
Moose worm: How can enterprises stop social media fraud?

A Linux-based Moose worm causes social media fraud through infected routers. Expert Nick Lewis explains how the Moose worm works and how to avoid it.

The Linux-based Moose worm is infecting routers and other network devices to commit social media fraud, but I heard it is not necessarily exploiting a flaw with routers. How does this malware work, and what can be done to prevent and detect it?

One of computing's most critical infrastructures is the network. Without it, we might as well turn off our computers: even when we work on individual machines, they are almost always connected to some sort of network. Because of this reliance, the security and availability of networks is critical to operations. Enterprises understand the importance of networks, but consumers, consumer networking companies and the consumer networking divisions of enterprise network companies are still catching up.

The Linux-based Moose worm was documented in detail by security software vendor Eset. It targets consumer network devices and sets up a proxy service that perpetuates social media fraud. The Moose worm doesn't exploit any software vulnerabilities; instead, it relies on unchanged default passwords and enabled remote management to compromise the device. Once on a device, it performs DNS hijacking and man-in-the-middle (MitM) attacks to steal cookies. The code starts by scanning for systems listening on port 10073/TCP, then attempts to log in to each one with the default password. Once it finds a vulnerable system, it uploads its code to that system and executes it there to perform the MitM attack and to scan for further systems to infect.

Enterprises can detect and prevent the Moose worm, and the resulting social media fraud, by implementing security controls in the network itself. A vulnerability scanner can identify at-risk devices on an enterprise network, meaning those still using default credentials with remote management enabled. The enterprise can then disconnect such a device from the network until the default password is changed, or change the default password itself. Enterprises should also monitor the network for devices scanning on 10073/TCP, because that scanning is the worm's first step in looking for new hosts to infect.
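The monitoring advice above (watch for hosts scanning on 10073/TCP) can be turned into a simple detection rule over connection or flow records. The following is an added example written for this page, not code from Eset or the article's author: it parses a constructed, space-separated flow log format ("epoch src_ip dst_ip dport proto", an assumption, not any real collector's format), and flags any source address that contacts many distinct destinations on 10073/TCP inside a short sliding window, which is the fan-out pattern a worm's scanner produces. The port comes from the article; the threshold and window size are assumed tuning values.

```python
"""Flag internal hosts that fan out to many destinations on 10073/TCP.

Added example for this page (not the article's or Eset's code). Flow line
format, threshold and window are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

MOOSE_SCAN_PORT = 10073        # port the worm scans for, per the article
DISTINCT_DST_THRESHOLD = 20    # assumed tuning value: distinct targets per window
WINDOW_SECONDS = 60            # assumed tuning value: sliding window length


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow record: '<epoch> <src_ip> <dst_ip> <dport> <proto>'.

    Returns None for malformed lines so a noisy log does not abort the analysis.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return Flow(float(parts[0]), parts[1], parts[2], int(parts[3]), parts[4].lower())
    except ValueError:
        return None


def find_scanners(lines: Iterable[str], port: int = MOOSE_SCAN_PORT,
                  threshold: int = DISTINCT_DST_THRESHOLD,
                  window: float = WINDOW_SECONDS) -> Dict[str, int]:
    """Return {src: max_distinct_destinations} for every source that reached at
    least `threshold` distinct destinations on `port`/tcp within any window of
    `window` seconds. Everything that is not TCP to `port` is ignored."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.proto != "tcp" or flow.dport != port:
            continue
        events[flow.src].append((flow.ts, flow.dst))

    hits: Dict[str, int] = {}
    for src, evs in events.items():
        evs.sort()                      # order by timestamp for the sliding window
        best, lo = 0, 0
        for hi in range(len(evs)):
            # advance the window start until it is within `window` seconds of evs[hi]
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            distinct = len({dst for _, dst in evs[lo:hi + 1]})
            best = max(best, distinct)
        if best >= threshold:
            hits[src] = best
    return hits


def build_sample_log() -> List[str]:
    """Constructed sample flow records (not captured traffic)."""
    base = 1_700_000_000.0
    lines = []
    # one host sweeping 25 addresses on 10073/tcp within about 30 seconds
    for i in range(25):
        lines.append(f"{base + i * 1.2:.1f} 192.0.2.10 10.0.0.{i + 1} 10073 tcp")
    # a normal host: a couple of HTTPS flows and a single 10073 connection
    lines.append(f"{base + 5:.1f} 192.0.2.20 10.0.0.50 443 tcp")
    lines.append(f"{base + 6:.1f} 192.0.2.20 10.0.0.51 443 tcp")
    lines.append(f"{base + 7:.1f} 192.0.2.20 10.0.0.52 10073 tcp")
    lines.append("malformed record that the parser must skip")
    return lines


if __name__ == "__main__":
    for src, count in find_scanners(build_sample_log()).items():
        print(f"possible 10073/TCP scanner: {src} ({count} distinct destinations)")
```

With the constructed sample, only 192.0.2.10 is reported (25 distinct destinations in one window); the host with a single 10073/TCP connection stays below the threshold. Shrinking the window (for example to 10 seconds) drops the same sweep below 20 distinct targets per window, which is why the window and threshold need tuning against your own baseline of legitimate management traffic before alerting on them.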

Enterprises and the IT community should pressure consumer networking companies to adopt secure software development practices to help minimize the chance of social media fraud and future security issues with their devices.


This was last published in December 2015


What steps does your organization take to prevent social media fraud like the Moose worm?
Again I see it exploiting things that should not exist. I cannot believe that some people still do not change defaults on their system and/or network. You cannot blame the vendor on this one.