The Linux-based Moose worm is infecting routers and other network devices to commit social media fraud, but I heard...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
it is not necessarily exploiting a flaw with routers. How does this malware work, and what can be done to prevent and detect it?
One of computing's most critical infrastructures is the network. Without it, we might as well turn off our computers. Despite using individual computers, we rarely use a computer not connected to some sort of network. Because of our reliance on them, the security and availability of networks is critical to operations. Enterprises understand the importance of networks, but consumers, consumer networking companies and consumer networking divisions of enterprise network companies are still catching up.
The Linux-based Moose worm was documented in detail by security software vendor Eset. It targets consumer network devices to set up a proxy service that perpetuates social media fraud. The Moose worm doesn't exploit any vulnerabilities, but it uses unchanged default passwords and enabled remote management to compromise the device. The attack is performed using DNS hijacking and man-in-the-middle attacks (MitM) to steal cookies. The code starts by scanning for systems listening on port 10073/TCP and then scanning and logging in with the default password. Once it finds a vulnerable system, it uploads the code to the remote system and then executes it to perform the MitM attack and scan for other systems to infect.
Enterprises can detect and prevent the Moose worm, and the resulting social media fraud, by implementing security controls in the network itself. A vulnerability scanner could be used to identify potential at-risk devices on an enterprise network. The enterprise could then disconnect the device from the network until the default password is changed, or it could change the default password. Enterprises could also monitor the network for devices scanning on 10073/TCP.
Enterprises and the IT community should pressure consumer networking companies to adopt secure software development practices to help minimize the chance of social media fraud and future security issues with their devices.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Learn three ways to prevent and mitigate router security issues
Find out how to defend against brute-force router attacks
Check out these tips to secure a wireless router and ensure remote admin security
Dig Deeper on Network device security: Appliances, firewalls and switches
Related Q&A from Nick Lewis
The OurMine hacking group recently used DNS poisoning to attack WikiLeaks and take over its web address. Learn how this attack was performed from ...continue reading
Typosquatting was used by threat actors to spread malware in the NPM registry. Learn from expert Nick Lewis how this method was used and what it ...continue reading
Threat actors are using phishing email campaigns to fool users with tech support scams and fake Blue Screens of Death. Learn how these campaigns work...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.