Netgear, D-Link, and Huawei routers are actively being probed for weak Telnet passwords and taken over by a new peer-to-peer (P2P) botnet dubbed Mozi and related to the Gafgyt malware as it reuses some of its code.
Security researchers at 360 Netlab who discovered it and monitored its activities for roughly four months also found that the botnet's main purpose is to be used in DDoS attacks.
The botnet is implemented using a custom extended Distributed Hash Table (DHT) protocol based on the standard one commonly used by torrent clients and other P2P platforms to store node contact info.
This makes it faster to establish the botnet's network without the need to use servers, as well as easier to "hide the valid payload in the vast amount of normal DHT traffic so detection is impossible without proper knowledge," as 360 Netlab found.
Mozi also uses ECDSA384 and the XOR algorithm to assure the integrity and security of the botnet's components and the P2P network.
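The researchers' point above is that a botnet riding on the DHT protocol can hide its traffic among ordinary torrent-client chatter, so a defender needs some "proper knowledge" of what standard DHT messages look like to spot the odd ones. The following is an added example written for this article, not code from 360 Netlab or from the Mozi sample: a small bencode decoder plus a classifier that checks UDP payloads against the standard KRPC message shape (BEP 5: a dictionary with a transaction id `t`, a type `y`, and one of the four standard query names). The packet bytes are constructed for illustration; the page does not document Mozi's actual extension fields, so the "anomalous" samples are only stand-ins for traffic that does not fit the standard protocol.

```python
"""Classify UDP payloads as standard BitTorrent DHT (KRPC, BEP 5) messages
or as anomalies worth a second look.  Added example for this article; the
packets below are constructed and do not reproduce Mozi's real format."""

# The four query names defined by BEP 5 and the top-level keys it uses.
STANDARD_QUERIES = {"ping", "find_node", "get_peers", "announce_peer"}
TOP_LEVEL_KEYS = {b"t", b"y", b"q", b"a", b"r", b"e", b"v", b"ip"}


def bdecode(data: bytes):
    """Decode one bencoded value; raise ValueError on malformed input."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def _decode(data: bytes, i: int):
    if i >= len(data):
        raise ValueError("unexpected end of data")
    c = data[i:i + 1]
    if c == b"i":                      # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                      # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = _decode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                      # dictionary: d<key><value>...e
        out, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = _decode(data, i)
            if not isinstance(key, bytes):
                raise ValueError("dictionary key is not a byte string")
            out[key], i = _decode(data, i)
        return out, i + 1
    if c.isdigit():                    # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        length = int(data[i:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("string length exceeds data")
        return data[start:start + length], start + length
    raise ValueError(f"bad bencode byte {c!r} at offset {i}")


def classify(payload: bytes) -> str:
    """Return 'standard' for a well-formed KRPC message, otherwise a reason."""
    try:
        msg = bdecode(payload)
    except ValueError:
        return "not bencode"
    if not isinstance(msg, dict):
        return "top-level value is not a dictionary"
    if b"t" not in msg or b"y" not in msg:
        return "missing transaction id or message type"
    extra = set(msg) - TOP_LEVEL_KEYS
    if extra:
        names = ", ".join(sorted(k.decode("latin-1") for k in extra))
        return "unknown top-level keys: " + names
    y = msg[b"y"]
    if y == b"q":
        q = msg.get(b"q")
        if not isinstance(q, bytes) or q.decode("latin-1") not in STANDARD_QUERIES:
            return f"non-standard query name {q!r}"
        if not isinstance(msg.get(b"a"), dict):
            return "query without argument dictionary"
        return "standard"
    if y == b"r":
        return "standard" if isinstance(msg.get(b"r"), dict) else "response without body"
    if y == b"e":
        return "standard" if isinstance(msg.get(b"e"), list) else "error without body"
    return f"unknown message type {y!r}"


NODE_ID = b"A" * 20  # constructed 20-byte node id

# Constructed sample payloads: two ordinary DHT messages and three that a
# standard client would never send.
SAMPLE_PACKETS = {
    "ping query": b"d1:ad2:id20:" + NODE_ID + b"e1:q4:ping1:t2:aa1:y1:qe",
    "find_node response": b"d1:rd2:id20:" + NODE_ID + b"5:nodes0:e1:t2:aa1:y1:re",
    "custom query name": b"d1:ad2:id20:" + NODE_ID + b"e1:q6:config1:t2:aa1:y1:qe",
    "extra top-level key": b"d1:ad2:id20:" + NODE_ID + b"e1:q4:ping1:t2:aa3:xyz3:foo1:y1:qe",
    "raw bytes": b"\x00\x01\x02",
}


def scan(packets=SAMPLE_PACKETS) -> dict:
    """Classify every packet and return {name: verdict}."""
    return {name: classify(data) for name, data in packets.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:22s} -> {verdict}")
```

Run over real captures, the interesting output is the set of peers whose messages repeatedly fall outside the standard shape; a single malformed packet is noise, a node that keeps exchanging non-standard queries with many others is a lead.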

Propagation method and targeted devices
The malware propagates to new vulnerable devices over telnet and through exploits: it logs in to any targeted router or CCTV DVR that ships with a weak password, and it drops and executes a payload on unpatched hosts after successfully exploiting them.
Once the malware is loaded on the now compromised device, the newly activated bot will automatically join the Mozi P2P network as a new node.
The next stage of the infection sees the new bot nodes receiving and executing commands from the botnet master, while also searching for and infecting other vulnerable Netgear, D-Link, and Huawei routers to add to the botnet.
"After Mozi establishes the p2p network through the DHT protocol, the config file is synchronized, and the corresponding tasks are started according to the instructions in the config file," the researchers explain.

To make sure that their botnet is not taken over by other threat actors, Mozi's operators set it up to automatically verify all commands and synced configs sent to the botnet's nodes, so that only the ones passing these built-in checks are accepted and executed by the nodes.
The main instructions accepted by Mozi nodes are designed to:
• Launch DDoS attacks (this module reuses Gafgyt's attack code, supports HTTP, TCP, UDP, and other attacks)
• Collect and exfiltrate bot info (Bot ID, IP, PORT, filename (full path), gateway, CPU architecture)
• Execute payload from URL
• Update from the specified URL
• Execute system or bot custom commands
As the 360 Netlab researchers found while monitoring Mozi activity since September 03 when they discovered the first sample, these are the ten unpatched devices the malware will attack, infect, and add to the P2P network:
| Affected Device | Vulnerability |
|---|---|
| Eir D1000 Router | Eir D1000 Wireless Router RCI |
| Vacron NVR devices | Vacron NVR RCE |
| Devices using the Realtek SDK | CVE-2014-8361 |
| Netgear R7000 and R6400 | Netgear cig-bin Command Injection |
| DGN1000 Netgear routers | Netgear setup.cgi unauthenticated RCE |
| MVPower DVR | JAWS Webserver unauthenticated shell command execution |
| Huawei Router HG532 | CVE-2017-17215 |
| D-Link Devices | HNAP SoapAction-Header Command Execution |
| GPON Routers | CVE-2018-10561, CVE-2018-10562 |
| D-Link Devices | UPnP SOAP TelnetD Command Execution |
| CCTV DVR | CCTV/DVR Remote Code Execution |
P2P botnets increasingly more common
P2P botnets like Nugache and Storm (aka Peacomm), Sality P2P, Waledac, Kelihos (aka Hlux), ZeroAccess (aka Sirefef), Miner, and Zeus P2P raised huge armies for their masters since at least the beginning of 2006, but most of them are now extinct.
Others, such as Hajime and Hide 'N Seek (aka HNS), are still scanning for vulnerable devices to compromise and zombify one by one.
Hide 'N Seek, for example, grew to over 90,000 devices in just a few days in September 2018, while Hajime 'zombified' around 300,000 infected devices in about six months after being first spotted during the fall of 2016.
Even though P2P botnets are known to be highly resilient against sinkholing attacks designed to disrupt and even shut them down, there are examples such as the ZeroAccess and Kelihos that are vulnerable.
Until more details about Mozi surface and get examined for potential weaknesses, the feasibility of a sinkholing attack against it is anyone's guess. Till then, Mozi has everything it needs to keep harvesting bots if the routers and other devices it targets aren't patched.
Another P2P botnet dubbed Roboto and discovered by the same research team has also been scanning the Internet for Linux servers running unpatched Webmin installations since it was first spotted in late August.
Additional information on the inner workings of this new P2P botnet and malware sample hashes are available at the end of 360 Netlab's Mozi report.
