
MOOSE Malware: Analysis

July 6, 2015 by Security Ninja

Part One of this series was very basic and only threw light on what Moose malware actually is, along with its components and related IoCs. In this, the final part of the series on Moose malware, we will focus more on analyzing the malware.

Infection Process

As we learned in Part One, Moose malware is made up of several components, each of which has many threads, with each thread set up for a different function. One of the main actors of Moose malware is the Scanner, whose main function is to scan for vulnerable systems. The Scanner component mainly has three threads:

  • One thread scans only random IP addresses to look for vulnerable systems.
  • After some vulnerable routers have been found, a second thread scans the IPs closely related to the external IP identified by the first thread. The range approximated by this thread is set to /15 (CIDR).
  • A third thread scans for IPs on the interface broadcast address of the IP found by the second thread, in an incremental way.

The third thread, after identifying internal systems, will try to connect on TCP port 10073. If it can connect, that means the system is already infected. As soon as it finds that the connection has been established, it disconnects and reports that to the C&C server. However, if the connection is not established, it will try to connect to the telnet service (TCP port 23) and will bruteforce the login prompt with a username and password. This combination of username and password is provided to the thread by the C&C server. Remember that Moose spreads over routers that have weak usernames and passwords (recap of Part One).

Note: TCP port 10073 is the port on which Moose propagates. This information has already been shared in Part One.
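
The scanner behaviour described above leaves a recognisable trace in connection logs: a probe of TCP port 10073 followed shortly by a telnet attempt against the same address, repeated across many addresses. The detection logic below is an added example, not part of the original article or of any analysed sample; the flow-record layout, the sample records, the function name, the 10-second window and the three-target threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

MOOSE_PORT = 10073    # port the article says Moose uses to recognise infected peers
TELNET_PORT = 23      # service the scanner brute-forces when 10073 is closed

# Constructed sample records: (epoch seconds, source IP, destination IP, TCP port).
SAMPLE_FLOWS = [
    (100, "192.168.1.1", "192.168.1.20", 10073),
    (101, "192.168.1.1", "192.168.1.20", 23),
    (102, "192.168.1.1", "192.168.1.21", 10073),
    (103, "192.168.1.1", "192.168.1.21", 23),
    (104, "192.168.1.1", "192.168.1.22", 10073),
    (106, "192.168.1.1", "192.168.1.22", 23),
    (200, "192.168.1.50", "192.168.1.1", 23),     # admin telnet, no 10073 probe first
    (300, "192.168.1.60", "192.168.1.20", 10073),
    (900, "192.168.1.60", "192.168.1.20", 23),    # too far apart to be one sequence
]


def find_scanner_like_sources(flows, window=10, min_targets=3):
    """Return {source: [destinations]} for sources that probed port 10073 and
    then telnet on the same destination within `window` seconds, for at least
    `min_targets` distinct destinations (both thresholds are assumptions)."""
    last_probe = {}              # (src, dst) -> time of the latest 10073 attempt
    targets = defaultdict(set)   # src -> destinations showing the full sequence
    for ts, src, dst, port in sorted(flows):
        key = (src, dst)
        if port == MOOSE_PORT:
            last_probe[key] = ts
        elif port == TELNET_PORT and key in last_probe:
            if ts - last_probe[key] <= window:
                targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_scanner_like_sources(SAMPLE_FLOWS).items():
        print(f"{src}: 10073-then-telnet sequence against {len(dsts)} hosts: {dsts}")
```

A source that only probes port 10073 and never follows up with telnet is not reported by this check; per the behaviour described above, that is what a scan of already infected hosts looks like, so it deserves a separate rule.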

When the bruteforce is successful, the Moose malware reports the success back to its C&C server. Below are the interesting fields used:

  • Message Type: This value is set to 14 to indicate that the bruteforce is successful.
  • IP address: IP address of the victim.

An important observation about this report to the C&C server is that, while the other fields are kept in little endian, the IP address is kept in big endian.

In reply, the C&C server responds with the following fields:

  • HijackDNS: If this is set to 1, it means try to hijack the DNS of this system.
  • IP Address: IP address of the victim.
  • Message Type: It is set to 14.

Below are the points that state how the C&C server executes commands on the remote infected host:

  • After a successful telnet login to the victim, the C&C server will start issuing commands to the remote victim. However, before the C&C server issues any command to the victim, the Moose malware on the infected router will gather information about the host and send it to the C&C server. Below are the fields used by Moose:
    • Message Type: This value is set to 15 to indicate to the C&C server that the login is successful.
    • Address: This is the IP address of the victim.
    • Credentials: Set of username and password used to obtain the access.
    • Details: It contains information about the victim, such as what sort of commands can be executed on the system.
  • After receiving the victim info, the C&C server will return the obfuscated commands to the Moose-infected router. Below are the fields returned from the C&C server:
    • Command: This contains the obfuscated command from the C&C.
    • Size: Size of the command.
    • Stream: Whether there is a stream of commands sent by the server.
    • End: This value is set to 0 to indicate the end of commands.
  • The Moose malware in turn will render the command into a meaningful command and send it to the remote host for execution. The first thing the C&C server does is to get the shell to execute the commands.

Moose has some very interesting features: it can act as an HTTP proxy (with support for HTTPS), hijack DNS, and act as a sniffer. Another very interesting feature of Moose is that it does not like competition, so it kills it. Yes, you guessed it! It actually kills other malware present on the device/system, as it does not like to share the underlying resources. Every hour, Moose goes through the processes under /proc/<pid> and searches through each cmdline file. This file contains the process's command line, including the arguments passed to it at startup. Moose kills every process it thinks belongs to a malware family. The question is how Moose knows which processes are malicious and which are not. Well, Moose has a hardcoded blacklist of strings that it matches against the cmdline file. Examples of blacklisted strings are /Challenge, /.scan, etc.
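
For incident responders, the same /proc/<pid>/cmdline data can be read to see which processes on a device such a string match would hit. The following is an added example, not code from Moose or from the original article; it only lists matching processes, uses the two blacklist strings quoted above, and its function names and the proc_root parameter are assumptions.

```python
import os

# The two example blacklist strings quoted in the article.
INDICATORS = ("/Challenge", "/.scan")


def read_cmdline(proc_root, pid):
    """Return the argv of a process as a list of strings, or None if unreadable."""
    try:
        with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
            raw = fh.read()
    except OSError:
        # The process exited between listdir() and open(), or access was denied.
        return None
    # Arguments are NUL-separated; kernel threads have an empty cmdline.
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\x00") if arg]


def find_matches(proc_root="/proc", indicators=INDICATORS):
    """Return sorted (pid, argv, indicator) tuples for processes whose command
    line contains one of the indicator substrings."""
    matches = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip non-process entries such as "net"
            continue
        argv = read_cmdline(proc_root, entry)
        if not argv:
            continue
        joined = " ".join(argv)
        for needle in indicators:
            if needle in joined:
                matches.append((int(entry), argv, needle))
                break
    return sorted(matches)


if __name__ == "__main__":
    for pid, argv, needle in find_matches():
        print(f"pid {pid} matches {needle!r}: {argv}")
```

A process can rewrite its own argv, so an empty result is not proof that a device is clean.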


Below are the steps that should be performed to get rid of Moose:

1. The easy and fast way is to change the password and reboot the system.
2. However, the recommended way is to do a factory reset and reinstall, along with a change of password.


Below are the steps that must be taken to prevent infection by Moose malware:

1. The first thing is to change the default username/password on network equipment.
2. Since the Moose malware logs in via Telnet, disable this insecure protocol. Use SSH instead.
3. Make sure the router is not accessible on the ports which Moose targets, i.e. SSH, Telnet, HTTP, HTTPS.
4. Always upgrade the firmware as and when it is released by the vendor.

This article, along with Part One of the series, gives a good insight into Moose malware. The best practices indicated above must also be adopted for better protection.
