Social media users who pay for fake likes and follows may be getting an assist from the Linux/Moose IoT botnet.

Not all Internet-of-Things botnets take down the Internet like Mirai did, but that doesn't necessarily mean they should be allowed to perpetuate. Yet that seems to be the case for Linux/Moose, a malware program that recruits IoT devices to engage in social media fraud, according to a pair of reports from ESET and GoSecure.

Discovered in 2014 and still kicking, Linux/Moose commands IoT bots under its control to create fake social accounts that fraudulently like and follow individuals or businesses on apps like Facebook and Instagram. After studying and decrypting Linux/Moose botnet's proxy traffic over six months, GoSecure determined that the vast majority of the traffic – 86 percent – was directed at Instagram, while another eight percent targeted Twitter.

GoSecure conducted the study by creating a custom honeypot to capture the suspect traffic, and then employed two forms of man-in-the-middle attacks on that traffic in order to decode the encryption.

Interestingly, GoSecure found that only 11 percent of the requests sent from the botnet to Instagram's servers were made to follow another account, and only two percent were for liking posts. The remainder – 87 percent – were programmed to click around the social media site and emulate the behavior of normal users in order to avoid being blocked by spam filters. The efforts were apparently effective, because when the botnet did attempt to follow another account, it was successful 89 percent of the time.

However, the success was often short-lived: Of the 1,732 fake Instagram accounts that GoSecure observed Linux/Moose generate during its study, 72 percent were eventually suspended by the social media network. This may be because the accounts lacked authenticity; indeed, some accounts never posted anything and would use random inanimate objects such as plants as profile pictures. “Customers of the Linux/Moose botnet should therefore not expect to keep their followers and likes for long,” reads the GoSecure white-paper report.

According to GoSecure, Linux/Moose botnet customers are typically small businesses and aspiring celebrity-types looking to boost their credibility by appearing popular on social media platforms (a customer base the company referred to as the “Ego Market”). The Internet has myriad online services that charge money for likes and follows, generated automatically via botnets.

After determining that a single bot averages 1,186 new Instagram follows per month, GoSecure looked at the prices charged by various social media fraud services and determined that just one Linux/Moose bot generates service providers $13.05 in revenue per month. Extrapolating this data further, the company determined that a Linux/Moose botnet composed of 50,000 bots can produce revenues in the range of $700,000 per month.

Because these campaigns have no direct victim, law enforcement authorities tend to deprioritize social media fraud services, allowing them to openly advertise, the GoSecure report explained.

But in the wake of the Mirai attack that disrupted major websites across the Internet, might we see a concerted effort to crack down on IoT botnets, in any form? According to GoSecure cybersecurity research leader Olivier Bilodeau, any such movement to thwart Linux/Moose should start with the IoT manufacturers themselves. “Just having different administrative passwords for devices coming out of the manufacturing process would solve the whole thing,” said Bilodeau, in an interview with SC Media.

Meanwhile, ESET performed a technical analysis on Linux/Moose based on a variant it caught in September 2015, and detected several new updates since the IT security company released a white paper on the malware in May 2015.

According to ESET, the September 2015 variant no longer hardcoded its command-and-control IP address in its binary like the previous version did; instead, it hid the address in an encrypted command line argument. It also made changes in its network protocol in order to avoid some of its old indicators of compromise.