Malware could be used for DDoS and DNS hijacking

May 26, 2015 17:10 GMT  ·  By

A piece of malware capable of spreading past firewalls is currently targeting weakly configured routers and modems to boost visibility of profiles on various social networks including Twitter, Facebook, YouTube, Instagram, Vine and SoundCloud.

Security researchers at ESET, who ran an in-depth analysis of its features and behavior, dubbed it Moose. They determined that the malware affects any Linux-based embedded device running on MIPS and ARM architectures, which means that other gadgets fitting the specs may be impacted.

Moose preys on weakly protected routers

The purpose of the malware operators appears to be increasing the number of followers, views and likes on social media websites it targets, although its damage potential can extend to man-in-the-middle attacks via DNS hijacking, or distributed denial-of-service (DDoS) operations.

Unlike other threats targeting routers, Moose does not exploit any vulnerability to compromise devices; instead, it gains access by trying weak or default login credentials. Once inside, it starts scanning for other devices to infect, either on the local network or on the Internet.

According to the researchers, Moose protects the devices it infects from competing malware by periodically searching for other malicious processes and terminating them.

ESET’s analysis revealed that the routers are used to drive traffic to certain social network profiles. In one day, a compromised device would send more than 500 requests, on average.
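A defender-side heuristic for the two behaviours described above (heavy daily traffic to the social networks named in the report, plus contact with many distinct hosts while scanning for new victims), added here as an example that is not from ESET's paper or from this article; the log format, the domain list, the telnet port and the scanning threshold are assumptions.

```python
from collections import defaultdict

# Social networks named in the ESET report; the domain list is an assumption for this demo.
SOCIAL_DOMAINS = ("twitter.com", "facebook.com", "youtube.com",
                  "instagram.com", "vine.co", "soundcloud.com")
SOCIAL_REQUESTS_PER_DAY = 500   # ESET's observed per-device daily average
DISTINCT_TARGETS_PER_DAY = 50   # assumed threshold for "scanning" behaviour

def parse_line(line):
    """Parse '<YYYY-MM-DD>T<time> <src_ip> <dst_host>:<dst_port>' (constructed log format)."""
    ts, src, dst = line.split()
    host, _, port = dst.rpartition(":")
    return ts[:10], src, host, int(port)

def is_social(host):
    return any(host == d or host.endswith("." + d) for d in SOCIAL_DOMAINS)

def flag_moose_like(lines):
    """Return {(src_ip, day): [reasons]} for hosts behaving like a Moose-infected router."""
    social = defaultdict(int)      # social-network requests per source per day
    targets = defaultdict(set)     # distinct destinations per source per day
    for line in lines:
        day, src, host, _port = parse_line(line)
        key = (src, day)
        if is_social(host):
            social[key] += 1
        targets[key].add(host)
    findings = {}
    for key in set(social) | set(targets):
        reasons = []
        if social[key] > SOCIAL_REQUESTS_PER_DAY:
            reasons.append(f"{social[key]} social-network requests")
        if len(targets[key]) > DISTINCT_TARGETS_PER_DAY:
            reasons.append(f"{len(targets[key])} distinct destinations")
        if reasons:
            findings[key] = reasons
    return findings

def constructed_sample():
    """Constructed log: one infected router (10.0.0.1) and one ordinary client (10.0.0.5)."""
    lines = []
    for i in range(600):   # bogus profile traffic, above the 500/day average
        d = SOCIAL_DOMAINS[i % len(SOCIAL_DOMAINS)]
        lines.append(f"2015-05-26T00:{i // 60:02d}:{i % 60:02d} 10.0.0.1 www.{d}:443")
    for i in range(80):    # probing many other devices (telnet port is an assumption)
        lines.append(f"2015-05-26T12:00:{i % 60:02d} 10.0.0.1 203.0.113.{i + 1}:23")
    for i in range(20):    # a person browsing normally
        lines.append(f"2015-05-26T18:00:{i:02d} 10.0.0.5 www.facebook.com:443")
    return lines

if __name__ == "__main__":
    for (src, day), reasons in sorted(flag_moose_like(constructed_sample()).items()):
        print(f"{day} {src}: {'; '.join(reasons)}")
```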

Social network profiles pop up with inflated numbers of followers

The purpose was to inflate the followership of certain accounts via bogus profiles. One of the bogus accounts observed on Instagram kept its own follower count at zero but increased the number of accounts it followed from three to almost 40 in about a day.

Upon checking who it was following, the researchers found an account with a surprisingly large number of fans (3,430), considering that it had only seven posts and followed only seven other Instagram users. Within a week, it had 11,672 followers.

Purchasing followers is not an uncommon practice, and many services offering increased followership also promise a certain number of followers within a specified period.

During the assessment, it was observed that devices from Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL and Zhone were affected by Moose.

“Considering the rudimentary techniques used by Moose in order to gain access to other devices, it is unfortunate that the security of embedded devices isn’t taken more seriously by vendors,” conclude ESET researchers Olivier Bilodeau and Thomas Dupuy in the detailed technical paper on Moose published on Tuesday.

Photo Gallery (2 Images): 1. Moose activity after infecting a device; 2. Within a week, a Moose-enabled Instagram profile grows its followership by over 8,000