Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Social Networks Worms Networking Security Linux

Linux/Moose Worm Targets Routers, Modems, and Embedded Systems 110

An anonymous reader writes: Security firm ESET has published a report on new malware that targets Linux-based communication devices (modems, routers, and other internet-connected systems) to create a giant proxy network for manipulating social media. It's also capable of hijacking DNS settings. The people controlling the system use it for selling "follows," "likes," and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+. Affected router manufacturers include: Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL, and Zhone. The researchers found that even some medical devices were vulnerable to the worm, though it wasn't designed specifically to work with them.
This discussion has been archived. No new comments can be posted.

Linux/Moose Worm Targets Routers, Modems, and Embedded Systems

Comments Filter:
  • The people controlling the system use it for selling "follows," "likes," and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+.

    I like it :-)

    • The people controlling the system use it for selling "follows," "likes," and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+.

      I like it :-)

      I don't quite follow you

  • No worries mate (Score:5, Informative)

    by Anonymous Coward on Tuesday May 26, 2015 @01:58PM (#49776723)
    The Moose worm does not rely upon any underlying vulnerability in the routers – it is simply taking advantage of devices that have been weakly configured with poorly chosen login credentials.
    • Re: (Score:2, Troll)

      by chipschap ( 1444407 )

      Which raises the question, why is this even news? Is it more Linux/open-source bashing by the commercial OS crowd? It doesn't even make sense. Turn on remote admin and leave a default password in place, and it's the fault of Linux when you get hacked?

      • Re:No worries mate (Score:5, Informative)

        by cusco ( 717999 ) <[brian.bixby] [at] [gmail.com]> on Tuesday May 26, 2015 @03:05PM (#49777219)

        The simple fact that you can leave the device with a default password encompasses several levels of stupidity. 1) Programmers who do not require password to be changed, 2) Manufacturers who will install that firmware, 3) Customers who leave it that way. Level 3 shouldn't even be possible except for stupidity and laziness in Level 1 and 2.

        • by Anonymous Coward

          Or programmers who leave hard coded, unremovable credentials in embedded systems?

        • 1) Programmers who do not require password to be changed,

          Hey, don't blame the programmers. Most likely, someone did suggest requiring the password to be changed, and management said no for some dumb reason.

      • Re:No worries mate (Score:4, Interesting)

        by fuzzyfuzzyfungus ( 1223518 ) on Tuesday May 26, 2015 @03:16PM (#49777275) Journal
        It's news not because of OS(I don't know if they bothered; but exploits at the 'just use the default password against the external telnet interface' level would work against basically any OS, and the only real obstacle to executing a payload with the functions described would be that some of the really nasty VXworks-based devices are so RAM-starved that they can barely do their job, much less run malware at the same time); but because the security of nearly all 'consumer', and a disturbing number of more expensive, embedded devices is still utter shit.

        It is bad enough that such plastic-box devices typically are shipping software well behind the curve(2.6X kernels, http servers with vulnerabilities that were closed upstream months before the device in question was released, that sort of thing); but 'default configuration leaves telnet listening on the WAN port, with weak credentials for root login' goes well beyond 'bug' and right into 'We Just Don't Care' territory. Even better, the same damn story has been true for at least the past decade, probably longer(though its importance has increased as the cost has fallen and number of little embedded boxes lurking around has skyrocketed).

        At least on the desktop and server, some of the worst insecure-by-default atrocities have been ironed out, so attackers are now moderately likely to need to use vaguely clever vulnerabilities(even if they can often get away with ones that were patched months ago) or social engineering; but embedded crap hasn't even reached that level of security.

        The fact that telnet is even there(outside of 'recovery' scenarios, where the emergency nature of the situation and availability of only the most limited resources make super-simple protocols like telnet and TFTP valuable) when OpenSSH has been available for the last 15 years, and less liberally licensed versions a bit longer, is disgusting in itself. Having it on the WAN, much less by default, is just depraved.
      • Comment removed based on user account deletion
      • Which raises the question, why is this even news? Is it more Linux/open-source bashing by the commercial OS crowd?

        In fact not all of them even run Linux. AFAIK, Zyxel use their own proprietary OS, call ZyNOS (Zyxel Network Operating System).
        The fact that their are listed here shows that the worm doesn't rely on a Linux vulnerability.

        If Windows Embed had made any significant inroads as a router OS (haha...) it would probably also be among the vulnerable targets.

        • by Anonymous Coward

          Many Zyxel consumer routers seem to use Linux.

  • by Anonymous Coward on Tuesday May 26, 2015 @02:03PM (#49776765)

    . . . turn on remote administration and leave the default username/password and you get m00sed? Cool.

    A Møøse once bit my sister... No realli! She was Karving her initials on the møøse with the sharpened end of an interspace tøøthbrush given her by Svenge - her brother-in-law - an Oslo dentist and star of many Norwegian møvies: "The Høt Hands of an Oslo Dentist", "Fillings of Passion", "The Huge Mølars of Horst Nordfink"...

    • As a dentist I find your post quite amusing...

  • Requires... (Score:2, Interesting)

    by Anonymous Coward

    Remote management login+password. Telnet connection.

    Neither of which is enabled on our TP-Link router.

    • Re:Requires... (Score:5, Interesting)

      by bobbied ( 2522392 ) on Tuesday May 26, 2015 @02:15PM (#49776849)

      Remote management login+password. Telnet connection.

      Neither of which is enabled on our TP-Link router.

      As far as you know.... Unfortunately there are some (dare we say MOST) people out there which don't know enough to turn off such nonsense, not to mention ISP's (like Verizon) who actually open ports unbeknownst to the end user so they can remotely manage your router when you call them with a technical support issue...

