Linux/Moose

Detection created: 2015-03-13
Short description

The worm serves as a backdoor. It can be controlled remotely.

Installation

The worm is usually found in one of the following folders:

  • /var/
  • /dev/

The following filename is used:

  • elan2

Spreading

The worm tries to copy itself to reachable remote computers.


The worm generates various IP addresses.


It tries to connect to the remote machine on port:

  • 23 (TCP, Telnet)

The worm attempts to brute-force login credentials.


It uses a list of username and password combinations that it receives from the C&C server.


If a login succeeds, the remote computer may be made to download a copy of the worm from the Internet.


This copy of the worm is then executed.

Information stealing

The worm collects sensitive information when the user browses certain web sites.


The worm collects the following information:

  • cookies

The following services are affected:

  • Twitter
  • Facebook
  • Instagram
  • Google
  • Google Play
  • Youtube

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a list of URLs. The TCP protocol is used.


It can execute the following operations:

  • monitor network traffic
  • set up a proxy server
  • open ports
  • terminate running processes
  • send unidentified fraud traffic to popular social networks

The worm opens TCP port 10073.


The worm may execute a "DNS redirection" attack, which can cause redirection of network traffic to the attacker's web sites.
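The indicators listed above (the dropped file name under /var/ or /dev/, the listener on TCP port 10073, and Telnet credential brute forcing from a C&C-supplied wordlist) can be checked from the host or from router logs. The following is an added example written for this page, not ESET's tooling or the malware's own code. The /proc/net/tcp content and the syslog-style "telnetd: login failed" lines are constructed sample input, and the log line format is a hypothetical one rather than any specific vendor's; adapt the regular expression to the device you are actually inspecting.

```python
"""Indicator checks for the Linux/Moose behaviour described on this page.

Added example (not ESET's or the malware's code). It covers three
observable indicators the page lists:
  1. the dropped filename "elan2" under /var/ or /dev/
  2. a listener on TCP port 10073 (parsed from /proc/net/tcp format)
  3. Telnet (TCP/23) credential brute forcing, detected from login-failure
     log lines (many failures from one source, cycling usernames)

Sample /proc/net/tcp text and log lines below are constructed for the
example; the log line format is hypothetical.
"""
import os
import re
from collections import Counter

MOOSE_FILENAME = "elan2"
MOOSE_DIRS = ("/var", "/dev")
MOOSE_PORT = 10073          # from the page: the worm opens TCP port 10073
TCP_LISTEN = "0A"           # "st" column value for LISTEN in /proc/net/tcp


def find_dropped_files(dirs=MOOSE_DIRS, name=MOOSE_FILENAME):
    """Return paths named `name` directly inside the directories the page lists."""
    hits = []
    for d in dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            hits.append(candidate)
    return hits


def listening_ports(proc_net_tcp_text):
    """Parse /proc/net/tcp-format text and return local ports in LISTEN state."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:   # first row is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == TCP_LISTEN:
            # local_addr is "HEXIP:HEXPORT"; the port is the part after the colon
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def moose_port_open(proc_net_tcp_text):
    """True if something is listening on the port the page attributes to Moose."""
    return MOOSE_PORT in listening_ports(proc_net_tcp_text)


# Hypothetical syslog-style format:
#   "<timestamp> <host> telnetd: login failed for user <user> from <ipv4>"
FAIL_RE = re.compile(
    r"telnetd: login failed for user (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def telnet_bruteforce_sources(log_lines, threshold=5):
    """Return {source_ip: failure_count} for sources at or above `threshold`.

    A wordlist-driven worm produces a burst of failures from one source,
    so counting per source IP (not per username) is what surfaces it.
    """
    counts = Counter()
    for line in log_lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample input: telnet (0x0017) and 10073 (0x2759) listening,
# plus one established DNS connection that must not be reported.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0000000000000000 100 0 0 10 0
   1: 00000000:2759 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0035 0100007F:C2A1 01 00000000:00000000 00:00000000 00000000     0        0 3 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample log: one source cycling six username guesses, one
# ordinary user who mistyped a password once and then logged in.
SAMPLE_LOG = [
    "Mar 13 01:02:03 router telnetd: login failed for user root from 198.51.100.7",
    "Mar 13 01:02:04 router telnetd: login failed for user admin from 198.51.100.7",
    "Mar 13 01:02:05 router telnetd: login failed for user support from 198.51.100.7",
    "Mar 13 01:02:06 router telnetd: login failed for user user from 198.51.100.7",
    "Mar 13 01:02:07 router telnetd: login failed for user guest from 198.51.100.7",
    "Mar 13 01:02:08 router telnetd: login failed for user service from 198.51.100.7",
    "Mar 13 01:02:10 router telnetd: login failed for user admin from 203.0.113.5",
    "Mar 13 01:02:11 router telnetd: login succeeded for user admin from 203.0.113.5",
]

if __name__ == "__main__":
    print("dropped files:", find_dropped_files())
    print("port 10073 listening (sample):", moose_port_open(SAMPLE_PROC_NET_TCP))
    print("brute-force sources (sample):", telnet_bruteforce_sources(SAMPLE_LOG))
```

On a live device, feed `listening_ports()` the contents of /proc/net/tcp and /proc/net/tcp6 and run `find_dropped_files()` with the default directories; the Telnet check is meant for a log collector that receives the router's syslog, since the infected router itself is the one doing the scanning.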


For further information follow the links below:


* Dissecting Linux/Moose: a Linux Router-based Worm Hungry for Social Networks


* Dissecting Linux-Moose
