Linux/Moose Worm Targets Routers, Modems, and Embedded Systems

← Back to Stories (view on slashdot.org)

Linux/Moose Worm Targets Routers, Modems, and Embedded Systems

Posted by Soulskill on Tuesday May 26, 2015 @06:54AM from the moose-is-the-penguin's-natural-enemy dept.

An anonymous reader writes: Security firm ESET has published a report on new malware that targets Linux-based communication devices (modems, routers, and other internet-connected systems) to create a giant proxy network for manipulating social media. It's also capable of hijacking DNS settings. The people controlling the system use it for selling "follows," "likes," and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+. Affected router manufacturers include: Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL, and Zhone. The researchers found that even some medical devices were vulnerable to the worm, though it wasn't designed specifically to work with them.

56 of 110 comments (clear)

Min score:

Reason:

Sort:

Finally, a use for facebook. by BarbaraHudson · 2015-05-26 06:57 · Score: 5, Funny

The people controlling the system use it for selling "follows," "likes," and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+.
I like it :-)

--
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
1. Re:Finally, a use for facebook. by BarbaraHudson · 2015-05-26 10:06 · Score: 1
  
  That makes one more use for it than we can find for you.
  That's great because I really don't want to be "used" by you. :-)
  
  --
  "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
2. Re:Finally, a use for facebook. by aynoknman · 2015-05-26 11:27 · Score: 2
  
  The people controlling the system use it for selling "follows," "likes," and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+.
  I like it :-)
  I don't quite follow you
  
  --
  We need a "+1 -- nice sig" moderation.
No worries mate by Anonymous Coward · 2015-05-26 06:58 · Score: 5, Informative

The Moose worm does not rely upon any underlying vulnerability in the routers – it is simply taking advantage of devices that have been weakly configured with poorly chosen login credentials.
1. Re:No worries mate by chipschap · 2015-05-26 07:43 · Score: 1, Troll
  
  Which raises the question, why is this even news? Is it more Linux/open-source bashing by the commercial OS crowd? It doesn't even make sense. Turn on remote admin and leave a default password in place, and it's the fault of Linux when you get hacked?
2. Re:No worries mate by cusco · 2015-05-26 08:05 · Score: 4, Informative
  
  The simple fact that you can leave the device with a default password encompasses several levels of stupidity. 1) Programmers who do not require password to be changed, 2) Manufacturers who will install that firmware, 3) Customers who leave it that way. Level 3 shouldn't even be possible except for stupidity and laziness in Level 1 and 2.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
3. Re:No worries mate by fuzzyfuzzyfungus · 2015-05-26 08:16 · Score: 3, Interesting
  
  It's news not because of OS(I don't know if they bothered; but exploits at the 'just use the default password against the external telnet interface' level would work against basically any OS, and the only real obstacle to executing a payload with the functions described would be that some of the really nasty VXworks-based devices are so RAM-starved that they can barely do their job, much less run malware at the same time); but because the security of nearly all 'consumer', and a disturbing number of more expensive, embedded devices is still utter shit.
  
  It is bad enough that such plastic-box devices typically are shipping software well behind the curve(2.6X kernels, http servers with vulnerabilities that were closed upstream months before the device in question was released, that sort of thing); but 'default configuration leaves telnet listening on the WAN port, with weak credentials for root login' goes well beyond 'bug' and right into 'We Just Don't Care' territory. Even better, the same damn story has been true for at least the past decade, probably longer(though its importance has increased as the cost has fallen and number of little embedded boxes lurking around has skyrocketed).
  
  At least on the desktop and server, some of the worst insecure-by-default atrocities have been ironed out, so attackers are now moderately likely to need to use vaguely clever vulnerabilities(even if they can often get away with ones that were patched months ago) or social engineering; but embedded crap hasn't even reached that level of security.
  
