I have heard from others that there is a new worm called "moose". This actively targets and exploits home routers.

What are the effects of this exploit?

How can I protect myself from this?

Can I check if my router is vulnerable?

George

1 Answer

ESET released a report about the vulnerability here. Their key findings are:

  • Linux/Moose targets consumer routers and modems including the hardware provided by Internet Service Providers (ISPs) to consumers
  • The threat is built for deep network penetration spreading past firewalls
  • It can eavesdrop on communications to and from devices connected behind the infected router, including desktops, laptops and mobile phones
  • Moose runs a comprehensive proxy service (SOCKS and HTTP) that can be accessed only by a specific list of IP addresses
  • The operators use the infected devices to perform social network fraud on Twitter, Facebook, Instagram, Youtube and more
  • Moose can be configured to reroute router DNS traffic, which enables man-in-the-middle attacks from across the Internet
  • It affects Linux-based embedded devices running on the MIPS and ARM architectures

If we look at how it spreads one statement is very important here:

Last but not least, this threat spreads only by compromising systems with weak or default credentials. No vulnerabilities are exploited by the malware. Although downplayed by system administrators, this attack vector has been effective at compromising a lot of Internet-connected systems. As FireEye recently stated: “Brute forcing credentials remains one of the top 10 most common ways an organization is first breached.”

They have listed some of the devices which may be affected:

Network equipment vendors

3Com, Alcatel-Lucent, Allied Telesis, Avaya, Belkin, Brocade, Buffalo, Celerity, Cisco, D-link, Enterasys, Hewlett-Packard, Huawei, Linksys, Mikrotik, Netgear, Meridian, Nortel, SpeedStream, Thomson, TP-Link, Zhone, ZyXEL

Appliances vendors

APC, Brother, Konica/Minolta, Kyocera, Microplex, Ricoh, Toshiba, Xerox

Internet of Things vendors

Hik Vision, Leviton

Indicators of compromise

If the credentials can be used via Telnet to log in, if Telnet is enabled by default and if shell access can be obtained by typing sh at the device’s prompt, then these are very good indicators that a device could be infected by Linux/Moose.

Prevention

Change default passwords on network equipment even if it is not reachable from the Internet. Disable Telnet login and use SSH where possible. Make sure that your router is not accessible from the Internet on ports 22 (SSH), 23 (Telnet), 80 (HTTP) and 443 (HTTPS). If you are unsure about how to perform this test, when you are at home, use the "common ports" scan from the ShieldsUP service from GRC.com. Make sure that the above-mentioned ports receive a Stealth or Closed status. Running the latest firmware available from your embedded device vendor is also recommended.

Lucas Kauffman
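The answer's prevention step is an external check: from a machine outside your home network, confirm that your router's public address does not answer on ports 22, 23, 80 and 443, and classify each port the way ShieldsUP reports it (Open, Closed, or Stealth when nothing answers at all). The following is an added example written for this page; it is not code from the answer, from ESET or from GRC. It uses a plain TCP connect probe, so it only tells you whether a service answers, and the local listener in `demo_against_local_listener` is a constructed stand-in for an exposed management port so the example runs offline.

```python
import socket
import sys

# The management ports the answer says must be Stealth or Closed from the Internet.
EXPOSURE_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}


def probe_port(host, port, timeout=2.0):
    """TCP connect probe against one port.

    Returns 'open' (the three-way handshake completed), 'closed' (the host
    replied with a reset) or 'stealth' (no reply within the timeout, which is
    what a firewall that silently drops packets looks like from outside).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError:
        # Host unreachable, no route, etc.: nothing answered, same as stealth.
        return "stealth"
    finally:
        sock.close()


def check_exposure(host, ports=EXPOSURE_PORTS, timeout=2.0):
    """Probe every port in `ports` (a {port: service name} mapping) and
    return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def exposed_services(results, ports=EXPOSURE_PORTS):
    """Names of the services that answered, i.e. the ports that did not get
    the Stealth or Closed status the answer asks for."""
    return sorted(ports[p] for p, state in results.items()
                  if p in ports and state == "open")


def demo_against_local_listener():
    """Self-contained demonstration (constructed, not a real router): one
    listening socket plays an exposed Telnet service, and a port that was
    bound and then released plays a closed SSH port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)  # the kernel completes handshakes from the backlog, no accept() needed
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here any more, so a connect gets a reset

    labels = {open_port: "Telnet", closed_port: "SSH"}
    try:
        results = check_exposure("127.0.0.1", labels, timeout=1.0)
    finally:
        listener.close()
    return results[open_port], results[closed_port], exposed_services(results, labels)


if __name__ == "__main__":
    # Usage: python check_router.py <your public IP, as seen from outside your LAN>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    states = check_exposure(target)
    for port, state in sorted(states.items()):
        print(f"{port:>5} {EXPOSURE_PORTS[port]:<7} {state}")
    exposed = exposed_services(states)
    print("exposed from here:", ", ".join(exposed) if exposed else "none")
```

Run it from a network that is not behind the router under test (for example a phone's tethered connection) against the router's public address; probing from inside the LAN reaches the router's internal interface and says nothing about Internet exposure. A Stealth or Closed result on all four ports is the outcome the answer asks for, but it does not cover the other half of the advice: a router with a default Telnet password is still wide open to anything already on the LAN, so the credential change is needed regardless of what this check reports.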

Keep in mind that the "ShieldsUP service from GRC.com" is a product created by Steve Gibson, who has demonstrated a fantastic lack of understanding of network technologies. He's a salesman and pundit, not a security expert. There are numerous reports that ShieldsUP doesn't actually properly scan ports, and may return both false positives and false negatives. – Polynomial May 28 '15 at 18:06