Linux/Moose
Detection created: 2015-03-13
Short description
The worm serves as a backdoor. It can be controlled remotely.
Installation
The worm is usually found in the following folder:
- /var/
- /dev/
The following filename is used:
- elan2
Spreading
The worm tries to copy itself to the available remote computers.
The worm generates various IP addresses.
It tries to connect to the remote machine on port:
- 23 (TCP, Telnet)
The worm attempts to brute-force login credentials.
It uses a list of username and password combinations received from the C&C server.
If the login succeeds, the remote computer may be instructed to download a copy of the worm from the Internet.
This copy of the worm is then executed.
Information stealing
The worm collects sensitive information when the user browses certain web sites.
The worm collects the following information:
- cookies
The following services are affected:
- Google Play
- YouTube
The worm attempts to send gathered information to a remote machine.
Other information
The worm acquires data and commands from a remote computer or the Internet.
The worm contains a list of URLs. The TCP protocol is used.
It can execute the following operations:
- monitor network traffic
- set up a proxy server
- open ports
- terminate running processes
- send unidentified fraud traffic to popular social networks
The worm opens TCP port 10073.
The worm may execute a "DNS redirection" attack, which can cause redirection of network traffic to the attacker's web sites.
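The spreading pattern (one source sweeping many generated IPs on TCP/23) and the host indicators above (listener on TCP/10073, elan2 in /var/ or /dev/) can be turned into simple checks; the following is an added example written for this page, not ESET code. The log format, the sample lines and the scan threshold are constructed assumptions.

```python
"""Flag hosts showing the Linux/Moose behaviour described on this page.
Inputs are constructed for this example: log lines "<time> <src_ip> <dst_ip> <dst_port>",
plus a set of listening TCP ports and a path-exists callback so it runs offline."""
from collections import defaultdict
import os

TELNET_PORT = 23        # spreading: Telnet brute force against generated IPs
BACKDOOR_PORT = 10073   # "The worm opens TCP port 10073"
DROP_PATHS = ("/var/elan2", "/dev/elan2")  # install folders + filename from the page
SCAN_THRESHOLD = 5      # distinct Telnet targets per source before flagging (assumed)

# Constructed sample: 192.0.2.10 sweeps Telnet across many hosts, 192.0.2.20 is benign.
SAMPLE_LOG = [
    "10:00:01 192.0.2.10 198.51.100.1 23",
    "10:00:01 192.0.2.10 198.51.100.2 23",
    "10:00:02 192.0.2.10 198.51.100.3 23",
    "10:00:02 192.0.2.10 198.51.100.4 23",
    "10:00:03 192.0.2.10 198.51.100.5 23",
    "10:00:03 192.0.2.10 198.51.100.6 23",
    "10:00:04 192.0.2.20 198.51.100.7 23",
    "10:00:05 192.0.2.20 198.51.100.8 443",
    "10:00:05 192.0.2.20 198.51.100.9 443",
]

def parse_line(line):
    """Split one constructed log line into (time, src, dst, port)."""
    ts, src, dst, port = line.split()
    return ts, src, dst, int(port)

def find_telnet_scanners(lines, threshold=SCAN_THRESHOLD):
    """Map each source to the distinct hosts it contacted on TCP/23 and keep only
    sources at or above the threshold (the worm's IP-generation sweep pattern)."""
    targets = defaultdict(set)
    for line in lines:
        _, src, dst, port = parse_line(line)
        if port == TELNET_PORT:
            targets[src].add(dst)
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= threshold}

def host_indicators(listening_ports, exists=os.path.exists):
    """Host-level checks: backdoor listener on 10073 and the elan2 drop file."""
    return {
        "backdoor_port_open": BACKDOOR_PORT in listening_ports,
        "dropped_files": [p for p in DROP_PATHS if exists(p)],
    }

if __name__ == "__main__":
    print("Telnet sweepers:", find_telnet_scanners(SAMPLE_LOG))
    print("Host indicators:", host_indicators({22, 10073}, exists=lambda p: p == "/var/elan2"))
```

A single Telnet connection is normal administration, so the threshold matters; in practice feed it real flow or firewall logs and tune it to the size of the network.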
For further information follow the links below:
* Dissecting Linux/Moose: a Linux Router-based Worm Hungry for Social Networks