This botnet is first surfaced by Netlab 360’s team of threat monitoring. They’ve flagged this new botnet after studying it for nearly four months. Named as Mozi, this new botnet is found using a part of Gafgyt’s code and is based on DHT protocol. While Gafgyt is just another malware infecting systems, Distributed Hash Table (DHT) is a custom protocol based on standard ones and is used commonly in torrent clients (and other P2P services. This protocol helps in hiding its malware payload behind the huge amount of DHT traffic, thus making it harder to detect the malicious code passing through the network. Further, it’s faster to expand connections in the network without the use of servers.
Infecting Methodology
After scanning the environment, Mozi finds a vulnerable device like router or CCTV with a weak password and cracks using telnet. After logging in, it then drops/executes the payload to take full control of the unpatched device. And this will be added to the P2P network immediately. After which, the devices in the network will be receiving commands from botnet master in executing and preferred actions as DDoS attacks. Aside, they’ll be searching other vulnerable devices nearby to add them to their network, thus expanding. The end result of acquiring all such devices would be for:
Performing DDoS attacks Collecting Information from Bot Executing system or custom commands Executing the payload of specified URL Updating the sample from the specified URL
As the team started researching since early September this year, they’ve found these devices to be vulnerable enough to be compromised and added to the P2P network. Suggestions to avoid being the part of the malicious network is to update the regular patches released by service providers.
Vulnerable Devices
D-Link Devices, Eir D1000 Router, DGN1000 Netgear routers, Netgear R7000 and R6400, Vacron NVR devices, MVPower DVR, Devices using the Realtek SDK, GPON Routers, Huawei Router HG532 and CCTV DVRs. Source: Netlab 360
