Routers are actively being probed for weak Telnet passwords and taken over by a new peer-to-peer (P2P) botnet called Mozi, which is related to the Gafgyt malware and reuses some of its code.
The Mozi Botnet uses its own extended DHT protocol to build a P2P network.
According to NetLab, who discovered this botnet, Mozi infects new devices through weak Telnet passwords and exploits. The infection process is as follows:
- The current Bot node randomly chooses a local port on which it starts an HTTP service that serves the sample for download, or it receives a sample download address in the config file issued by the botnet master. Either way, it provides a sample download address for the targets it will infect next.
- The current Bot node logs in to the target device with a weak password, writes the downloader file using echo and runs it; the downloader then fetches the sample file from the download address provided by the current Bot node. Alternatively, the Bot node exploits a vulnerability on the target and then fetches the sample file from the same download address.
- The Mozi Bot sample runs on the newly infected device, joins the Mozi P2P network as a new Mozi Bot node, and continues infecting other devices.
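The first infection step above relies on Telnet credential guessing against exposed devices. The following is an added detection example, not code from the original post or from NetLab: it parses constructed, syslog-style `telnetd` lines (the log format, the `find_bruteforce_logins` function and the thresholds are assumptions) and flags any source address that logs in successfully after a burst of failed attempts within a short window, which is the footprint a weak-password takeover like Mozi's leaves in router logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape (constructed for this example; real router syslog
# formats vary, so adapt LINE_RE to the device you are monitoring):
#   <ISO timestamp> telnetd[<pid>]: login <failed|succeeded> for '<user>' from <ipv4>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>failed|succeeded) "
    r"for '(?P<user>[^']*)' from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def parse_line(line):
    """Parse one telnetd log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "succeeded",
        "user": m["user"],
        "src": m["src"],
    }


def find_bruteforce_logins(lines, min_failures=3, window=timedelta(minutes=5)):
    """Return one finding per source IP that logged in successfully after at
    least `min_failures` failed attempts inside `window` (sliding, per source).
    Successful logins with fewer preceding failures (e.g. an admin's typo) are
    ignored, and a success resets that source's failure history."""
    recent_failures = defaultdict(list)  # src -> timestamps of recent failures
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        fails = recent_failures[ev["src"]]
        # Forget failures that fall outside the sliding window.
        fails[:] = [t for t in fails if ev["ts"] - t <= window]
        if ev["ok"]:
            if len(fails) >= min_failures:
                findings.append({
                    "src": ev["src"],
                    "user": ev["user"],
                    "failures": len(fails),
                    "ts": ev["ts"],
                })
            fails.clear()
        else:
            fails.append(ev["ts"])
    return findings


# Constructed sample log: a four-attempt guessing run from 203.0.113.5 that
# ends in a successful 'admin' login, an old stray failure outside the window,
# a legitimate single typo from 192.0.2.10, and an unrelated kernel line.
SAMPLE_LOG = [
    "2020-01-10T09:00:00 telnetd[101]: login failed for 'root' from 203.0.113.5",
    "2020-01-10T10:00:01 telnetd[118]: login failed for 'root' from 203.0.113.5",
    "2020-01-10T10:00:03 telnetd[118]: login failed for 'admin' from 203.0.113.5",
    "2020-01-10T10:00:05 telnetd[118]: login failed for 'support' from 203.0.113.5",
    "2020-01-10T10:00:07 telnetd[118]: login failed for 'admin' from 203.0.113.5",
    "2020-01-10T10:00:09 telnetd[118]: login succeeded for 'admin' from 203.0.113.5",
    "2020-01-10T10:00:10 kernel: eth0: link up",
    "2020-01-10T11:00:00 telnetd[131]: login failed for 'admin' from 192.0.2.10",
    "2020-01-10T11:00:02 telnetd[131]: login succeeded for 'admin' from 192.0.2.10",
]

if __name__ == "__main__":
    for f in find_bruteforce_logins(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} logged in as {f['user']} "
              f"after {f['failures']} failures")
```

The 09:00 failure from 203.0.113.5 is deliberately dropped by the window check, so the finding counts the four attempts in the 10:00 burst only; the single failure from 192.0.2.10 never reaches the threshold. On a real device the better control is to disable Telnet entirely and replace default credentials, with this kind of log review as the check that nothing slipped through.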
The vulnerabilities used by Mozi Botnet are shown in the following table:

| Vulnerability | Affected devices |
|---|---|
| Eir D1000 Wireless Router RCI | Eir D1000 Router |
| Vacron NVR RCE | Vacron NVR devices |
| CVE-2014-8361 | Devices using the Realtek SDK |
| Netgear cgi-bin Command Injection | Netgear R7000 and R6400 |
| Netgear setup.cgi unauthenticated RCE | DGN1000 Netgear routers |
| JAWS Webserver unauthenticated shell command execution | MVPower DVR |
| CVE-2017-17215 | Huawei Router HG532 |
| HNAP SoapAction-Header Command Execution | D-Link Devices |
| CVE-2018-10561, CVE-2018-10562 | GPON Routers |
| UPnP SOAP TelnetD Command Execution | D-Link Devices |
| CCTV/DVR Remote Code Execution | CCTV DVR |
Further details can be found at – https://blog.netlab.360.com/mozi-another-botnet-using-dht/