Linux/Moose Worm Targets Routers, Modems, and Embedded Systems

An anonymous reader writes: Security firm ESET has published a report on new malware that targets Linux-based communication devices (modems, routers, and other internet-connected systems) to create a giant proxy network for manipulating social media. It's also capable of hijacking DNS settings. The people controlling the system use it for selling "follows," "likes," and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+. Affected router manufacturers include: Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL, and Zhone. The researchers found that even some medical devices were vulnerable to the worm, though it wasn't designed specifically to work with them.

Finally, a use for facebook.

[BarbaraHudson]

The people controlling the system use it for selling "follows," "likes," and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+.

I like it :-)

Re:

[BarbaraHudson]

That makes one more use for it than we can find for you.

That's great because I really don't want to be "used" by you. :-)

Re:

[aynoknman]

The people controlling the system use it for selling "follows," "likes," and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+.

I like it :-)

I don't quite follow you

Re:

[BarbaraHudson]

I haven't seen predestination yet, but if it's anything like the short story it was based on, I will definitely like it. It's a real mind-bender.(hum "I'm my own grandpa ...")

Nobody likes this hijacking crap, but it is what it is ... if there's money in it, the cockroaches will be there.

Re:

[fisted]

Has anyone seen a ton of <b> tags? I think he lost his stash.

Re:

[fisted]

This makes me want to cuddle you

Re:

[fisted]

I think you forgot to sign that post with your usual signature, my challenged friend.

Re:

[fisted]

you make ME look GOOD

Glad I could help, you seem to desperately need it.

Re:

[weilawei]

Lay off dude. He's having a reasonable discussion.

Re:

[fisted]

Hahahahahahah. See sibling and what follows.

Re:

[fisted]

It's more because I don't feel like wasting excessive time on dealing with trolls, my dear challenged friend. Go play with your windows. Sheesh.

No worries mate

[Anonymous Coward]

The Moose worm does not rely upon any underlying vulnerability in the routers – it is simply taking advantage of devices that have been weakly configured with poorly chosen login credentials.

Re:

[chipschap]

Which raises the question, why is this even news? Is it more Linux/open-source bashing by the commercial OS crowd? It doesn't even make sense. Turn on remote admin and leave a default password in place, and it's the fault of Linux when you get hacked?

Re:No worries mate

[cusco]

The simple fact that you can leave the device with a default password encompasses several levels of stupidity. 1) Programmers who do not require password to be changed, 2) Manufacturers who will install that firmware, 3) Customers who leave it that way. Level 3 shouldn't even be possible except for stupidity and laziness in Level 1 and 2.

Re: No worries mate

[Anonymous Coward]

Or programmers who leave hard coded, unremovable credentials in embedded systems?

Re:

[Grishnakh]

1) Programmers who do not require password to be changed,

Hey, don't blame the programmers. Most likely, someone did suggest requiring the password to be changed, and management said no for some dumb reason.

Re:No worries mate

[fuzzyfuzzyfungus]

It's news not because of OS(I don't know if they bothered; but exploits at the 'just use the default password against the external telnet interface' level would work against basically any OS, and the only real obstacle to executing a payload with the functions described would be that some of the really nasty VXworks-based devices are so RAM-starved that they can barely do their job, much less run malware at the same time); but because the security of nearly all 'consumer', and a disturbing number of more expensive, embedded devices is still utter shit.

It is bad enough that such plastic-box devices typically are shipping software well behind the curve(2.6X kernels, http servers with vulnerabilities that were closed upstream months before the device in question was released, that sort of thing); but 'default configuration leaves telnet listening on the WAN port, with weak credentials for root login' goes well beyond 'bug' and right into 'We Just Don't Care' territory. Even better, the same damn story has been true for at least the past decade, probably longer(though its importance has increased as the cost has fallen and number of little embedded boxes lurking around has skyrocketed).

At least on the desktop and server, some of the worst insecure-by-default atrocities have been ironed out, so attackers are now moderately likely to need to use vaguely clever vulnerabilities(even if they can often get away with ones that were patched months ago) or social engineering; but embedded crap hasn't even reached that level of security.

The fact that telnet is even there(outside of 'recovery' scenarios, where the emergency nature of the situation and availability of only the most limited resources make super-simple protocols like telnet and TFTP valuable) when OpenSSH has been available for the last 15 years, and less liberally licensed versions a bit longer, is disgusting in itself. Having it on the WAN, much less by default, is just depraved.

Re:

[account_deleted]

Comment removed based on user account deletion

Not only Linux

[DrYak]

Which raises the question, why is this even news? Is it more Linux/open-source bashing by the commercial OS crowd?

In fact not all of them even run Linux. AFAIK, Zyxel use their own proprietary OS, call ZyNOS (Zyxel Network Operating System).
The fact that their are listed here shows that the worm doesn't rely on a Linux vulnerability.

If Windows Embed had made any significant inroads as a router OS (haha...) it would probably also be among the vulnerable targets.