  The fact that telnet is even there(outside of 'recovery' scenarios, where the emergency nature of the situation and availability of only the most limited resources make super-simple protocols like telnet and TFTP valuable) when OpenSSH has been available for the last 15 years, and less liberally licensed versions a bit longer, is disgusting in itself. Having it on the WAN, much less by default, is just depraved.
4. Re:No worries mate by keneng · 2015-05-26 10:07 · Score: 2
  
  GENERAL RULE OF THUMB: NEVER ALLOW REMOTE ACCESS TO THE ROUTERS.
  ONLY PHYSICAL ACCESS DIRECTLY IS THE BETTER APPROACH. In Canada, when you use a vdsl2 modem, it usually needs to be a BELL provided modem. The default password is something BELL provides to you to connect to their network. The wifi access/router access password can be changed yes.
  Where problems arise that I have noticed recently are local wifi-hackers ddos'ing not only BELL vdsl2 modem wifi access points, but also if you have a bridged modem after that providing other wifi access points, then those wifi-hackers will ddos those also. I goes without saying, there is more than ddos'ing happening here. I wasn't really curious enough to sniff the actual traffic, but once I turned off both the bell wifi access point and the bridged modem's wifi access point, problems went away and the bandwidth and expected responsive connection behaviour was back to normal. If you really need wifi, turn it on for the limited time that you need it rather than all the time. That will minimize the attack surface.
  Sure there are parameters for defending against ddos, separate vlans per user, etc, BUT firewalls on each computer on the lan is what really matters the most.
  ADOBE FLASH is the biggest virus injector of them all. I'm happy Youtube doesn't use it anymore. I hope the other web sites get rid of ADOBE FLASH also.
  There is no reason not to use open-source streaming servers like flumotion and encoders like ffmpeg/theora. daala video is coming soon I hope.
5. Re: No worries mate by Anonymous Coward · 2015-05-26 10:19 · Score: 1
  
  Or programmers who leave hard coded, unremovable credentials in embedded systems?
6. Re:No worries mate by Grishnakh · 2015-05-26 10:53 · Score: 1
  
  1) Programmers who do not require password to be changed,
  Hey, don't blame the programmers. Most likely, someone did suggest requiring the password to be changed, and management said no for some dumb reason.
So basically . . . by Anonymous Coward · 2015-05-26 07:03 · Score: 4, Funny

. . . turn on remote administration and leave the default username/password and you get m00sed? Cool.
A Møøse once bit my sister... No realli! She was Karving her initials on the møøse with the sharpened end of an interspace tøøthbrush given her by Svenge - her brother-in-law - an Oslo dentist and star of many Norwegian møvies: "The Høt Hands of an Oslo Dentist", "Fillings of Passion", "The Huge Mølars of Horst Nordfink"...
1. Re:So basically . . . by mark_reh · 2015-05-26 07:29 · Score: 2
  
  As a dentist I find your post quite amusing...
2. Re:So basically . . . by unrtst · 2015-05-26 09:23 · Score: 1
  
  As a dentist, you don't spend much time at the movies or watching TV.
  YMMV, but my dentist has netflix on a big screen in a comfortable place to watch while someone picks around inside your mouth.
3. Re:So basically . . . by mark_reh · 2015-05-27 12:43 · Score: 1
  
  No, I don't have much time for either. I'm too busy saving the world, one tooth at a time.
  Was that Monty Python?
Requires... by Anonymous Coward · 2015-05-26 07:04 · Score: 2, Interesting

Remote management login+password. Telnet connection.
Neither of which is enabled on our TP-Link router.
1. Re:Requires... by bobbied · 2015-05-26 07:15 · Score: 4, Interesting
  
  Remote management login+password. Telnet connection.
  Neither of which is enabled on our TP-Link router.
  As far as you know.... Unfortunately there are some (dare we say MOST) people out there which don't know enough to turn off such nonsense, not to mention ISP's (like Verizon) who actually open ports unbeknownst to the end user so they can remotely manage your router when you call them with a technical support issue...
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
2. Re:Requires... by Anonymous Coward · 2015-05-26 07:40 · Score: 1
  
