Slashdot Mirror


Linux/Moose Worm Targets Routers, Modems, and Embedded Systems

An anonymous reader writes: Security firm ESET has published a report on new malware that targets Linux-based communication devices (modems, routers, and other internet-connected systems) to create a giant proxy network for manipulating social media. It's also capable of hijacking DNS settings. The people controlling the system use it for selling "follows," "likes," and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+. Affected router manufacturers include: Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL, and Zhone. The researchers found that even some medical devices were vulnerable to the worm, though it wasn't designed specifically to work with them.

17 of 110 comments

  1. Finally, a use for facebook. by BarbaraHudson · · Score: 5, Funny

    The people controlling the system use it for selling "follows," "likes," and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+.

    I like it :-)

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    1. Re:Finally, a use for facebook. by aynoknman · · Score: 2

      The people controlling the system use it for selling "follows," "likes," and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+.

      I like it :-)

      I don't quite follow you

      --
      We need a "+1 -- nice sig" moderation.
  2. No worries mate by Anonymous Coward · · Score: 5, Informative

    The Moose worm does not rely upon any underlying vulnerability in the routers – it is simply taking advantage of devices that have been weakly configured with poorly chosen login credentials.

    1. Re:No worries mate by cusco · · Score: 4, Informative

      The simple fact that you can leave the device with a default password encompasses several levels of stupidity. 1) Programmers who do not require the password to be changed, 2) Manufacturers who will install that firmware, 3) Customers who leave it that way. Level 3 shouldn't even be possible except for stupidity and laziness in Levels 1 and 2.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    2. Re:No worries mate by fuzzyfuzzyfungus · · Score: 3, Interesting

      It's news not because of OS (I don't know if they bothered; but exploits at the 'just use the default password against the external telnet interface' level would work against basically any OS, and the only real obstacle to executing a payload with the functions described would be that some of the really nasty VxWorks-based devices are so RAM-starved that they can barely do their job, much less run malware at the same time); but because the security of nearly all 'consumer', and a disturbing number of more expensive, embedded devices is still utter shit.

      It is bad enough that such plastic-box devices typically are shipping software well behind the curve (2.6.x kernels, http servers with vulnerabilities that were closed upstream months before the device in question was released, that sort of thing); but 'default configuration leaves telnet listening on the WAN port, with weak credentials for root login' goes well beyond 'bug' and right into 'We Just Don't Care' territory. Even better, the same damn story has been true for at least the past decade, probably longer (though its importance has increased as the cost has fallen and the number of little embedded boxes lurking around has skyrocketed).

      At least on the desktop and server, some of the worst insecure-by-default atrocities have been ironed out, so attackers are now moderately likely to need to use vaguely clever vulnerabilities (even if they can often get away with ones that were patched months ago) or social engineering; but embedded crap hasn't even reached that level of security.

      The fact that telnet is even there (outside of 'recovery' scenarios, where the emergency nature of the situation and availability of only the most limited resources make super-simple protocols like telnet and TFTP valuable) when OpenSSH has been available for the last 15 years, and less liberally licensed versions a bit longer, is disgusting in itself. Having it on the WAN, much less by default, is just depraved.
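      The exposure described in this comment (management services bound on the WAN side) can be checked from the device itself. The following is an added example, not code from the thread or from ESET's report; it parses constructed `ss -ltn` style output, assumes a constructed WAN address (203.0.113.7) and LAN address, and treats 7547 (TR-069/CWMP) as the ISP remote-management port mentioned elsewhere in the thread.

```python
# Added example: flag management listeners reachable from the WAN side of a
# Linux-based router. Input is constructed `ss -ltn` style output; real
# devices may print slightly different columns (busybox netstat, etc.).
WAN_ADDRS = {"203.0.113.7"}            # constructed public address (TEST-NET-3)
LAN_ADDRS = {"192.168.1.1"}            # constructed LAN-side address
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}  # bound on every interface

# Ports whose exposure on the WAN is the problem the comment describes.
MGMT_PORTS = {23: "telnet", 22: "ssh", 80: "http", 443: "https", 7547: "cwmp"}

# Constructed sample output in ss -ltn layout.
SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      5      0.0.0.0:23          0.0.0.0:*
LISTEN  0      128    192.168.1.1:80      0.0.0.0:*
LISTEN  0      128    203.0.113.7:7547    0.0.0.0:*
LISTEN  0      128    127.0.0.1:53        0.0.0.0:*
LISTEN  0      128    [::]:22             [::]:*
"""

def parse_listeners(text):
    """Return (address, port) pairs for every LISTEN row."""
    out = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")  # handles [::]:22 as well
        out.append((addr, int(port)))
    return out

def wan_exposed(listeners):
    """Management services bound to a wildcard or to a WAN address.

    A service bound only to the LAN or loopback address is not reported;
    a wildcard bind counts as WAN-exposed unless a firewall rule blocks it,
    which this check does not see.
    """
    findings = []
    for addr, port in listeners:
        if port in MGMT_PORTS and (addr in WILDCARDS or addr in WAN_ADDRS):
            findings.append((MGMT_PORTS[port], addr, port))
    return findings

if __name__ == "__main__":
    for name, addr, port in wan_exposed(parse_listeners(SS_OUTPUT)):
        print(f"WAN-exposed: {name} on {addr}:{port}")
```

      A wildcard bind is only safe if an input-chain firewall rule on the WAN interface drops it; the bind list alone says nothing about that, so check the filter rules as well.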

    3. Re:No worries mate by keneng · · Score: 2

      GENERAL RULE OF THUMB: NEVER ALLOW REMOTE ACCESS TO THE ROUTERS.
      ONLY PHYSICAL ACCESS DIRECTLY IS THE BETTER APPROACH. In Canada, when you use a vdsl2 modem, it usually needs to be a BELL provided modem. The default password is something BELL provides to you to connect to their network. The wifi access/router access password can be changed yes.

      Where problems arise that I have noticed recently are local wifi-hackers ddos'ing not only BELL vdsl2 modem wifi access points, but also if you have a bridged modem after that providing other wifi access points, then those wifi-hackers will ddos those also. It goes without saying, there is more than ddos'ing happening here. I wasn't really curious enough to sniff the actual traffic, but once I turned off both the bell wifi access point and the bridged modem's wifi access point, problems went away and the bandwidth and expected responsive connection behaviour was back to normal. If you really need wifi, turn it on for the limited time that you need it rather than all the time. That will minimize the attack surface.

      Sure there are parameters for defending against ddos, separate vlans per user, etc, BUT firewalls on each computer on the lan are what really matter the most.
      ADOBE FLASH is the biggest virus injector of them all. I'm happy Youtube doesn't use it anymore. I hope the other web sites get rid of ADOBE FLASH also.
      There is no reason not to use open-source streaming servers like flumotion and encoders like ffmpeg/theora. daala video is coming soon I hope.

  3. So basically . . . by Anonymous Coward · · Score: 4, Funny

    . . . turn on remote administration and leave the default username/password and you get m00sed? Cool.

    A Møøse once bit my sister... No realli! She was Karving her initials on the møøse with the sharpened end of an interspace tøøthbrush given her by Svenge - her brother-in-law - an Oslo dentist and star of many Norwegian møvies: "The Høt Hands of an Oslo Dentist", "Fillings of Passion", "The Huge Mølars of Horst Nordfink"...

    1. Re:So basically . . . by mark_reh · · Score: 2

      As a dentist I find your post quite amusing...

  4. Requires... by Anonymous Coward · · Score: 2, Interesting

    Remote management login+password. Telnet connection.

    Neither of which is enabled on our TP-Link router.

    1. Re:Requires... by bobbied · · Score: 4, Interesting

      Remote management login+password. Telnet connection.

      Neither of which is enabled on our TP-Link router.

      As far as you know.... Unfortunately there are some (dare we say MOST) people out there who don't know enough to turn off such nonsense, not to mention ISPs (like Verizon) who actually open ports unbeknownst to the end user so they can remotely manage your router when you call them with a technical support issue...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:Requires... by Em+Adespoton · · Score: 2

      I was surprised that after setting a secure admin password the cable company could just bypass it once it was back on their network.

      That's because you've changed the admin password only. Above the admin password is a support password that has more privileges, and then the root password that rules them all. Your ISP holds these other two accounts that aren't visible from the Admin settings.

    3. Re:Requires... by fuzzyfuzzyfungus · · Score: 2

      Cable modems are a bit of a special case, and not in a good way. By design, they do what is called "DOCSIS Provisioning". As you might imagine, given that the 'Data over Cable Service Interface Specification' is produced by CableLabs, an industry R&D and standards organization operated by cable companies; the process is designed for the convenience of the service provider, not for the user.

      Most cable modems do have some sort of web interface, config settings to fiddle with, etc.; but when you connect one to a cable network, after performing the low-level analog black magic required to get a working digital channel up, the modem makes a DHCP request, which the operator CMTS responds to with an IP and a TFTP server address from which the modem downloads a configuration file. The modem then applies that config file, ignoring any manual configuration made, and operates accordingly.

      If you fancy a look at the gory details, Here are some links; and there is a software package for playing with being the party doing the provisioning. Punchline is, though, that a successful cable modem connection more or less implies that the cable modem will be operating according to the provider's configuration for the duration of the connection. Depending on whether or not your ISP is a dick about it, you may or may not lose access to http status pages, SNMP, and any other features the modem possesses; but that's all their call. A disconnected cable modem isn't much use; but it will generally show you whatever its firmware has to offer.
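      The config file the modem fetches over TFTP in the provisioning sequence above is a flat type-length-value file. The following decoder is an added example, not code from the thread or from the provisioning package the comment refers to; it assumes the standard DOCSIS TLV layout (1-byte type, 1-byte length, value) and the well-known top-level type numbers, and the sample bytes, including the zeroed MIC digest, are constructed.

```python
# Added example: decode the top-level TLVs of a DOCSIS modem configuration
# file (the file the CMTS points the modem at via DHCP/TFTP). Type numbers
# are the DOCSIS top-level assignments as assumed in the lead-in.
import struct

TLV_NAMES = {
    1: "Downstream Frequency",    # uint32, Hz
    2: "Upstream Channel ID",     # uint8
    3: "Network Access Control",  # uint8: 0 = CPE traffic not forwarded
    18: "Maximum Number of CPEs", # uint8, provider-imposed device cap
    6: "CM MIC",                  # 16-byte integrity digest over the file
    7: "CMTS MIC",                # 16-byte integrity digest incl. shared secret
}
END_OF_DATA = 255   # terminates the file
PAD = 0             # single-byte padding, no length field

def parse_tlvs(data):
    """Yield (type, value_bytes) until the end-of-data marker or end of buffer."""
    i = 0
    while i < len(data):
        t = data[i]
        if t == END_OF_DATA:
            return
        if t == PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated TLV header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value for type %d" % t)
        yield t, value
        i += 2 + length

def decode_config(data):
    """Return a dict of decoded top-level settings; unknown types stay as hex."""
    cfg = {}
    for t, v in parse_tlvs(data):
        name = TLV_NAMES.get(t, "type %d" % t)
        if t == 1:
            cfg[name] = struct.unpack(">I", v)[0]
        elif t in (2, 3, 18):
            cfg[name] = v[0]
        else:
            cfg[name] = v.hex()
    return cfg

# Constructed sample: 507 MHz downstream, upstream channel 2, network access
# enabled, at most 4 CPEs, zeroed CM MIC, then end-of-data.
SAMPLE = (bytes([1, 4]) + struct.pack(">I", 507_000_000)
          + bytes([2, 1, 2]) + bytes([3, 1, 1]) + bytes([18, 1, 4])
          + bytes([6, 16]) + b"\x00" * 16 + bytes([END_OF_DATA]))
```

      Every setting in that file is chosen by the provider and applied over whatever was set by hand, which is the point of the comment: the "Network Access Control" and "Maximum Number of CPEs" fields are the operator's policy, not the user's.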

  5. Not news... Use better passwords. by NotARealUser · · Score: 5, Interesting

    This is not a story, and not really a Linux problem. The worm relies on weak passwords to execute code. This is about as newsworthy as telling me that car thieves found a way to exploit Fords that have the keys left in them.

    1. Re:Not news... Use better passwords. by gstoddart · · Score: 4, Insightful

      Oh, I don't know ... the steaming shitpile which is the state of security on consumer electronics bears repeating.

      Because apparently it isn't going to go away any time soon.

      --
      Lost at C:>. Found at C.
    2. Re:Not news... Use better passwords. by countSudoku() · · Score: 3, Funny

      Okay, here you go:

      I routinely "break into" fellow admin's Windows systems when they leave without locking their screen! Fucking Windows!

      --
      This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
    3. Re:Not news... Use better passwords. by cusco · · Score: 2

      Something tells me that you're too dumb to know how to create a user account, AC. There are plenty of devices that require you to change the password the first time you log into them, there is absolutely no reason NOT to do that except for laziness.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  6. Time for 2FA for the local router? by mlts · · Score: 2

    I wish more routers came either with a local method of configuration (an onboard touchscreen display like a lot of LTE Wi-Fi routers, USB serial, or perhaps just a good old fashioned serial port, with a USB dongle and cable.) From there, one could configure some form of 2FA, which does mitigate the aspect of a compromised PC or network.