A Moose Once Bit My Honeypot

A Story of an Embedded Linux Botnet

by Olivier Bilodeau (@obilodeau)

$ apropos

  • Embedded Linux Malware

  • Moose DNA (description)

  • Moose Herding (the Operation)

  • What’s New?

  • Take Aways

$ whoami

  • Malware Researcher at ESET

  • Infosec lecturer at ETS University in Montreal

  • Previously

    • infosec developer, network admin, linux system admin

  • Co-founder Montrehack (hands-on security workshops)

  • Founder NorthSec Hacker Jeopardy

Embedded Linux Malware

What marketing likes to call "Internet of Things Malware"

Malware Running On An Embedded Linux System


  • consumer routers

  • DVR

  • Smart TVs

  • IP Camera monitoring systems

  • …​

Caracteristics of Embedded Linux Systems

  • Small amount of memory

  • Small amount of flash

  • Non x86 architectures: ARM, MIPS

  • Wide-variety of libc implementations / versions

  • Same ABI-compatible Linux kernel (2.4 < x < 4.3)

  • Support ELF binaries

  • Rarely an integrated UI

  • Networked

Why Threats On These Systems Matters?

  • Hard to detect

  • Hard to remediate

  • Hard to fix

  • Low hanging fruit for bad guys

It’s Real

  • Several cases disclosed in the last two years

  • A lot of same-old background noise (DDoSer)

  • Things are only getting worse

Wait, is IoT malware really about things?

No. Not yet.

So what kind of malware can we find on such insecure devices?

  • Linux/Aidra

  • Linux/Bassobo

  • ChinaZ family (XOR.DDoS, …​)

  • Linux/Dofloo

  • Linux/DNSAmp (Mr Black, BillGates)

  • Linux/Gafgyt (LizardStresser)

  • Linux/Hydra

  • Linux/Tsunami

  • …​

Lesson Learned #0

Statically-linked stripped binaries

Static/stripped ELF primer

  • No imports (library calls) present

  • All the code bundled together down to kernel syscall

  • Disassembler (if available for arch) doesn’t help much

Linux/Moose binary in IDA

ELF static stripped

printf family

ELF fct printf proximity

Ecosystem makes it worst [for reversers]

  • GCC and GNU libc are always changing so compiled binaries always change

  • Little IDA FLIRT signatures available (if any)

  • Various C libraries: µClibc, eglibc, glibc, musl, …​

A Failed Attempt

Better Solution

  • Reproduce environment (arch, libc/compiler versions)

  • Build libraries w/ symbols under same conditions

  • Use bindiff to map library functions

  • Focus on malware code

Lesson #0

  • Going down to syscalls is too long in large binaries

  • Find a close match of C library

  • Build with symbols

  • Bindiff it (or maybe FLIRT it)

Lesson Learned #1

Be careful of strings and AV variant names

Anti-Virus Variants

and Strings

$ strings moose_mips.elf
cat /proc/cpuinfo
GET /xx/rnde.php?p=%d&f=%d&m=%d HTTP/1.1
Host: www.getcool.com
Connection: Keep-Alive

Lesson #1

  • Be careful with detection names

  • Don’t request domain take down based on output of strings

  • and don’t do so for other people’s research!

Misleading Strings

design good

Moose DNA

aka Malware description

Hang tight, this is a recap


  • Discovered in November 2014

  • Thoroughly analyzed in early 2015

  • Published a report in late May 2015


Named after the string "elan" present in the malware executable

elan strings

Elan is French for

moose silly

The Lotus Elan

lotus elan


The Slovak rock band (from 1969 and still active)


  • Statically linked stripped ELF binary

  • ARM (GNU EABI and EABI 5)

  • MIPS (little and big endian)

  • No x86 sample found

  • C&C IP in integer form buried in all this code

MIPS/ARM + statically linked + stripped + no x86

design good

Strings not obfuscated

design bad

Network capabilities

  • Pivot through firewalls

  • Home-made NAT traversal

  • Custom-made Proxy service

    • only available to a set of authorized IP addresses

  • Remotely configured generic network sniffer

  • DNS Hijacking

Lesson Learned #2

Don’t assume it’s custom when it can be a standard protocol

Proxy with access from C&C authorized IPs only

design good

C&C IP is hardcoded

  • No fallback domains or DGA

design bad

Attack Vector

  • Telnet credentials bruteforce

  • Wordlist of 304 user/pass entries sent by server

Compromise Protocol

moose infection process

Can perform cross-arch infections

design good

No further spreading if C&C is down

design bad

Missing: Persistence

design meh

Literally kills competition

design good

Lesson Learned #3

Less RE, more honeypot!



  • Launch the binary in a debian MIPS qemu image

  • Reachable from the Internet

  • Watch it behave

  • Firewall it


  • Aurel images: https://people.debian.org/~aurel32/qemu/mips/

  • Qemu command:

    qemu-system-mips -M malta \
            -no-reboot -nographic \
            -kernel vmlinux-3.2.0-4-4kc-malta \
            -hda debian_wheezy_mips_standard.qcow2 \
            -append "root=/dev/sda1 console=ttyS0" \
            -redir tcp:10073::10073 -redir tcp:22::22 -redir tcp:23::23

Lesson #3

  • We were too careful

  • Everything we learned operationally was because of infected host

Hard to track malware

design good

Moose Herding

The Malware Operation

Via C&C Configuration

  • Network sniffer was used to steal HTTP Cookies

    • Twitter: twll, twid

    • Facebook: c_user

    • Instagram: ds_user_id

    • Google: SAPISID, APISID

    • Google Play / Android: LAY_ACTIVE_ACCOUNT

    • Youtube: LOGIN_INFO

Sniffing HTTPS Cookies

design meh

Via Proxy Usage Analysis

  • Nature of traffic

  • Protocol

  • Targeted social networks

75%+ HTTPS but…​

An Example

fraud example 1

An Example (cont.)

fraud example 2

An Example (cont.)

fraud example 3

An Example (cont.)

fraud example 4

Fraud hidden in HTTPS

design good

Except Instagram first hit

design bad

Latest Developments

Whitepaper Impact

  • Few weeks after the publication the C&C servers went dark

    • After a reboot, all affected devices should be cleaned

    • But victims compromised via weak credentials, so they can always reinfect

Alive or dead?

port 10073 stats

Alive or dead? (cont.)

  • On the lookout for Moose v2

  • Looked at over 150 new samples targeting embedded Linux platforms

Found Update

  • New proxy service port (20012)

  • C&C selection on CLI

  • C&C server returns 404 on unknown bots

  • Still under analysis

  • Still trying to get infected

Reading research papers and adapting

design very nice

port 20012 stats v2

Take Aways

Research artifacts released

Embedded malware

  • Not yet complex

  • Tools and processes need to catch up

  • a low hanging fruit

  • Prevention simple



Thank you!

  • @obilodeau

  • and special thanks to Thomas Dupuy (@nyx__o)