Moose worm: How can enterprises stop social media fraud?
A Linux-based Moose worm causes social media fraud through infected routers. Expert Nick Lewis explains how the Moose worm works and how to avoid it.
The Linux-based Moose worm is infecting routers and other network devices to commit social media fraud, but I heard it is not necessarily exploiting a flaw with routers. How does this malware work, and what can be done to prevent and detect it?
One of computing's most critical infrastructures is the network. Without it, we might as well turn off our computers. Even when we work on individual computers, we rarely use one that is not connected to some sort of network. Because of our reliance on them, the security and availability of networks are critical to operations. Enterprises understand the importance of networks, but consumers, consumer networking companies and the consumer networking divisions of enterprise network companies are still catching up.
The Linux-based Moose worm was documented in detail by security software vendor ESET. It targets consumer network devices to set up a proxy service that perpetuates social media fraud. The Moose worm doesn't exploit any software vulnerabilities; instead, it relies on unchanged default passwords and enabled remote management to compromise the device. The attack is performed using DNS hijacking and man-in-the-middle (MitM) attacks to steal cookies. The code starts by scanning for systems listening on port 10073/TCP, then attempts to log in to each one with the default password. Once it finds a vulnerable system, it uploads its code to the remote system and executes it, both to perform the MitM attack and to scan for other systems to infect.
Enterprises can detect and prevent the Moose worm, and the resulting social media fraud, by implementing security controls in the network itself. A vulnerability scanner could be used to identify potentially at-risk devices on an enterprise network. The enterprise could then disconnect each such device from the network until its default password is changed, or change the default password itself. Enterprises could also monitor the network for devices scanning for 10073/TCP, since that fan-out behavior is how an infected device looks for its next victim.
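As an added illustration (not part of the original column or of ESET's analysis), the following Python script shows the last of these checks: it reads firewall or flow log lines and flags any internal host that has tried to reach many distinct destinations on 10073/TCP, which is the scanning pattern described above. The log format (timestamp, source, destination, destination port, protocol) and the five-target threshold are assumptions chosen for the example; the sample lines are constructed, not captured data.

```python
"""Flag hosts that appear to be scanning the network for TCP/10073.

Added example for the Moose worm column. The log format and the
fan-out threshold below are assumptions, not a real product's format.
"""
from collections import defaultdict

# Port the column says Moose scans for (as stated on the page).
MOOSE_PORT = 10073

# Assumed tuning value: distinct targets on the port before we call it a scan.
FANOUT_THRESHOLD = 5

# Constructed sample log lines: "<timestamp> <src> <dst> <dport> <proto>".
# 10.0.5.23 fans out to six hosts on 10073/TCP (scanner-like);
# 10.0.5.40 touches one host on 10073/TCP (not enough to flag);
# 10.0.5.9 fans out on 443/TCP (different port, ignored);
# 10.0.5.50 uses UDP (ignored); one malformed line is skipped.
SAMPLE_LOGS = """\
2015-06-01T10:00:01 10.0.5.23 10.0.5.1 10073 tcp
2015-06-01T10:00:01 10.0.5.23 10.0.5.2 10073 tcp
2015-06-01T10:00:02 10.0.5.23 10.0.5.3 10073 tcp
2015-06-01T10:00:02 10.0.5.23 10.0.5.4 10073 tcp
2015-06-01T10:00:03 10.0.5.23 10.0.5.5 10073 tcp
2015-06-01T10:00:03 10.0.5.23 10.0.5.6 10073 tcp
2015-06-01T10:00:03 10.0.5.23 10.0.5.6 10073 tcp
2015-06-01T10:00:04 10.0.5.40 10.0.5.1 10073 tcp
2015-06-01T10:00:05 10.0.5.9 10.0.5.1 443 tcp
2015-06-01T10:00:05 10.0.5.9 10.0.5.2 443 tcp
2015-06-01T10:00:05 10.0.5.9 10.0.5.3 443 tcp
2015-06-01T10:00:05 10.0.5.9 10.0.5.4 443 tcp
2015-06-01T10:00:05 10.0.5.9 10.0.5.5 443 tcp
2015-06-01T10:00:05 10.0.5.9 10.0.5.6 443 tcp
2015-06-01T10:00:06 10.0.5.50 10.0.5.7 10073 udp
this line is malformed and should be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        dport = int(dport)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "proto": proto.lower()}


def find_scanners(log_text, port=MOOSE_PORT, threshold=FANOUT_THRESHOLD):
    """Return {source: sorted distinct targets} for sources that reached at
    least `threshold` distinct destinations on TCP `port`.

    Counting distinct destinations rather than raw connection attempts keeps a
    single chatty client from being mistaken for a scanner.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != port:
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOGS).items():
        print(f"{src} reached {len(dsts)} distinct hosts on {MOOSE_PORT}/TCP: {', '.join(dsts)}")
```

A hit from this check is a reason to pull the device off the network and verify its credentials and remote-management settings, as the column recommends; the same logic could also be pointed at the device's own outbound traffic, since an infected router both scans and proxies.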
Enterprises and the IT community should pressure consumer networking companies to adopt secure software development practices to help minimize the chance of social media fraud and future security issues with their devices.