), Instagram (Facebook), Live (Microsoft),
Soundcloud, Twitter, Vine, Yahoo, Youtube (Google).
But once on the router it can do anything: redirect traffic, steal
unencrypted session cookies and passwords, manipulate traffic, for
example by injecting other malware into HTTP traffic, and so on.

A quick check whether your router is infected:
Port 10073 is open.
On the router you find a binary named elan2.
A process elan2 is running.

At https://github.com/eset/malware-ioc/tree/master/moose you also find a
list of IP addresses. If you detect traffic on port 10073 to these
addresses, a device within the net might be infected.

Protection: disable any remote access, use a strong password and a login
name that is not one of the first ones tried: root, admin, administrator.

If the router is infected: hard reset the router and reinstall the
firmware. An update might not be enough, since an update might upgrade
only single binaries without overwriting the entire memory.

Andreas
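The quick check from the post, written out as a script. This is an added example, not code from the post, from ESET or from the IOC repository: it looks for a listener on TCP 10073, a process or binary named elan2, and established connections on port 10073 to the C&C addresses from ESET's list. The C&C addresses in the block are RFC 5737 documentation placeholders and must be replaced with the real ones from the ESET repository; the directories searched for the binary are an assumption, since the post does not say where elan2 is written. It reads /proc/net/tcp and /proc/*/comm directly (busybox routers usually lack netstat -p) and can also parse busybox ps output copied from the router.

```python
"""Linux/Moose indicator check (added example, not from the post or ESET)."""
import ipaddress
import os
import sys

MOOSE_PORT = 10073
MOOSE_PROCESS = "elan2"
TCP_LISTEN = "0A"  # socket state code used in /proc/net/tcp

# PLACEHOLDERS (RFC 5737 documentation addresses, not real Moose C&C):
# replace with https://github.com/eset/malware-ioc/tree/master/moose
MOOSE_C2 = {"198.51.100.10", "198.51.100.11"}

# Assumption: where the dropped binary is likely to land on a small router.
SEARCH_ROOTS = ("/tmp", "/var", "/bin", "/sbin", "/usr/bin", "/usr/sbin")


def parse_proc_net_tcp_addr(field, byteorder=sys.byteorder):
    """Decode an 'AABBCCDD:PPPP' field from /proc/net/tcp.

    The kernel prints the IPv4 address as a native-endian 32-bit word:
    127.0.0.1 is '0100007F' on little-endian ARM/MIPS but '7F000001' on the
    big-endian MIPS builds common in routers. Pass the router's byte order
    explicitly when the file was copied to another machine for analysis."""
    addr_hex, port_hex = field.split(":")
    raw = int(addr_hex, 16).to_bytes(4, byteorder)
    return str(ipaddress.IPv4Address(raw)), int(port_hex, 16)


def scan_proc_net_tcp(lines, c2_addrs=MOOSE_C2, byteorder=sys.byteorder):
    """Return findings for Moose-related sockets in /proc/net/tcp content."""
    findings = []
    for line in lines[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 4:
            continue
        local_ip, local_port = parse_proc_net_tcp_addr(parts[1], byteorder)
        remote_ip, remote_port = parse_proc_net_tcp_addr(parts[2], byteorder)
        state = parts[3]
        if state == TCP_LISTEN and local_port == MOOSE_PORT:
            findings.append(f"listener on tcp/{MOOSE_PORT} bound to {local_ip}")
        elif remote_port == MOOSE_PORT and remote_ip in c2_addrs:
            findings.append(f"connection to known Moose C&C {remote_ip}:{MOOSE_PORT}")
    return findings


def scan_ps(lines, name=MOOSE_PROCESS):
    """Parse busybox `ps` output (PID USER VSZ STAT COMMAND) for the process."""
    findings = []
    for line in lines[1:]:
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, command = parts[0], parts[4]
        if os.path.basename(command.split()[0]) == name:
            findings.append(f"process '{command}' (pid {pid}) running")
    return findings


def check_live_host():
    """Run all three checks on the machine this script executes on."""
    findings = []
    with open("/proc/net/tcp") as fh:
        findings += scan_proc_net_tcp(fh.read().splitlines())
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                if fh.read().strip() == MOOSE_PROCESS:
                    findings.append(f"process {MOOSE_PROCESS} running as pid {pid}")
        except OSError:  # process exited between listdir and open
            pass
    for root in SEARCH_ROOTS:
        for dirpath, _, files in os.walk(root):
            if MOOSE_PROCESS in files:
                findings.append(f"binary found at {os.path.join(dirpath, MOOSE_PROCESS)}")
    return findings


# Constructed sample input from a little-endian host: a listener on 10073, an
# established connection to a placeholder C&C on 10073, and an unrelated SSH
# session that must not be flagged.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:2759 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 0201A8C0:E1C4 0A6433C6:2759 01 00000000:00000000 00:00000000 00000000     0        0 1235 1 0 100 0 0 10 0
   2: 0201A8C0:0016 6401A8C0:C8F2 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 0 100 0 0 10 0
"""
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 root      1400 S    init
  812 root      2212 S    /tmp/elan2
  830 root      1380 R    ps
"""

if __name__ == "__main__":
    if "--sample" in sys.argv:
        results = (scan_proc_net_tcp(SAMPLE_PROC_NET_TCP.splitlines(), byteorder="little")
                   + scan_ps(SAMPLE_PS.splitlines()))
    else:
        results = check_live_host()
    for finding in results or ["no Linux/Moose indicators found"]:
        print(finding)
```

Run it with --sample to see the three constructed findings, or copy it onto the router (or copy /proc/net/tcp and the ps output off the router and feed them to the two scan functions with the right byte order). An open port 10073 with no elan2 process is still worth a look: the post's checks are indicators, and a clean result from a script running on a compromised device is only as trustworthy as the device itself, which is why the post's advice is a hard reset and firmware reinstall rather than a cleanup.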