Re:

[Anonymous Coward]

Many Zyxel consumer routers seem to use Linux.

So basically . . .

[Anonymous Coward]

. . . turn on remote administration and leave the default username/password and you get m00sed? Cool.

A Møøse once bit my sister... No realli! She was Karving her initials on the møøse with the sharpened end of an interspace tøøthbrush given her by Svenge - her brother-in-law - an Oslo dentist and star of many Norwegian møvies: "The Høt Hands of an Oslo Dentist", "Fillings of Passion", "The Huge Mølars of Horst Nordfink"...

Re:

[mark_reh]

As a dentist I find your post quite amusing...

Re:

[unrtst]

As a dentist, you don't spend much time at the movies or watching TV.

YMMV, but my dentist has netflix on a big screen in a comfortable place to watch while someone picks around inside your mouth.

Re:

[mark_reh]

No, I don't have much time for either. I'm too busy saving the world, one tooth at a time.
Was that Monty Python?

Requires...

[Anonymous Coward]

Remote management login+password. Telnet connection.

Neither of which is enabled on our TP-Link router.

Re:Requires...

[bobbied]

Remote management login+password. Telnet connection.

Neither of which is enabled on our TP-Link router.

As far as you know.... Unfortunately there are some (dare we say MOST) people out there which don't know enough to turn off such nonsense, not to mention ISP's (like Verizon) who actually open ports unbeknownst to the end user so they can remotely manage your router when you call them with a technical support issue...

Re:

[Anonymous Coward]

Hint: unplug it from the cable/dsl network.

Mine is a black box until I unplug it from the network. It then comes up with a 192.168 address and I can hit it with a web browser. The logs provided all the info I need and I had access to reset the admin password as well as re-flash the device.

I was surprised that after setting a secure admin password the cable company could just bypass it once it was back on there network.

BTW: I bought and paid for the cable modem. It belongs to me and as such I should have ful

Re:

[Anonymous Coward]

>BTW: I bought and paid for the cable modem. It belongs to me and as such I should have full rights to the unit.

Only until you connect it to someone else's network.

Re:

[Em Adespoton]

I was surprised that after setting a secure admin password the cable company could just bypass it once it was back on there network.

That's because you've changed the admin password only. Above the admin password is a support password that has more privileges, and then the root password that rules them all. Your ISP holds these other two accounts that aren't visible from the Admin settings.

Re:

[Em Adespoton]

Don't forget the ex-employees too... including the ones that were fired with cause.

Re:

[Anonymous Coward]

My Motorola Surfboard works similar.

After booting up it will try to download and verify the signature on its config file from the ISP. If it works, it bridges ISP traffic and DHCP packet(s) go to and are answered by them.

If it can't get link on the docsis side, or can't download that config, or can't verify the signature on it, then it puts 192.168.100.1 on its LAN interface and runs a DHCP and web server.

One nice trick to use:
Boot the modem disconnected from the cable then connect a PCish device. On the

Re:

[eedwardsjr]

Try browsing to 192.168.100.1

Re:

[fuzzyfuzzyfungus]

Cable modems are a bit of a special case, and not in a good way. By design, they do what is called "DOCSIS Provisioning". As you might imagine, given that the 'Data over Cable Service Interface Specification' is produced by CableLabs, an industry R&D and standards organization operated by cable companies; the process is designed for the convenience of the service provider, not for the user.

Most cable modems do have some sort of web interface, config settings to fiddle with, etc.; but when you connect

Re:

[fuzzyfuzzyfungus]

It doesn't help that more than a few router firmwares, whether out of malice or incompetence, simply ignore configuration changes made through their configuration interface. The checkbox may even be there, and may even stay checked or unchecked correctly across reboots; but the actual status of the device just doesn't change.

I had to retire a POS Netgear unit(WNDR3400, in case anyone cares); because it simply ignored the 'Enable Wireless Protected Setup' option. I chose 'hell no'; because WPS is known fa

Re:

[bobbied]

I believe that your router IS supported by OpenWRT depending on the hardware version you have. I highly recommend OpenWRT. It's a bit more difficult to set up than most commercial offerings, but it's flexible and safe.

Re:

[fuzzyfuzzyfungus]

I'll have to check again. It wasn't when I pulled it; but that may have changed, and it is still in my reserve drawer.

Not news... Use better passwords.

[NotARealUser]

This is not a story, and not really a Linux problem. The worm relies on weak passwords to execute code. This is about as newsworthy as telling me that car thieves found a way to exploit Fords that have the keys left in them.

Re:Not news... Use better passwords.

[gstoddart]

Oh, I don't know ... the steaming shitpile which is the state of security on consumer electronics bears repeating.

Because apparently it isn't going to go away any time soon.

Re:

[fuzzyfuzzyfungus]

The fact that there are telnet services listening on WAN ports 15 years after OpenSSH became available makes me suspect that nothing short of a vigorous scourging with nuclear fire could solve the utterly lax approach to even rudimentary security in consumer electronics.