      • It doesn't help that more than a few router firmwares, whether out of malice or incompetence, simply ignore configuration changes made through their configuration interface. The checkbox may even be there, and may even stay checked or unchecked correctly across reboots; but the actual status of the device just doesn't change.

        I had to retire a POS Netgear unit(WNDR3400, in case anyone cares); because it simply ignored the 'Enable Wireless Protected Setup' option. I chose 'hell no'; because WPS is known fa
        • I believe that your router IS supported by OpenWRT depending on the hardware version you have. I highly recommend OpenWRT. It's a bit more difficult to set up than most commercial offerings, but it's flexible and safe.
  • by NotARealUser ( 4083383 ) on Tuesday May 26, 2015 @02:06PM (#49776789)
    This is not a story, and not really a Linux problem. The worm relies on weak passwords to execute code. This is about as newsworthy as telling me that car thieves found a way to exploit Fords that have the keys left in them.
    • by gstoddart ( 321705 ) on Tuesday May 26, 2015 @02:07PM (#49776797) Homepage

      Oh, I don't know ... the steaming shitpile which is the state of security on consumer electronics bears repeating.

      Because apparently it isn't going to go away any time soon.

      • The fact that there are telnet services listening on WAN ports 15 years after OpenSSH became available makes me suspect that nothing short of a vigorous scourging with nuclear fire could solve the utterly lax approach to even rudimentary security in consumer electronics.

        Well, that and DRM. Tell 'em that the pirates will steal their precious 'premium content' and suddenly they get real interested in security, albeit more in the 'building prisons' than 'building fortresses' sense of the word.
    • Unless this were a story about Microsoft, then it'd be fair game.

    • by Anonymous Coward

      Hopefully as people become more aware of such basic weaknesses, vendors will be under pressure to stop shipping devices with default credentials built-in, naively expecting grandma's and grandpa's to actually change them.

      • Hopefully as people become more aware of such basic weaknesses, vendors will be under pressure to stop shipping devices with default credentials built-in, naively expecting grandma's and grandpa's to actually change them.

        That's a big hope :-) When we install new wireless internet service in the various remote locations our customers live in, they purchase a wi-fi router from us and we configure the damn things ourselves. Unless they already have a router, of course, then we check it out and make sure it's locked down. It's the only way to be sure.

    • by cusco ( 717999 )

      It's not a Linux problem as such, but it is an OS programmer problem because they **allow** default passwords to survive first use without requiring that they be changed.

    • @NotARealUser: "This is not a story, and not really a Linux problem. The worm relies on weak passwords to execute code. This is about as newsworthy as telling me that car thieves found a way to exploit Fords that have the keys left in them."

      NO, NO, NO, if it was FORD then it would be referred to as ' cars ' with keys in them get hacked :)

      Especially if FORD were spending a lot of advertising money with the parent publisher :)
    • by clovis ( 4684 )

      This is not a story, and not really a Linux problem. The worm relies on weak passwords to execute code. This is about as newsworthy as telling me that car thieves found a way to exploit Fords that have the keys left in them.

      This is more like "dealerships hide a spare key under every car, but they don't tell the owner".

  • by mlts ( 1038732 ) on Tuesday May 26, 2015 @02:39PM (#49777029)

    I wish more routers came either with a local method of configuration (an onboard touchscreen display like a lot of LTE Wi-Fi routers, USBSerial, or perhaps just a good old fashioned serial port, with a USB dongle and cable.) From there, one could configure some form of 2FA, which does mitigate the aspect of a compromised PC or network.

    • Two-factor auth is so far ahead of the current situation that the risk of 'what if they try to configure the router from a compromised PC?' probably isn't on the radar.

      What I would love to see, though, would be a router that uses some USB or NFC security fob for idiot-proof and robust VPN setups: just imagine: plug the fob into the router, or set it on the NFC pad, press the 'bless' button; and the router would perform the appropriate cryptographic handshaking with the fob, and provide the configuration
      • by mlts ( 1038732 )

        The blessed fob idea could be used for a lot more than that, assuming BT or NFC connections (for short range items.) Not just for the network connections, but for things like recovering a lost password on a machine.

        As you said, the concept of a physical key is a lot more common, and intuitive to a lot of people, so that might be a way of doing security on a home user basis.

        No, this isn't perfect... but it would help immensely with security and close a lot of remote attack holes.

        Excellent idea.

        • I think that you could bodge together a proof of concept with basically any router and either a smartcard reader that supports CAC-style behavior, or any of the fobs that can do keypair auth(I know yubikeys can, I haven't done much poking around); but the one snag is that, to my knowledge, there's nothing (at least nothing remotely standard) that does both robust crypto token and just enough writeable storage for the little bit of configuration data that would allow a user without much technical aptitude to
      • Excellent idea. Needs to be tweaked somehow to support phones\tablets that don't have (standard) USB ports. But the idea is good.

  • by Anonymous Coward

    Will the counter to this be SQUIRREL?

  • 'the Moose worm [takes advantage of] weakly configured with poorly chosen login credentials.'

    Jeeezus J. Jehovah, is this what slashdot has been reduced to reporting as technical information, a so called WORM can login to devices with weak or default passwords?
  • Just start using any of the open source firmwares that are constantly tweaked and updated (almost to a fault) like Tomato and DDWRT. They are very flexible and have different flavors to fit your needs and nothing you don't want so as to lessen the target size and entryway vector number and are fully auditable. I recommend the Toastman tomatousb vintage with VPN and 5ghz.

  • Thar worm code is better documented then anything I've ever worked on.

Real programmers don't comment their code. It was hard to write, it should be hard to understand.

Working...