The Moose worm aims to infect a large number of IoT devices
The Moose worm aims to infect IoT devices that have weak passwords, using the Telnet channel. IoTPOT has been capturing the Moose worm continuously since August 2015. After a successful Telnet login to an IoT device, Moose performs steps 1, 2 and 3 shown in Figure 1 to infect it.
In sandbox analysis, we observed that the Moose worm scans TCP/23 and TCP/20012 and has a backdoor port on TCP/20012. Figure 2 shows the /24 networks of the IP addresses that Moose scanned on both TCP/23 and TCP/20012 within one hour of sandbox analysis. Figure 2 clearly shows that Moose aims to scan and infect IP addresses on which it can log in successfully via Telnet.
In addition, by measuring IP addresses listening on TCP/23 and TCP/20012 in August 2015, we found networks in which a large number of IP addresses were listening on both TCP/23 and TCP/20012. Further analysis of these IP addresses showed that they exist in the same AS and that all of them present the same Telnet banner, “Residential Gateway”. We therefore presume that the same devices are distributed by the same ISP and have been infected in large numbers as a group because they share the same vulnerability. For more information, please contact tie-ying-fc@ynu.jp, ezawa-yuta-xd.ynu.jp, nakayama-sou-ch@ynu.jp, yoshioka@ynu.ac.jp.
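The two observations above (the paired TCP/23 and TCP/20012 scanning seen in the sandbox, and the census of hosts listening on both ports that share an AS and a Telnet banner) can both be turned into simple defender-side checks. The following Python is an added example written for this page; it is not IoTPOT's own tooling. It assumes a constructed sandbox connection log in the form "seconds destination-ip destination-port", a constructed listening-host census with private-use ASNs (64500 to 64502), and the port pair named in the text; all sample values are made up for illustration.

```python
import ipaddress
from collections import defaultdict

# Ports the page attributes to Moose: Telnet scanning and the backdoor port.
MOOSE_PORTS = {23, 20012}

# Constructed sandbox log of outbound connection attempts (assumed format:
# "<seconds since start> <destination ip> <destination port>").
SANDBOX_LOG = """\
0.10 203.0.113.5 23
0.11 203.0.113.9 20012
0.20 203.0.113.77 23
0.21 203.0.113.78 20012
1.05 198.51.100.3 23
1.06 198.51.100.3 80
2.30 192.0.2.40 20012
2.31 192.0.2.41 23
3.00 192.0.2.200 23
"""

# Constructed census of hosts found listening during a port measurement.
# "asn" values are private-use ASNs, "open" is the set of listening TCP ports.
CENSUS = [
    {"ip": "203.0.113.5",  "asn": 64500, "open": {23, 20012}, "banner": "Residential Gateway"},
    {"ip": "203.0.113.9",  "asn": 64500, "open": {23, 20012}, "banner": "Residential Gateway"},
    {"ip": "203.0.113.77", "asn": 64500, "open": {23},        "banner": "Residential Gateway"},
    {"ip": "198.51.100.3", "asn": 64501, "open": {23, 20012}, "banner": "BusyBox"},
    {"ip": "192.0.2.40",   "asn": 64502, "open": {23, 20012}, "banner": "Residential Gateway"},
]


def parse_log(text):
    """Yield (seconds, ip_address, port) from the sandbox log, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield float(parts[0]), ipaddress.ip_address(parts[1]), int(parts[2])
        except ValueError:
            continue


def ports_per_network(records, prefix=24):
    """Map each destination /prefix network to the set of ports probed inside it."""
    seen = defaultdict(set)
    for _, ip, port in records:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        seen[str(net)].add(port)
    return seen


def moose_scan_networks(text, ports=MOOSE_PORTS):
    """Return the sorted /24 networks in which every port of the Moose pair was probed.

    A sample that touches both TCP/23 and TCP/20012 in the same /24 matches the
    scanning behaviour described in the sandbox analysis; a sample that only
    probes Telnet (or unrelated ports) does not.
    """
    seen = ports_per_network(parse_log(text))
    return sorted(net for net, probed in seen.items() if ports <= probed)


def suspect_device_groups(census, ports=MOOSE_PORTS):
    """Group hosts listening on the full Moose port pair by (ASN, Telnet banner).

    Large groups sharing one AS and one banner are the pattern the census
    analysis used to infer a single device model distributed by one ISP.
    """
    groups = defaultdict(list)
    for host in census:
        if ports <= host["open"]:
            groups[(host["asn"], host["banner"])].append(host["ip"])
    return {key: sorted(ips) for key, ips in groups.items()}


if __name__ == "__main__":
    print("networks scanned on both ports:", moose_scan_networks(SANDBOX_LOG))
    for (asn, banner), ips in suspect_device_groups(CENSUS).items():
        print(f"AS{asn} {banner!r}: {len(ips)} host(s) listening on both ports")
```

Because the census grouping only uses ports and banner text, it is a triage heuristic: a host listening on both TCP/23 and TCP/20012 with a “Residential Gateway” banner is a candidate for follow-up with the ISP, not a confirmed infection.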