The rapid development of the Internet technology and Internet-connected devices has enabled cybercriminals to handpick their targets when it comes to building a botnet – some botnet operators stick to infecting classic computers, while others go after smart devices or home routers. In the case of the Mozi Botnet, the attackers have opted to try and infect vulnerable routers, and make them a part of their botnet. The group behind the Mozi Botnet appears to target a long list of router manufacturers that includes notable names like Huawei, D-Link and Netgear.
Malware experts suspect that the Mozi Botnet has been active since September, and during this time it has scanned the Web looking for routers using weak login credentials, or outdated firmware that is vulnerable to exploits actively.
The Mozi Botnet Uses the DHT Protocol that is Used by Peer-to-Peer Software
One of the interesting quirks of the Mozi Botnet is that it uses the Distributed Hash Table (DHT) protocol to look for devices and deliver the payload. This protocol is mostly used by peer-to-peer applications, and it is used to transfer enormous amounts of traffic, so the artificial DHT traffic found in the infected router's logs is unlikely to raise any red flags.
In terms of functionality, the Mozi Botnet has support for several commands that enable the operator to execute the following tasks on the infected device:
- Initiate a Distributed-Denial-of-Service attack using all active infected devices.
- Gather information about infected devices.
- Download and execute a payload from a URL.
- Upload a payload and execute it.
- Launch remote commands.
The Mozi Botnet is not a spectacular project, but the threatening operation has been expanding rapidly, and it seems that the number of infected devices continues to increase monthly. To make sure that your home or office router is protected, you should make sure to use a well built password, as well as apply the latest firmware updates that will eliminate public exploits.