  Hint: unplug it from the cable/dsl network.
  Mine is a black box until I unplug it from the network. It then comes up with a 192.168 address and I can hit it with a web browser. The logs provided all the info I need and I had access to reset the admin password as well as re-flash the device.
  I was surprised that after setting a secure admin password the cable company could just bypass it once it was back on there network.
  BTW: I bought and paid for the cable modem. It belongs to me and as such I should have full rights to the unit.
3. Re:Requires... by Anonymous Coward · 2015-05-26 07:56 · Score: 1
  
  >BTW: I bought and paid for the cable modem. It belongs to me and as such I should have full rights to the unit.
  
  Only until you connect it to someone else's network.
4. Re:Requires... by Em+Adespoton · 2015-05-26 08:04 · Score: 2
  
  I was surprised that after setting a secure admin password the cable company could just bypass it once it was back on there network.
  That's because you've changed the admin password only. Above the admin password is a support password that has more privileges, and then the root password that rules them all. Your ISP holds these other two accounts that aren't visible from the Admin settings.
5. Re:Requires... by Anonymous Coward · 2015-05-26 08:22 · Score: 1
  
  My Motorola Surfboard works similar.
  After booting up it will try to download and verify the signature on its config file from the ISP. If it works, it bridges ISP traffic and DHCP packet(s) go to and are answered by them.
  If it can't get link on the docsis side, or can't download that config, or can't verify the signature on it, then it puts 192.168.100.1 on its LAN interface and runs a DHCP and web server.
  One nice trick to use:
  Boot the modem disconnected from the cable then connect a PCish device. On the PC note the gateway IP (the IP of the modem) and get the modems MAC
  (ping the modem IP and use the command: arp -a )
  Then when set back up with a router, set a static route to the cable modems 192.168 IP block on the WAN interface.
  You should be able to go to it from your PCs web browser through your routers NAT.
  Status, logs, and rebooting from the other floor!
6. Re:Requires... by fuzzyfuzzyfungus · 2015-05-26 08:24 · Score: 1
  
  It doesn't help that more than a few router firmwares, whether out of malice or incompetence, simply ignore configuration changes made through their configuration interface. The checkbox may even be there, and may even stay checked or unchecked correctly across reboots; but the actual status of the device just doesn't change.
  
  I had to retire a POS Netgear unit(WNDR3400, in case anyone cares); because it simply ignored the 'Enable Wireless Protected Setup' option. I chose 'hell no'; because WPS is known faulty; it merrily continued offering WPS. Various other models, from more or less all the major home brands, have had instances of this with assorted potentially dangerous features(remote admin ports, uPNP, WPS, default credentials that can't be changed, etc.). Sometimes there simply isn't anything in the UI for controlling a given feature, sometimes the settings are ignored.
  
  Unless the device is supported by a good 3rd party firmware, or you exploit the vulnerability to go in yourself and do some surgery, even 'doing the right thing' can sometimes be purely ceremonial.
7. Re:Requires... by eedwardsjr · 2015-05-26 08:26 · Score: 1
  
  Try browsing to 192.168.100.1
8. Re:Requires... by fuzzyfuzzyfungus · 2015-05-26 08:39 · Score: 2
  
  Cable modems are a bit of a special case, and not in a good way. By design, they do what is called "DOCSIS Provisioning". As you might imagine, given that the 'Data over Cable Service Interface Specification' is produced by CableLabs, an industry R&D and standards organization operated by cable companies; the process is designed for the convenience of the service provider, not for the user.
  
  Most cable modems do have some sort of web interface, config settings to fiddle with, etc.; but when you connect one to a cable network, after performing the low-level analog black magic required to get a working digital channel up, the modem makes a DHCP request, which the operator CMTS responds to with an IP and a TFTP server address from which the modem downloads a configuration file. The modem then applies that config file, ignoring any manual configuration made, and operates accordingly.
  
