360 Netlab detects the Mozi botnet, which takes control of Netgear, D-Link and Huawei routers

In its latest blog post, the 360 Netlab security team revealed the latest developments of the Mozi botnet, which mainly uses weak passwords and known vulnerabilities to infect home routers. The router brands currently involved include Netgear, Huawei and D-Link. Besides routers, some home digital video recorders (DVRs) and surveillance cameras have also been infected. For command and control the botnet uses a custom, extended distributed hash table (DHT) protocol, that is, a peer-to-peer (P2P) design in which every infected device becomes a node that relays traffic for the others.

Most malware and botnets rely on remote command-and-control servers to receive instructions, and such botnets are comparatively easy to disrupt once those servers are found. This more advanced botnet has no central server: the whole network relies on the large number of infected devices acting as nodes that redistribute the controller's instructions. According to the 360 Netlab security team, this design lets Mozi propagate commands faster, while its P2P traffic blends in with normal activity and makes tracking harder. The botnet author also uses ECDSA384 signatures and XOR encoding to protect the integrity and confidentiality of botnet components and P2P messages. Note that only the signature provides integrity: XOR with a key that every node must hold is obfuscation rather than strong encryption.

The botnet's spreading methods are not special: it mainly exploits weak passwords on these IoT devices and known security vulnerabilities. "Weak password" means that many routers are protected by very simple passwords, often the factory default such as 123456. "Security vulnerability" means a flaw in the router or camera firmware itself; an attacker can use such a flaw to infect a device without knowing any password at all. Both weak passwords and firmware vulnerabilities have been used in many IoT attacks in the past.

The 360 security team said that once a router is infected, the malware automatically joins the botnet's P2P network, and the device then becomes a new attack node that infects further victims. Nodes check the signature on every command or configuration file they receive, so only commands and configuration files signed by the botnet operator are accepted and synchronised across all nodes; this stops outsiders from hijacking the network by injecting their own commands.
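To make concrete what the ECDSA384-plus-XOR scheme buys the operator (authenticity of P2P updates, not real secrecy), here is an added example in Go; it is not 360 Netlab's or Mozi's code. An operator signs a configuration blob with a P-384 key and XOR-encodes it for transport, and a node accepts the blob only if the signature verifies under the operator's public key. The configuration contents, the XOR key and the message layout are assumptions made for illustration; Mozi's real wire format is not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// xorBytes applies a repeating-key XOR to data. This is obfuscation, not
// encryption: every node holds the key, so anyone with a sample can undo it.
// Integrity therefore has to come from the signature, not from the XOR.
func xorBytes(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// SignedConfig is what a node receives from a peer: the XOR-encoded
// configuration plus the operator's ECDSA P-384 signature over the plaintext.
// The layout is assumed for this example; Mozi's real format is not reproduced.
type SignedConfig struct {
	Encoded   []byte
	Signature []byte
}

// publishConfig is the operator side: hash and sign the plaintext with the
// private key, then XOR-encode it for transport over the P2P network.
func publishConfig(priv *ecdsa.PrivateKey, plain, xorKey []byte) (SignedConfig, error) {
	digest := sha512.Sum384(plain)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedConfig{}, err
	}
	return SignedConfig{Encoded: xorBytes(plain, xorKey), Signature: sig}, nil
}

// acceptConfig is the node side: decode, rehash, and hand back the config
// only if the signature verifies under the operator's public key.
func acceptConfig(pub *ecdsa.PublicKey, sc SignedConfig, xorKey []byte) ([]byte, bool) {
	plain := xorBytes(sc.Encoded, xorKey)
	digest := sha512.Sum384(plain)
	if !ecdsa.VerifyASN1(pub, digest[:], sc.Signature) {
		return nil, false
	}
	return plain, true
}

func main() {
	// Operator key pair. In a botnet only the public key is embedded in bots.
	priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		panic(err)
	}
	xorKey := []byte{0x4e, 0x66, 0x5a, 0x8f}                 // constructed key
	cfg := []byte("ver=2;peer=203.0.113.7:6000;task=update") // constructed config

	sc, err := publishConfig(priv, cfg, xorKey)
	if err != nil {
		panic(err)
	}
	if got, ok := acceptConfig(&priv.PublicKey, sc, xorKey); ok {
		fmt.Printf("genuine config accepted: %s\n", got)
	}

	// Flipping one bit of the encoded blob changes the decoded plaintext, so
	// the digest no longer matches the signature and the node drops it.
	sc.Encoded[0] ^= 0x01
	_, ok := acceptConfig(&priv.PublicKey, sc, xorKey)
	fmt.Println("tampered config accepted:", ok)

	// A third party who knows the XOR key but not the private key cannot
	// produce a signature the nodes will accept.
	rogue, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	rc, _ := publishConfig(rogue, []byte("task=attack"), xorKey)
	_, ok = acceptConfig(&priv.PublicKey, rc, xorKey)
	fmt.Println("rogue config accepted:", ok)
}
```

The point for defenders is the asymmetry: recovering the XOR key from a sample lets an analyst read the configuration, but it does not let anyone push a configuration of their own, which is why sinkholing a P2P botnet of this design needs a different approach than forging its messages.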

After four months of tracking, the 360 security team confirmed that the botnet author's main purpose is to launch DDoS attacks. The operators may take orders on the underground market and then flood specific websites or servers with traffic that blocks normal connections and access. This is very common in the game industry, especially online games, where some competitors disrupt each other's operations this way. The 360 security team is not yet clear about the exact size of the botnet and is currently trying to infiltrate the Mozi network to find out more.

The vulnerabilities used by the Mozi botnet are shown in the following table:

Vulnerability                                              Affected device
---------------------------------------------------------  ----------------------------------
Eir D1000 Wireless Router RCI (remote command injection)   Eir D1000 router
Vacron NVR RCE                                             Vacron NVR devices
CVE-2014-8361                                              Devices using the Realtek SDK
Netgear cgi-bin command injection                          Netgear R7000 and R6400
Netgear setup.cgi unauthenticated RCE                      Netgear DGN1000 routers
JAWS webserver unauthenticated shell command execution     MVPower DVR
CVE-2017-17215                                             Huawei HG532 router
HNAP SoapAction-Header command execution                   D-Link devices
CVE-2018-10561, CVE-2018-10562                             GPON routers
UPnP SOAP TelnetD command execution                        D-Link devices
CCTV/DVR remote code execution                             CCTV/DVR devices
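As an added example (not code from the 360 Netlab report or from Mozi), the following Go program classifies raw HTTP requests against the exploit shapes of several entries in the table above, the way a network sensor would. The request patterns are this example's own approximations of the publicly documented exploit traffic for those advisories, and every sample request is constructed here; a real deployment would carry equivalent rules in an IDS such as Suricata rather than a standalone program.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// signature pairs a table entry with a regexp that matches the shape of the
// public exploit request for it. The patterns are this example's own
// approximations, not 360 Netlab's or Mozi's code.
type signature struct {
	name string
	re   *regexp.Regexp
}

var signatures = []signature{
	// CVE-2018-10561 (auth bypass via "?images/" on the URL) chained with
	// CVE-2018-10562 (command injection through the dest_host parameter).
	{"CVE-2018-10561, CVE-2018-10562 (GPON routers)",
		regexp.MustCompile(`(?s)/GponForm/diag_Form\?images/.*dest_host=[^&\r\n]*[;` + "`" + `|$]`)},
	// Netgear R7000/R6400: a command placed after ";" directly in the cgi-bin path.
	{"Netgear cgi-bin command injection (R7000/R6400)",
		regexp.MustCompile(`^(GET|POST) /cgi-bin/;`)},
	// Netgear DGN1000: setup.cgi with todo=syscmd runs "cmd" without a login.
	{"Netgear setup.cgi unauthenticated RCE (DGN1000)",
		regexp.MustCompile(`/setup\.cgi\?.*todo=syscmd.*cmd=`)},
	// MVPower DVR JAWS webserver: the command is the query string of /shell.
	{"JAWS webserver unauthenticated shell command execution (MVPower DVR)",
		regexp.MustCompile(`^GET /shell\?`)},
	// D-Link HNAP: shell metacharacters inside the SOAPAction header value.
	{"HNAP SoapAction-Header command execution (D-Link)",
		regexp.MustCompile(`(?i)SOAPAction:.*purenetworks\.com/HNAP1/[^\r\n]*[;` + "`" + `]`)},
	// Huawei HG532: $(...) inside NewStatusURL of the DeviceUpgrade_1 SOAP body.
	{"CVE-2017-17215 (Huawei HG532)",
		regexp.MustCompile(`(?s)/ctrlt/DeviceUpgrade_1.*<NewStatusURL>[^<]*\$\(`)},
	// Realtek SDK miniigd: shell metacharacters in UPnP AddPortMapping arguments.
	{"CVE-2014-8361 (Realtek SDK)",
		regexp.MustCompile(`(?s)AddPortMapping.*<NewInternalClient>[^<]*[;` + "`" + `|$]`)},
}

// classifyRequest returns the names of all table entries whose exploit
// pattern appears in a raw HTTP request (request line, headers and body).
// An empty result means none of these signatures matched.
func classifyRequest(raw string) []string {
	var hits []string
	for _, s := range signatures {
		if s.re.MatchString(raw) {
			hits = append(hits, s.name)
		}
	}
	return hits
}

func main() {
	// Constructed sample requests; 203.0.113.0/24 is documentation address space.
	samples := []struct{ label, raw string }{
		{"gpon", "POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n" +
			"XWebPageName=diag&diagnostic_type=ping&dest_host=`busybox uname`;&ipv=0"},
		{"netgear-cgi", "GET /cgi-bin/;uname$IFS-a HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"},
		{"hnap", "POST /HNAP1/ HTTP/1.1\r\nHost: 203.0.113.9\r\n" +
			"SOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings/`uname -a`\"\r\n\r\n"},
		{"huawei", "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n" +
			"<s:Envelope><s:Body><u:Upgrade><NewStatusURL>$(/bin/busybox uname)</NewStatusURL></u:Upgrade></s:Body></s:Envelope>"},
		{"benign", "GET /index.html HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"},
	}
	for _, s := range samples {
		hits := classifyRequest(s.raw)
		if len(hits) == 0 {
			fmt.Printf("%-12s no match\n", s.label)
			continue
		}
		fmt.Printf("%-12s %s\n", s.label, strings.Join(hits, ", "))
	}
}
```

Because Mozi reuses long-public exploits, these requests are exactly what shows up in honeypot and edge-router logs during its scanning phase; a hit from an internal address is a strong sign that a device on the LAN has already been recruited as a node and is scanning outward.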