A moose once bit my honeypot – A story of an embedded Linux botnet
Embedded Linux platforms, now commonly labeled “Internet of Things” devices, have been increasingly targeted by malware authors in the last few years, with most infections resulting in the compromised system joining a botnet. While many of these botnets have been used to perform distributed denial of service (DDoS) or DNS hijacking attacks, we took the opportunity to thoroughly investigate a slightly different take on the embedded Linux botnet landscape.
Targeting Linux-based consumer routers, Linux/Moose is used by its operators to perform fraud on social networking sites such as Facebook, Instagram, Twitter and YouTube. To that end, it is built with SOCKS and HTTP proxying capabilities and a generic packet sniffer and exfiltration mechanism. To grow its botnet, Linux/Moose runs several scanner threads that find and infect hosts, with a C&C server supplying a binary matching the victim’s architecture. Additionally, the malware has code to spread past firewalls and performs NAT traversal to give the operator access inside firewalled networks.
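Because the bot turns infected routers into SOCKS proxies, an unexpected SOCKS listener on a router is a practical indicator for a network operator. The following added example (written for this page, not ESET’s tooling or the malware’s own code) speaks the RFC 1928 SOCKS5 client greeting to a host and classifies the two-byte method-selection reply. The port list, the timeout and the `scan_hosts` helper are assumptions for illustration; the write-up names no port.

```python
"""Probe hosts for an open SOCKS5 proxy (RFC 1928 handshake only).

Added example for this page; the port list and timeout are assumptions.
Only the greeting/method-selection exchange is performed, so nothing is
proxied and no CONNECT request is issued.
"""
import socket
from typing import Dict, Iterable, Optional, Tuple

SOCKS5_VERSION = 0x05
METHOD_NO_AUTH = 0x00            # "NO AUTHENTICATION REQUIRED"
METHOD_USERPASS = 0x02           # "USERNAME/PASSWORD" (RFC 1929)
METHOD_NONE_ACCEPTABLE = 0xFF    # server rejects all offered methods

# Client greeting: VER=5, NMETHODS=2, METHODS=[no-auth, user/pass]
CLIENT_GREETING = bytes([SOCKS5_VERSION, 2, METHOD_NO_AUTH, METHOD_USERPASS])


def classify_socks5_reply(reply: bytes) -> Optional[str]:
    """Interpret the server's method-selection message (VER, METHOD).

    Returns 'open' for a proxy that accepts unauthenticated clients,
    'auth-required' if it insists on username/password, 'refused' if it
    rejects every offered method, and None if the bytes are not a SOCKS5
    reply at all (e.g. an HTTP banner or an empty read).
    """
    if len(reply) < 2 or reply[0] != SOCKS5_VERSION:
        return None
    method = reply[1]
    if method == METHOD_NO_AUTH:
        return "open"
    if method == METHOD_USERPASS:
        return "auth-required"
    if method == METHOD_NONE_ACCEPTABLE:
        return "refused"
    return None  # a method we never offered: not a conforming SOCKS5 reply


def probe_socks5(host: str, port: int, timeout: float = 2.0) -> Optional[str]:
    """Connect, send the greeting and classify the reply; None on any error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(CLIENT_GREETING)
            reply = sock.recv(2)
    except OSError:
        return None
    return classify_socks5_reply(reply)


def scan_hosts(hosts: Iterable[str],
               ports: Tuple[int, ...] = (1080,),   # assumed default port
               timeout: float = 2.0) -> Dict[Tuple[str, int], str]:
    """Return {(host, port): classification} for every SOCKS5 responder."""
    findings: Dict[Tuple[str, int], str] = {}
    for host in hosts:
        for port in ports:
            result = probe_socks5(host, port, timeout)
            if result is not None:
                findings[(host, port)] = result
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python socks_probe.py 192.0.2.1 192.0.2.2 ...
    for (h, p), verdict in scan_hosts(sys.argv[1:]).items():
        print(f"{h}:{p} SOCKS5 {verdict}")
```

Run it against the management addresses of your own routers; an `open` result on a device that was never configured as a proxy deserves a closer look. Extending the port tuple covers operators who move the listener off the conventional port.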
External link: Online presentation