Researchers at ESET security have released a technical paper detailing their findings on malware that turns Linux-based devices into proxy servers that create fraudulent social media accounts.
The malware is a worm, dubbed “Linux/Moose” by ESET researchers Olivier Bilodeau and Thomas Dupuy. According to the report, the worm targets consumer routers and modems, including the hardware that Internet Service Providers (ISPs) supply to their customers. The worm has also infected devices from the following vendors: Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL and Zhone.
Bilodeau told SCMagazine.com that the malware doesn't have to use existing vulnerabilities to log into the devices. All it needs to spread is a Linux-based device running on the MIPS or ARM architecture that still has its factory login credentials.
Linux/Moose also has DNS hijacking capabilities that enable man-in-the-middle attacks. The worm will also kill the processes of other malware families it detects on the infected system.
The worm is able to spread because it has a mechanism that bypasses firewalls and looks for other routers in the area, on similar providers and devices, to infect.
“Once it has its foothold on a router it will start to eavesdrop on the communication that's going through it,” Bilodeau said. “If it catches certain characteristics in the information passing through it then it will steal the information and send it to a malicious server.”
The worm is also capable of creating fraudulent accounts on social networking sites including Twitter, Instagram and Vine. These bogus accounts are used to steadily add followers to accounts over time, Bilodeau said.
Twitter and Vine accounted for 49 percent of the traffic that was monitored. By spreading the activity out over the infected routers, the operators make it harder for the social networking sites to flag the fraudulent activity.
The report notes that buying and selling “social media followers” is a lucrative business and that the malware could be a source of financial gain for cyber criminals.
Users can prevent infection by changing the default password, disabling Telnet login and using SSH where possible. Researchers also recommend ensuring the router is not accessible from the Internet on ports 22 (SSH), 23 (Telnet), 80 (HTTP) and 443 (HTTPS). If your router is already infected, a factory reset followed by changing the password is the best way to rid the device of the malware.
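A quick way to verify the last recommendation, as an added example that is not part of the article or the ESET report: the script probes the four named ports on the router's public address and reports any that accept a connection. It assumes the probe is run from outside the home network (for example over a mobile connection), since from inside it would test the LAN interface instead, and the address 192.0.2.1 is a documentation placeholder to be replaced with the router's real WAN address.

```python
import socket
import sys

# Ports the researchers recommend keeping closed on the WAN side,
# with the reason each one matters in the context of Linux/Moose.
WATCHED_PORTS = {
    22: ("SSH", "remote management interface"),
    23: ("Telnet", "Linux/Moose spreads by logging in with factory credentials"),
    80: ("HTTP", "web administration interface"),
    443: ("HTTPS", "web administration interface"),
}


def probe_port(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout.

    Any socket error (refused, filtered/timeout, unreachable) counts as closed,
    which is the desired state for every watched port on the WAN side.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_router(host, ports=WATCHED_PORTS, timeout=3.0):
    """Probe each watched port and return a mapping {port: reachable}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def report(results, ports=WATCHED_PORTS):
    """Turn probe results into one finding per port that is exposed."""
    findings = []
    for port, reachable in sorted(results.items()):
        if reachable:
            name, reason = ports[port]
            findings.append(f"{name} (port {port}) reachable from the Internet: {reason}")
    return findings


if __name__ == "__main__":
    # Placeholder WAN address; pass the router's public IP as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    findings = report(audit_router(target))
    print("\n".join(findings) if findings else f"{target}: no watched ports reachable")
```

A finding for port 23 is the one to act on first: closing it on the WAN side and changing the factory password removes the only foothold the worm needs.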