In a technical paper issued this month by Olivier Bilodeau and Thomas Dupuy, ESET security researchers have detailed a new malware threat designed to infect consumer routers and other networked devices, including hardware provided by a user"s ISP. Linux/Moose, the malware identified, is setup to eavesdrop on any communications to devices behind an infected router, with a special eye towards social networking sites, where it will perform "social networking fraud" on Twitter, Facebook, Instagram, YouTube, and others. It will also attempt to infect other routers that it talks to.
This is a particularly troublesome find, as it affects a lot of commonly used home hardware based on MIPS and ARM architectures, and would be quite difficult to detect for the average user who has no capability to analyze malware infecting their network infrastructure. In 24 hours of analysis, ESET measured the worm"s aggressiveness in finding new hosts to infect, and discovered that almost 170,000 connection attempts were made to 23,000 unique hosts in an attempt to spread, and when an Internet scan was made of a random sampling of IP addresses, they detected upwards of 50,000 potentially infected hosts.
The paper lists a number of vendors that they have confirmed sell susceptible devices: Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL, Zhone. They also mention that it is highly likely that some medical devices are such as Drug Infusion Pumps could be infected by Linux/Moose, however since the discovered purpose of this malware so far appears to be social media fraud, that might not be as dangerous as it sounds. The real use cases discovered by the researchers so far is to create a network of unique IP addresses for signing up for new social media accounts, as well as selling "likes" under the radar from many controlled accounts.
As sites move closer to only allowing HTTPS connections, problems like this will affect them less since it is near-impossible to steal the authentication token for a site that requires SSL, but malware like this is smart and uses DNS spoofing to downgrade from HTTPS to HTTP on sites that allow it. The paper itself is quite interesting, and presents a novel use case for imbedded device worms, which will become a greater and greater issue as the Internet of Things moves from buzzword to reality.