A Moose once bit my honeypot – A story of an embedded Linux botnet
Embedded Linux platforms, labeled “Internet of Things” devices these days, have been increasingly targeted by malware authors in the last few years, with most infections resulting in the compromised system taking part in a botnet. While many of these botnets have been used to perform distributed denial of service (DDoS) or DNS hijacking attacks, we took the opportunity to thoroughly investigate a slightly different take on the Embedded Linux Botnet landscape.
Targeting Linux-based consumer routers, Linux/Moose is used by its operators to perform fraud on social networking sites like Facebook, Instagram, Twitter and YouTube. With this intent, it is built with SOCKS and HTTP proxying capabilities and a generic packet sniffer and exfiltration mechanism. To increase the size of its botnet, Linux/Moose uses several scanner threads that find and infect hosts, with the assistance of a C&C server to provide a binary specific to the victim’s architecture. Additionally, the malware has code to enable it to spread past firewalls and performs NAT traversal to allow the operator inside firewalled networks.
This is more than a malware description talk, as we aim to share a story: our mistakes, our learning process, the knowledge we’ve gathered and some tips related to malware research in the field of embedded platforms. In practice, this means how we ran and monitored infected hosts, how we studied its network protocols, some of our interactions with third-parties, advice (with code) on reverse-engineering statically-linked stripped MIPS and ARM ELF binaries, and more. Lastly, we will discuss the design decisions made by the makers of this threat and their impact, good or bad, on our ability to perform research.