Last-minute paper: Linux/Moose endangered or extinct? An update on this atypical embedded Linux botnet

Thursday 1 October 14:30 - 15:00, Green room

Olivier Bilodeau (ESET)

  download slides (PDF)

Embedded Linux platforms have been increasingly targeted by malware authors over the past few years. The targeted devices, labelled under the umbrella term 'Internet of Things', are generally consumer routers, gateways or modems. They are compromised remotely via brute-forcing of their credentials or being victim of an unpatched vulnerability, such as the infamous Shellshock. Most of these compromises result in the targeted system being assimilated into a botnet.

Recently active examples of embedded Linux botnets include Linux/Aidra, Linux/Dofloo (AES.DDoS), Linux/DNSAmp (Mr.Black), Linux.Gafgyt, Linux/Moose and Linux/Tsunami. Due to the availability of malware source code, several disjoint botnets co-exist; they target several architectures including ARM, MIPS and x86, with variants (or forks) of the threats being common. Of the aforementioned malware list, only Linux/Moose stands out as being one of the rare threats not in the DDoS business, with no x86 variant found and controlled by a single group of actors.

Linux/Moose is built with SOCKS and HTTP proxying capabilities as well as a generic packet sniffer with an exfiltration mechanism. It is used by its operators to commit follow, like and view fraud on social networking sites such as Facebook, Instagram, Twitter and YouTube. It has the ability to spread on its own with a little assistance from its C&C server to provide binaries specific to the victim's architecture. It targets ARM and MIPS architectures with the latter targeted in both big- and little-endian variants. Additionally, the malware has code to pivot past firewalls and perform NAT traversal to allow attackers to operate from within firewalled networks.

This talk will first describe some of the challenges of reverse engineering embedded malware and analysis. Then we will cover Linux/Moose and the way it was operated. Expanding on the paper we released last spring about this threat, we will give an update on the current status of the botnet and the various means we are using to find its next evolution. To conclude, we will draw some conclusions on whether our publication successfully scared the operators and killed the threat or not.

Click here for more details about the conference.