Attacking Linux/Moose 2.0 unraveled an EGO MARKET
Want to give your blog a push or your “gun show” more views? Then why not buy 50,000 fake followers for $1,000! Click farms from down South or botnets such as Game over Zeus will be more than happy to supply them for you.
For this talk, a criminologist and a security researcher teamed up to hunt a large-scale botnet familiar to Botconf 2015’s attendees: Linux/Moose. The hunt was fastidious since Linux/Moose 2.0 has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spreads and is operated. To do so, we performed a large-scale HTTPS man-in-the-middle attack on several honeypots over the course of several months decrypting the bot’s proxy traffic. This gave us an impressive amount of information on the botnet’s activities: the name of the fake accounts it uses, its modus operandi to create fake follows and the identification of its consumers, companies and individuals.