  If you fancy a look at the gory details, Here are some links; and there is a software package for playing with being the party doing the provisioning. Punchline is, though, that a successful cable modem connection more or less implies that the cable modem will be operating according to the provider's configuration for the duration of the connection. Depending on whether or not your ISP is a dick about it, you may or may not lose access to http status pages, SNMP, and any other features the modem possesses; but that's all their call. A disconnected cable modem isn't much use; but it will generally show you whatever its firmware has to offer.
9. Re:Requires... by bobbied · 2015-05-26 09:42 · Score: 1
  
  I believe that your router IS supported by OpenWRT depending on the hardware version you have. I highly recommend OpenWRT. It's a bit more difficult to set up than most commercial offerings, but it's flexible and safe.
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
10. Re:Requires... by fuzzyfuzzyfungus · 2015-05-26 09:58 · Score: 1
  
  I'll have to check again. It wasn't when I pulled it; but that may have changed, and it is still in my reserve drawer.
11. Re:Requires... by Em+Adespoton · 2015-05-26 11:28 · Score: 1
  
  Don't forget the ex-employees too... including the ones that were fired with cause.
Not news... Use better passwords. by NotARealUser · 2015-05-26 07:06 · Score: 5, Interesting

This is not a story, and not really a Linux problem. The worm relies on weak passwords to execute code. This is about as newsworthy as telling me that car thieves found a way to exploit Fords that have the keys left in them.
1. Re:Not news... Use better passwords. by gstoddart · 2015-05-26 07:07 · Score: 4, Insightful
  
  Oh, I don't know ... the steaming shitpile which is the state of security on consumer electronics bears repeating.
  Because apparently it isn't going to go away any time soon.
  
  --
  Lost at C:>. Found at C.
2. Re:Not news... Use better passwords. by Anonymous Coward · 2015-05-26 07:31 · Score: 1
  
  Hopefully as people become more aware of such basic weaknesses, vendors will be under pressure to stop shipping devices with default credentials built-in, naively expecting grandma's and grandpa's to actually change them.
3. Re:Not news... Use better passwords. by countSudoku() · 2015-05-26 07:42 · Score: 3, Funny
  
  Okay, here you go:
  I routinely "break into" fellow admin's Windows systems when they leave without locking their screen! Fucking Windows!
  
  --
  This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
4. Re:Not news... Use better passwords. by cusco · 2015-05-26 08:10 · Score: 1
  
  It's not a Linux problem as such, but it is an OS programmer problem because they **allow** default passwords to survive first use without requiring that they be changed.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
5. Re:Not news... Use better passwords. by nickweller · 2015-05-26 08:26 · Score: 1
  
  @NotARealUser: "This is not a story, and not really a Linux problem. The worm relies on weak passwords to execute code. This is about as newsworthy as telling me that car thieves found a way to exploit Fords that have the keys left in them."
  
  NO, NO, NO, if it was FORD then it would be referred to as ' cars ' with keys in them get hacked :)
  
  Especially if FORD were spending a lot of advertising money with the parent publisher :)
6. Re:Not news... Use better passwords. by clovis · 2015-05-26 08:27 · Score: 1
  
  This is not a story, and not really a Linux problem. The worm relies on weak passwords to execute code. This is about as newsworthy as telling me that car thieves found a way to exploit Fords that have the keys left in them.
  This is more like "dealerships hide a spare key under every car, but they don't tell the owner".
7. Re:Not news... Use better passwords. by fuzzyfuzzyfungus · 2015-05-26 08:43 · Score: 1
  
  The fact that there are telnet services listening on WAN ports 15 years after OpenSSH became available makes me suspect that nothing short of a vigorous scourging with nuclear fire could solve the utterly lax approach to even rudimentary security in consumer electronics.
  
