Discovered in 2015, Linux/Moose is a family of malware that primarily targets Linux-based consumer routers, including those issued to consumers by ISPs, as well as other devices running on the MIPS and ARM architectures. It gains access by brute-forcing weak Telnet credentials. It then uses these compromised devices to create a botnet designed to steal unencrypted network traffic and provide proxy services to the operator. Since Linux/Moose can penetrate deep into a network, it can eavesdrop on packets that pass between devices behind infected routers, including desktop computers, laptops, and mobile devices. Essentially, these capabilities allow the operator to steal HTTP cookies on social media sites and perform a type of click-fraud that accumulates illegitimate view-counts, followers, and “likes” on social media posts. In addition, Linux/Moose includes DNS hijacking capabilities used to kill the processes of any competing malware infection in order to preserve the resources of the compromised device. Lastly, this botnet can be used to conduct Man-in-the-Middle (MitM) attacks by rerouting DNS traffic. Following the May 2015 release of a 54-page report on Linux/Moose by internet security company, ESET, the botnet’s C2 servers went offline and no further data could be collected on that campaign.

In September 2015, a new sample of the malware surfaced after the author made some changes to its code. The first change that researchers noticed was that the C2 server’s IP address was no longer stored inside the binary. Instead, the author included the C2 server’s IP address as an encrypted command line argument, making it difficult to extract and impossible to independently run the sample in a sandbox environment. The author also changed the network protocol from binary to ASCII printable protocol. Lastly, the author shortened his list of whitelisted IPs from 50 to 10 and reduced the number of default login credentials it supports from 300 to 10.


Image Source: WeLiveSecurity


Reporting and Technical Details

  • May 2015: Dissecting Linux/Moose – The Analysis of a Linux Router-Based Worm Hungry for Social Networks (ESET)
  • November 2016: Ego Market – When Greed for Fame Benefits Large-Scale Botnets (GoSecure)
  • November 2016: Linux/Moose: Still Breathing (ESET WeLiveSecurity Blog)
  • ESET maintains a list of Linux/Moose IoCs, as well as updated Yara, Suricata, and Snort rules, on their malware-IoC GitHub repository here.