Petronella Blog Archive

Linux Moose, The Social Network Spammer

A new worm looks for cable and DSL modems, routers and other devices and turns them into creators of fake social media accounts. Called "Moose" because it uses a file named elan, which is French for moose, the malware watches for unencrypted cookies passing through the router or modem on their way to sites or apps like Facebook, Google, Instagram, Twitter and YouTube. It also scans for other vulnerable devices and then does a number of unsavory things.

Moose can use shell commands to infect the router and change DNS settings, sending users to sites that look like real, trusted sites but are in fact fakes set up to steal information or further infect a user's computer.

The more interesting thing Moose does, however, is to set up proxies that connect to the worm's servers and communicate with social networks to set up fake accounts and to add follows or perform other such actions on these accounts. Moose can even control the amount of security scanning done to infected systems, lessening its chance of being discovered.

Moose seems to have been around since July of 2014, and while it's not known how many systems are infected with it, it does appear to be fairly widespread. The good news is that when a router is turned off and turned back on, the infection disappears. However, if a router has weak security, such as a default or easy password, it's very easy for it to get infected again.