  Well, that and DRM. Tell 'em that the pirates will steal their precious 'premium content' and suddenly they get real interested in security, albeit more in the 'building prisons' than 'building fortresses' sense of the word.
8. Re:Not news... Use better passwords. by cusco · 2015-05-26 09:36 · Score: 2
  
  Something tells me that you're too dumb to know how to create a user account, AC. There are plenty of devices that require you to change the password the first time you log into them, there is absolutely no reason NOT to do that except for laziness.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
9. Re:Not news... Use better passwords. by SgtAaron · 2015-05-26 11:29 · Score: 1
  
  Hopefully as people become more aware of such basic weaknesses, vendors will be under pressure to stop shipping devices with default credentials built-in, naively expecting grandma's and grandpa's to actually change them.
  That's a big hope :-) When we install new wireless internet service in the various remote locations our customers live in, they purchase a wi-fi router from us and we configure the damn things ourselves. Unless they already have a router, of course, then we check it out and make sure it's locked down. It's the only way to be sure.
10. Re:Not news... Use better passwords. by dave420 · 2015-05-26 22:24 · Score: 1
  
  Yes, but that has nothing to do with the OS, as your post seemed to imply. That is what the AC was talking about - your peculiar choice of terms.
Re:Very funny! by BarbaraHudson · 2015-05-26 07:18 · Score: 1

I haven't seen predestination yet, but if it's anything like the short story it was based on, I will definitely like it. It's a real mind-bender.(hum "I'm my own grandpa ...")
Nobody likes this hijacking crap, but it is what it is ... if there's money in it, the cockroaches will be there.

--
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Time for 2FA for the local router? by mlts · 2015-05-26 07:39 · Score: 2

I wish more routers came either with a local method of configuration (an onboard touchscreen display like a lot of LTE Wi-Fi routers, USBSerial, or perhaps just a good old fashioned serial port, with a USB dongle and cable.) From there, one could configure some form of 2FA, which does mitigate the aspect of a compromised PC or network.
1. Re:Time for 2FA for the local router? by fuzzyfuzzyfungus · 2015-05-26 08:54 · Score: 1
  
  Two-factor auth is so far ahead of the current situation that the risk of 'what if they try to configure the router from a compromised PC?' probably isn't on the radar.
  
  What I would love to see, though, would be a router that uses some USB or NFC security fob for idiot-proof and robust VPN setups: just imagine: plug the fob into the router, or set it on the NFC pad, press the 'bless' button; and the router would perform the appropriate cryptographic handshaking with the fob, and provide the configuration information for setting up the VPN(url, VPN type, etc.).
  
  Then you bring the fob over to a computer or mobile device, hit 'make it so', and the VPN client reads out the config data, makes the appropriate configuration changes, and the fob authenticates the connection. Quick, trivially easy, much more secure than a password or even a certificate file on a USB drive; and you are neatly tunneled back to your home network regardless of the hostile and untrusted networks you may encounter during the day.
  
  Should you lose the fob; hit the 'unbless all' button and all fobs need to be re-blessed before they can be used(obviously, web or other interfaces to the router could allow more granular and advanced control; but having to re-bless a few fobs is likely to be easier than having to understand a more complex interface for many unsophisticated users, who probably only have a small number of active fobs anyway).
2. Re:Time for 2FA for the local router? by mlts · 2015-05-26 09:09 · Score: 1
  
  The blessed fob idea could be used for a lot more than that, assuming BT or NFC connections (for short range items.) Not just for the network connections, but for things like recovering a lost password on a machine.
  As you said, the concept of a physical key is a lot more common, and intuitive to a lot of people, so that might be a way of doing security on a home user basis.
  No, this isn't perfect... but it would help immensely with security and close a lot of remote attack holes.
  Excellent idea.
3. Re:Time for 2FA for the local router? by fuzzyfuzzyfungus · 2015-05-26 10:18 · Score: 1
  
  I think that you could bodge together a proof of concept with basically any router and either a smartcard reader that supports CAC-style behavior, or any of the fobs that can do keypair auth(I know yubikeys can, I haven't done much poking around); but the one snag is that, to my knowledge, there's nothing (at least nothing remotely standard) that does both robust crypto token and just enough writeable storage for the little bit of configuration data that would allow a user without much technical aptitude to autoconfigure a VPN, or trust of a given certificate, or any other use case that requires both the transmission of a small amount of data and robust authentication.
  
