Moose Malware Uses Linux Routers For Social Network Fraud


Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19

Moose Malware Uses Linux Routers For Social Network Fraud

Postby Snorkasaurus » 02 Jun 2015, 18:18

From this 15-05-27 article at DarkReading.com
the article wrote:There is no peer-to-peer protocol, [Moose] uses a hardcoded IP address instead of DNS for C&C, and even though the backdoor is listening on the Internet on port 10073 to offer its proxy service, only IP addresses in a whitelist are allowed to connect. Another reason for our lack of success is the lack of security tools ecosystems (like Anti-Virus) on embedded systems. Finally, the hosting providers where the C&C are located were reluctant to cooperate, which didn't help.

This gives me the impression that the malicious traffic would be coming from a single IP address. Why she would state that and then not provide the IP address I don't know. Based on the description, simply blocking traffic to/from that IP address would defeat the malware.

S.

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Re: Moose Malware Uses Linux Routers For Social Network Frau

Postby viking60 » 02 Jun 2015, 18:59

It looks like it.
This thing is clearly made to get more likes on Facebook and social media - being popular = money these days.

It seems to need Telnet to infect too so it will only infect people with an insecure infrastructure.
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19

Re: Moose Malware Uses Linux Routers For Social Network Frau

Postby Snorkasaurus » 02 Jun 2015, 20:12

viking60 wrote:It looks like it.
This thing is clearly made to get more likes on Facebook and social media - being popular = money these days.

It is really sad that marketing has become this sleazy. Fake Facebook accounts to shill popularity, native advertising to fool consumers into believing a product is being backed by a trustworthy source, sponsored links that are intentionally hard to distinguish from actual content, service providers who track you so they can shove targeted advertising under your nose, and on and on. It is quite sad that corporations are sinking to new levels of sleaze every day, literally tricking people into buying crap, and the bulk of the population doesn't know/care.
viking60 wrote:It seems to need Telnet to infect too so it will only infect people with an insecure infrastructure.

I tried to find any information on whether pfsense might be vulnerable to Moose but didn't see anything. I am currently using an iptables/masq'ing script for a router but have been considering dd-wrt so I can use a low-power embedded device... I am pretty sure that dd-wrt forces you to change the admin password before it will even let you configure your WAN connection. Not sure if pfSense also does that.

S.

R_Head
Berserk
Posts: 2819
Joined: 17 Mar 2010, 15:40

Re: Moose Malware Uses Linux Routers For Social Network Frau

Postby R_Head » 03 Jun 2015, 16:56

I hate to sound like a Neo Amish but the root cause is social media. I am so happy that I do not participate. The only social thing for me is family and some forums and nobody knows your name.

dedanna1029
Sound-Berserk
Posts: 8780
Joined: 14 Mar 2010, 20:29

Re: Moose Malware Uses Linux Routers For Social Network Frau

Postby dedanna1029 » 13 Jul 2015, 07:02

Question, would just blocking port 10073 be of use in this? If they can't listen, then it would seem to me that it would screw their whole game?
I'd rather be a free person who fears terrorists, than be a "safe" person who fears the government.
No gods, no masters.
"A druid is by nature anarchistic, that is, submits to no one."
http://uk.druidcollege.org/faqs.html
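A defender-side script for the two points raised in the thread (the proxy backdoor listening on TCP 10073, and the telnet service Moose needs to get in): this is an added example, not code from any of the posters or from the ESET/DarkReading write-up. It assumes a Linux router with iptables; WAN_IF and C2_IP are placeholders, since the thread never gives the real C&C address, and the `ss` output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: Linux router, iptables
# present, WAN interface name and C&C address as placeholders below.
C2_IP="192.0.2.1"     # PLACEHOLDER (TEST-NET-1): substitute the published C&C IP
WAN_IF="eth0"         # assumption: WAN-facing interface

# Print (not apply) the iptables rules: drop WAN connections to the backdoor
# port and to telnet, and cut traffic to/from the C&C address in both directions.
moose_block_rules() {
    cat <<EOF
iptables -I INPUT  -i $WAN_IF -p tcp --dport 10073 -j DROP
iptables -I INPUT  -i $WAN_IF -p tcp --dport 23    -j DROP
iptables -I OUTPUT -d $C2_IP -j DROP
iptables -I INPUT  -s $C2_IP -j DROP
EOF
}

# Read 'ss -ltn' style output on stdin. Return 1 (printing the offending
# sockets) if telnet or the Moose proxy port is listening on a non-loopback
# address; return 0 if nothing suspicious is exposed.
check_exposed_ports() {
    found=0
    while read -r state recvq sendq local peer rest; do
        [ "$state" = "LISTEN" ] || continue
        port="${local##*:}"     # text after the last ':' is the port
        addr="${local%:*}"      # everything before it is the address
        case "$port" in
            23|10073) ;;        # only these two ports are of interest here
            *) continue ;;
        esac
        case "$addr" in
            127.*|"[::1]"|::1) continue ;;   # loopback only: not exposed
        esac
        echo "exposed: $local"
        found=1
    done
    return "$found"
}

# Constructed sample output (not captured from a real router): the Moose
# proxy port is open on all interfaces, telnet only on loopback.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:10073       0.0.0.0:*
LISTEN 0      5      127.0.0.1:23        0.0.0.0:*'

# Constructed clean sample: only SSH listening.
SAMPLE_CLEAN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
```

On a live box run `ss -ltn | check_exposed_ports`; the printed iptables lines are meant to be reviewed before being applied, and blocking 10073 on the WAN only removes the proxy's reachability, it does not disinfect the device.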

dedanna1029
Sound-Berserk
Posts: 8780
Joined: 14 Mar 2010, 20:29

Re: Moose Malware Uses Linux Routers For Social Network Frau

Postby dedanna1029 » 14 Jul 2015, 07:33

Snorkasaurus wrote:I tried to find any information on whether pfsense might be vulnerable to Moose but didn't see anything. I am currently using an iptables/masq'ing script for a router but have been considering dd-wrt so I can use a low-power embedded device... I am pretty sure that dd-wrt forces you to change the admin password before it will even let you configure your WAN connection. Not sure if pfSense also does that.

*nods.
Lookie here.
