Linux/Moose overview
A new worm, which is capable of spreading past firewalls, is now targeting routers and modems to boost visibility of profiles on various social networking sites including Twitter, Facebook, YouTube, Instagram, Vine and SoundCloud, researchers said.
Olivier Bilodeau and Thomas Dupuy, security researchers at ESET, an IT security company based in Bratislava, Slovakia, said in a technical paper issued on 26 May that the new threat, called Linux/Moose, targets consumer routers and modems, including the hardware provided by Internet Service Providers (ISPs) to consumers.
The researchers said that the new malware is infecting Linux-based routers and other Linux-based devices to commit social networking fraud in order to ‘like’ posts and pages, ‘view’ videos and ‘follow’ other accounts.
“During our analysis we often asked ourselves, “Why so much effort in order to interact with social networks?” Then we realized that there is a market for follows, likes, views and whatnot. It is pretty clear that this is what is going on here,” the researchers wrote in the paper.
“First, there are attempts at stealing cookies from these sites. However, the cookies cannot be stolen if the traffic is HTTPS and now most of these sites are HTTPS-only, so it’s unclear how effective these attacks are in this respect. Second, attempting to commit fraud upon these sites needs a reputable and disposable IP address,” the researchers added.
“If someone tries to register 2000 twitter accounts from his own IP address this will likely draw attention. To a social network site operator, there is probably nothing more reputable than an IP address behind a well-known ISP. Just the type of network where you can expect to find badly configured consumer routers,” said the researchers.
They said that the malware operators' goal is to increase the number of followers, views and likes on the social media websites they target.
According to the researchers, Moose does not exploit any vulnerability to compromise a device. Instead, like other threats targeting routers, it gains access by trying weak or default login credentials. Then it starts scanning for other devices to infect, either on the network or on the Internet.
Moreover, it looks for other nefarious processes and terminates their activity on the device in order to protect those devices.
The technical paper revealed that the routers are used to drive traffic to certain social network profiles. An infected device would send more than 500 requests in a day.
The researchers observed one Instagram account that maintained zero-follower numbers, but whose number of followers increased from three to 40 in one day.
While checking the followers, the researchers found an account with a large number of fans (3,430). Within a week, the number of followers increased to 11,672.
They also observed that devices from Actiontec, Hikvision, Netgear, Synology, TP-Link, ZyXEL and Zhone were affected by Moose.