  For myself, I'm interested just because hardware crypto tokens are so strong compared to passwords of any remotely tractable-to-humans complexity, and less vulnerable to untrustworthy clients than doing keypair auth with a private key that lives on a relatively vulnerable computer, rather than never leaving dedicated hardware; but for it to be something useful outside geeks and IT-managed environments, the extra bit of configuration data capability seems like it would be necessary.
  
  Maybe if I were feeling entrepreneurial...
4. Re:Time for 2FA for the local router? by Aristos+Mazer · 2015-05-26 15:44 · Score: 1
  
  Excellent idea. Needs to be tweaked somehow to support phones\tablets that don't have (standard) USB ports. But the idea is good.
Moose and... by Anonymous Coward · 2015-05-26 07:58 · Score: 1

Will the counter to this be SQUIRREL?
New malware that targets week passwords? by nickweller · 2015-05-26 08:20 · Score: 1

'the Moose worm [takes advantage of] weakly configured with poorly chosen login credentials.'

Jeeezus J. Jehovah, is this what slashdot has been reduced to reporting as technical information, a so called WORM can login to devices with weak or default passwords?
Attn. Router Owners by Guy+From+V · 2015-05-26 08:25 · Score: 1

Just start using any of the open source firmwares that are constantly tweaked and updated (almost to a fault) like Tomato and DDWRT. They are very flexible and have different flavors to fit your needs and nothing you don't want so as to lessen the target size and entryway vector number and are fully auditable. I recommend the Toastman tomatousb vintage with VPN and 5ghz.
Do know what the saddest part is? by CaptainLugnuts · 2015-05-26 09:27 · Score: 1

Thar worm code is better documented then anything I've ever worked on.
Not only Linux by DrYak · 2015-05-26 11:10 · Score: 1

Which raises the question, why is this even news? Is it more Linux/open-source bashing by the commercial OS crowd?
In fact not all of them even run Linux. AFAIK, Zyxel use their own proprietary OS, call ZyNOS (Zyxel Network Operating System).
The fact that their are listed here shows that the worm doesn't rely on a Linux vulnerability.
If Windows Embed had made any significant inroads as a router OS (haha...) it would probably also be among the vulnerable targets.

--
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
1. Re:Not only Linux by Anonymous Coward · 2015-05-26 12:28 · Score: 1
  
  Many Zyxel consumer routers seem to use Linux.
Re:LOL, yea, that song... apk by fisted · 2015-05-26 12:50 · Score: 1

Has anyone seen a ton of <b> tags? I think he lost his stash.

--
CLI paste? paste.pr0.tips!
Re:LOL, yea, that song... apk by weilawei · 2015-05-26 14:43 · Score: 1

Lay off dude. He's having a reasonable discussion.
Re:LOL, yea, that song... apk by fisted · 2015-05-26 21:00 · Score: 1

Hahahahahahah. See sibling and what follows.

--
CLI paste? paste.pr0.tips!
Re:LOL, yea, that song... apk by fisted · 2015-05-26 21:06 · Score: 1

I think you forgot to sign that post with your usual signature, my challenged friend.

--
CLI paste? paste.pr0.tips!
Re:Has anyone seen... apk by fisted · 2015-05-26 21:08 · Score: 1

This makes me want to cuddle you

--
CLI paste? paste.pr0.tips!
Re:Last laugh's mine, fisted... apk by fisted · 2015-05-26 21:39 · Score: 1

It's more because I don't feel like wasting excessive time on dealing with trolls, my dear challenged friend. Go play with your windows. Sheesh.

--
CLI paste? paste.pr0.tips!
Re:"Run, Forrest: RUN!!!" by fisted · 2015-05-26 22:12 · Score: 1

you make ME look GOOD
Glad I could help, you seem to desperately need it.

--
CLI paste? paste.pr0.tips!