Well, that and DRM. Tell 'em that the pirates will steal their precious 'premium content' and suddenly they get real interested in security, albeit more in the 'building prisons' than 'building fortresses' sense of the word.

Re:

[MobileTatsu-NJG]

Unless this were a story about Microsoft, then it'd be fair game.

Re:Not news... Use better passwords.

[countSudoku()]

Okay, here you go:

I routinely "break into" fellow admin's Windows systems when they leave without locking their screen! Fucking Windows!

Re:

[Anonymous Coward]

Hopefully as people become more aware of such basic weaknesses, vendors will be under pressure to stop shipping devices with default credentials built-in, naively expecting grandma's and grandpa's to actually change them.

Re:

[SgtAaron]

Hopefully as people become more aware of such basic weaknesses, vendors will be under pressure to stop shipping devices with default credentials built-in, naively expecting grandma's and grandpa's to actually change them.

That's a big hope :-) When we install new wireless internet service in the various remote locations our customers live in, they purchase a wi-fi router from us and we configure the damn things ourselves. Unless they already have a router, of course, then we check it out and make sure it's locked down. It's the only way to be sure.

Re:

[cusco]

It's not a Linux problem as such, but it is an OS programmer problem because they **allow** default passwords to survive first use without requiring that they be changed.

Re:

[cusco]

Something tells me that you're too dumb to know how to create a user account, AC. There are plenty of devices that require you to change the password the first time you log into them, there is absolutely no reason NOT to do that except for laziness.

Re:

[dave420]

Yes, but that has nothing to do with the OS, as your post seemed to imply. That is what the AC was talking about - your peculiar choice of terms.

Re:

[nickweller]

@NotARealUser: "This is not a story, and not really a Linux problem. The worm relies on weak passwords to execute code. This is about as newsworthy as telling me that car thieves found a way to exploit Fords that have the keys left in them."

NO, NO, NO, if it was FORD then it would be referred to as ' cars ' with keys in them get hacked :)

Especially if FORD were spending a lot of advertising money with the parent publisher :)

Re:

[clovis]

This is not a story, and not really a Linux problem. The worm relies on weak passwords to execute code. This is about as newsworthy as telling me that car thieves found a way to exploit Fords that have the keys left in them.

This is more like "dealerships hide a spare key under every car, but they don't tell the owner".

Time for 2FA for the local router?

[mlts]

I wish more routers came either with a local method of configuration (an onboard touchscreen display like a lot of LTE Wi-Fi routers, USBSerial, or perhaps just a good old fashioned serial port, with a USB dongle and cable.) From there, one could configure some form of 2FA, which does mitigate the aspect of a compromised PC or network.

Re:

[fuzzyfuzzyfungus]

Two-factor auth is so far ahead of the current situation that the risk of 'what if they try to configure the router from a compromised PC?' probably isn't on the radar.

What I would love to see, though, would be a router that uses some USB or NFC security fob for idiot-proof and robust VPN setups: just imagine: plug the fob into the router, or set it on the NFC pad, press the 'bless' button; and the router would perform the appropriate cryptographic handshaking with the fob, and provide the configuration

Re:

[mlts]

The blessed fob idea could be used for a lot more than that, assuming BT or NFC connections (for short range items.) Not just for the network connections, but for things like recovering a lost password on a machine.

As you said, the concept of a physical key is a lot more common, and intuitive to a lot of people, so that might be a way of doing security on a home user basis.

No, this isn't perfect... but it would help immensely with security and close a lot of remote attack holes.

Excellent idea.

Re:

[fuzzyfuzzyfungus]

I think that you could bodge together a proof of concept with basically any router and either a smartcard reader that supports CAC-style behavior, or any of the fobs that can do keypair auth(I know yubikeys can, I haven't done much poking around); but the one snag is that, to my knowledge, there's nothing (at least nothing remotely standard) that does both robust crypto token and just enough writeable storage for the little bit of configuration data that would allow a user without much technical aptitude to

Re:

[Aristos Mazer]

Excellent idea. Needs to be tweaked somehow to support phones\tablets that don't have (standard) USB ports. But the idea is good.

Moose and...

[Anonymous Coward]

Will the counter to this be SQUIRREL?

New malware that targets week passwords?

[nickweller]

'the Moose worm [takes advantage of] weakly configured with poorly chosen login credentials.'

Jeeezus J. Jehovah, is this what slashdot has been reduced to reporting as technical information, a so called WORM can login to devices with weak or default passwords?

Attn. Router Owners

[Guy From V]

Just start using any of the open source firmwares that are constantly tweaked and updated (almost to a fault) like Tomato and DDWRT. They are very flexible and have different flavors to fit your needs and nothing you don't want so as to lessen the target size and entryway vector number and are fully auditable. I recommend the Toastman tomatousb vintage with VPN and 5ghz.

Do know what the saddest part is?

[CaptainLugnuts]

Thar worm code is better documented then anything I've ever worked on.