Mozi Botnet

Mozi is a variant of the Gafgyt, Mirai and IoT Reaper malware families. The main objective of this botnet is to perform DDoS attacks against IoT devices.


Last updated 4 years ago


I'll start with the initial information from the sample I got. The sample is an ELF32 file packed with UPX. With hexdump we can see the magic number of an ELF file and the signature of the UPX packer.

While unpacking the file I got an error saying the file was corrupted, something like the image below. The error happened because the p_info section had a null value.

The next thing to do is give it the value of the p_filesize field, because both should contain the same value. In the first image I highlight the p_info section, which is 12 bytes long. In the second image I highlight the p_filesize field, and the third image shows what the new value looks like.

With these changes the unpacking succeeded. Now a simple strings run shows part of what Mozi can do. The devices this botnet attacks most are GPON routers, Realtek, Huawei, D-Link and Netgear.
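To make the p_info check described above concrete, here is a small Python triage script that I am adding to this write-up (it is not part of the original analysis and not code from the UPX project). It parses the ELF32 header, walks past the program header table to the 12-byte UPX l_info and the 12-byte p_info that follow it, reports when p_filesize and p_blocksize are zeroed (which is what makes stock `upx -d` complain about a corrupted file), and can write a recovered size back into both fields. The sample ELF it runs on is constructed inline; the byte order of p_info is assumed to follow the ELF's EI_DATA byte, and the size passed to restore_p_info is the value you recover by hand as described above.

```python
import struct

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"


def _endian(data: bytes) -> str:
    # EI_DATA: 1 = little-endian, 2 = big-endian. Assumption of this example:
    # the p_info fields use the same byte order as the ELF itself.
    return "<" if data[5] == 1 else ">"


def find_upx_info(data: bytes):
    """Locate the UPX l_info/p_info pair that sits right after the program header
    table of an ELF32 file. Returns a dict of offsets and fields, or None when the
    file is not ELF32 or carries no 'UPX!' signature at that spot."""
    if data[:4] != ELF_MAGIC or data[4] != 1:          # EI_CLASS 1 == ELFCLASS32
        return None
    e = _endian(data)
    e_phoff = struct.unpack_from(e + "I", data, 28)[0]  # e_phoff lives at offset 28 in ELF32
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 42)
    l_info_off = e_phoff + e_phentsize * e_phnum        # l_info follows the last phdr
    if len(data) < l_info_off + 24:
        return None
    # l_info: l_checksum(4) l_magic(4) l_lsize(2) l_version(1) l_format(1)
    _, l_magic, _, l_version, l_format = struct.unpack_from(e + "I4sHBB", data, l_info_off)
    if l_magic != UPX_MAGIC:
        return None
    p_info_off = l_info_off + 12
    # p_info: p_progid(4) p_filesize(4) p_blocksize(4); Mozi nulls the last two
    _, p_filesize, p_blocksize = struct.unpack_from(e + "III", data, p_info_off)
    return {
        "l_info_offset": l_info_off,
        "p_info_offset": p_info_off,
        "l_version": l_version,
        "l_format": l_format,
        "p_filesize": p_filesize,
        "p_blocksize": p_blocksize,
    }


def diagnose(data: bytes) -> str:
    """One-line verdict an analyst can read before reaching for the hex editor."""
    info = find_upx_info(data)
    if info is None:
        return "not a UPX-packed ELF32 (or no UPX! signature after the program headers)"
    if info["p_filesize"] == 0 or info["p_blocksize"] == 0:
        return "UPX p_info zeroed at offset 0x%x: stock upx -d will report a corrupted file" % info["p_info_offset"]
    return "UPX p_info intact: p_filesize=%d p_blocksize=%d" % (info["p_filesize"], info["p_blocksize"])


def restore_p_info(data: bytes, size: int) -> bytes:
    """Write the recovered size into both p_filesize and p_blocksize and return the
    patched file. `size` is supplied by the analyst; this helper only does the patching."""
    info = find_upx_info(data)
    if info is None:
        raise ValueError("no UPX p_info found")
    buf = bytearray(data)
    struct.pack_into(_endian(data) + "II", buf, info["p_info_offset"] + 4, size, size)
    return bytes(buf)


def build_sample(zero_p_info: bool) -> bytes:
    """Constructed minimal ELF32 (little-endian, EM_MIPS) with two empty program
    headers followed by a UPX l_info and a p_info that is either zeroed or filled."""
    hdr = bytearray(52)
    hdr[:4] = ELF_MAGIC
    hdr[4], hdr[5], hdr[6] = 1, 1, 1                  # ELFCLASS32, little-endian, EV_CURRENT
    struct.pack_into("<HHI", hdr, 16, 2, 8, 1)        # e_type ET_EXEC, e_machine EM_MIPS, e_version
    struct.pack_into("<I", hdr, 28, 52)               # e_phoff: phdrs start right after the header
    struct.pack_into("<HHH", hdr, 40, 52, 32, 2)      # e_ehsize, e_phentsize, e_phnum
    phdrs = bytes(64)                                 # two zeroed 32-byte program headers
    l_info = struct.pack("<I4sHBB", 0, UPX_MAGIC, 0, 13, 0)
    fill = 0 if zero_p_info else 0x9C40               # 0x9C40 is a constructed size
    p_info = struct.pack("<III", 0, fill, fill)
    return bytes(hdr) + phdrs + l_info + p_info + bytes(16)


if __name__ == "__main__":
    broken = build_sample(zero_p_info=True)
    print(diagnose(broken))
    print(diagnose(restore_p_info(broken, 0x9C40)))
```

Run it against a real sample with `find_upx_info(open(path, "rb").read())`; the returned `p_info_offset` is the position to inspect in the hex editor, which on the constructed sample is 0x80 (116 + 12).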

Mozi uses the TR-069 remote configuration protocol for routers and sets a password on the connection.

cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"
cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"

sendcmd 1 DB set MgtServer 0 Tr069Enable 1
sendcmd 1 DB set PdtMiddleWare 0 Tr069Enable 0
sendcmd 1 DB set MgtServer 0 URL http://127.0.0.1
sendcmd 1 DB set MgtServer 0 UserName notitms
sendcmd 1 DB set MgtServer 0 ConnectionRequestUsername notitms
sendcmd 1 DB set MgtServer 0 PeriodicInformEnable 0
sendcmd 1 DB save

An interesting thing is that Mozi adds some iptables rules to prevent someone else from attacking the compromised device.

iptables -I INPUT  -p tcp --destination-port 35000 -j DROP
iptables -I INPUT  -p tcp --destination-port 50023 -j DROP
iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
iptables -I INPUT  -p tcp --destination-port 7547 -j DROP
iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
iptables -I INPUT  -p tcp --destination-port 58000 -j DROP
iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
iptables -I INPUT  -p tcp --destination-port 22 -j DROP
iptables -I INPUT  -p tcp --destination-port 23 -j DROP
iptables -I INPUT  -p tcp --destination-port 2323 -j DROP
iptables -I OUTPUT -p tcp --source-port 22 -j DROP
iptables -I OUTPUT -p tcp --source-port 23 -j DROP
iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
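As an added example (not part of the original write-up), here is a defender-side check that scans a command or strings dump for the two host-level changes described above: the TR-069 ACS URL being pointed at loopback together with a new ConnectionRequestPassword, and DROP rules closing the device's management ports. The sample lines are constructed from the strings shown on this page; MANAGEMENT_PORTS is the set of ports those DROP rules cover.

```python
import re
from urllib.parse import urlparse

# Ports that the iptables strings on this page show being closed with DROP rules.
MANAGEMENT_PORTS = {22, 23, 2323, 7547, 35000, 50023, 58000}

DROP_RULE = re.compile(
    r"iptables\s+-I\s+(INPUT|OUTPUT)\s+-p\s+tcp\s+--(?:destination|source)-port\s+(\d+)\s+-j\s+DROP"
)
# Matches both the cfgtool form (InternetGatewayDevice.ManagementServer URL "...")
# and the sendcmd form (MgtServer 0 URL ...).
ACS_URL = re.compile(r"(?:ManagementServer|MgtServer\s+0)\s+URL\s+\"?([^\s\"]+)")
ACS_PASSWORD = re.compile(r"ConnectionRequestPassword\s+\"?([^\s\"]+)")


def audit(lines):
    """Collect the raw indicators from a list of command/strings lines."""
    found = {"closed_ports": set(), "acs_url": None, "acs_password": None}
    for line in lines:
        if m := DROP_RULE.search(line):
            found["closed_ports"].add(int(m.group(2)))
        elif m := ACS_URL.search(line):
            found["acs_url"] = m.group(1)
        elif m := ACS_PASSWORD.search(line):
            found["acs_password"] = m.group(1)
    return found


def assess(found):
    """Turn the raw indicators into human-readable alerts; empty list means nothing suspicious."""
    alerts = []
    if found["acs_url"]:
        host = urlparse(found["acs_url"]).hostname
        if host in ("127.0.0.1", "localhost"):
            alerts.append("TR-069 ACS URL set to loopback (%s): the operator's remote management is cut off"
                          % found["acs_url"])
    if found["acs_password"]:
        alerts.append("TR-069 ConnectionRequestPassword has been changed")
    closed = sorted(found["closed_ports"] & MANAGEMENT_PORTS)
    if closed:
        alerts.append("management ports dropped by iptables: " + ", ".join(map(str, closed)))
    return alerts


# Constructed sample dump, built from the strings shown in this write-up plus one benign line.
SAMPLE_LINES = [
    'cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"',
    'cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"',
    "sendcmd 1 DB set MgtServer 0 Tr069Enable 1",
    "iptables -I INPUT  -p tcp --destination-port 7547 -j DROP",
    "iptables -I INPUT  -p tcp --destination-port 23 -j DROP",
    "iptables -I OUTPUT -p tcp --source-port 23 -j DROP",
    "echo benign line",
]

if __name__ == "__main__":
    for alert in assess(audit(SAMPLE_LINES)):
        print("ALERT:", alert)
```

On a live device the same functions can be fed the output of `iptables -S` and a dump of the TR-069 configuration; a non-empty result from `assess` is the signal to pull the device for forensics rather than just reboot it.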

Mozi uses the DHT protocol to build its P2P network and adds more iptables rules to let that traffic through.

iptables -I INPUT  -p udp --destination-port %d -j ACCEPT
iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
iptables -I PREROUTING  -t nat -p udp --destination-port %d -j ACCEPT
iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
dht.transmissionbt.com:6881
router.bittorrent.com:6881
router.utorrent.com:6881
bttracker.debian.org:6881
212.129.33.59:6881
82.221.103.244:6881
130.239.18.159:6881
87.98.162.88:6881
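To show what the DHT traffic from an infected device looks like on the wire, here is an added Python example (not from the original write-up) with a minimal bencode encoder/decoder, a KRPC ping query and the response the other peer would return over UDP, a parser that classifies a captured payload, and a lookup against the bootstrap nodes listed above. The node IDs and transaction IDs are constructed values.

```python
# DHT bootstrap nodes listed in the sample's strings (taken from this write-up).
BOOTSTRAP_NODES = {
    ("dht.transmissionbt.com", 6881), ("router.bittorrent.com", 6881),
    ("router.utorrent.com", 6881), ("bttracker.debian.org", 6881),
    ("212.129.33.59", 6881), ("82.221.103.244", 6881),
    ("130.239.18.159", 6881), ("87.98.162.88", 6881),
}


def bencode(obj) -> bytes:
    """Serialise ints, byte strings, lists and dicts (bytes keys, sorted) as bencode."""
    if isinstance(obj, bool):
        raise TypeError("bool is not a bencode type")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b"e"
    raise TypeError("unsupported type %r" % type(obj))


def bdecode(data: bytes, pos: int = 0):
    """Recursive descent decoder; returns (object, next_position)."""
    c = data[pos:pos + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                   # dict: d<key><value>...e
        out, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            out[key], pos = bdecode(data, pos)
        return out, pos + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        length, start = int(data[pos:colon]), colon + 1
        return data[start:start + length], start + length
    raise ValueError("bad bencode at offset %d" % pos)


def bdecode_full(data: bytes):
    obj, end = bdecode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencode value")
    return obj


def build_ping(node_id: bytes, tid: bytes = b"aa") -> bytes:
    """KRPC ping query as the asking peer sends it."""
    return bencode({b"t": tid, b"y": b"q", b"q": b"ping", b"a": {b"id": node_id}})


def build_ping_response(node_id: bytes, tid: bytes) -> bytes:
    """KRPC reply the answering peer sends back, echoing the transaction id."""
    return bencode({b"t": tid, b"y": b"r", b"r": {b"id": node_id}})


def parse_krpc(payload: bytes) -> dict:
    """Classify a captured UDP payload as a KRPC query/response/error and pull out the node id."""
    msg = bdecode_full(payload)
    if not isinstance(msg, dict) or b"y" not in msg:
        raise ValueError("not a KRPC message")
    kind = {b"q": "query", b"r": "response", b"e": "error"}.get(msg[b"y"], "unknown")
    out = {"type": kind, "tid": msg.get(b"t")}
    if kind == "query":
        out["query"] = msg[b"q"].decode()
        out["node_id"] = msg[b"a"][b"id"]
    elif kind == "response":
        out["node_id"] = msg[b"r"][b"id"]
    return out


def is_bootstrap_node(host: str, port: int) -> bool:
    return (host, port) in BOOTSTRAP_NODES


if __name__ == "__main__":
    bot_id, peer_id = b"\x11" * 20, b"\x22" * 20      # constructed 20-byte node ids
    query = build_ping(bot_id)                        # bot -> bootstrap node
    reply = build_ping_response(peer_id, b"aa")       # bootstrap node -> bot
    print(parse_krpc(query), parse_krpc(reply))
```

In a packet capture from a router, UDP datagrams to port 6881 whose payload `parse_krpc` classifies as a `ping` or `find_node` query to one of the BOOTSTRAP_NODES entries are the network-side counterpart of the iptables ACCEPT rules shown above.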

In the table below I put the IOCs from the sample.

Type   Value
URL    hxxp://222.82.155.100:54591/Mozi.m
md5    9a111588a7db15b796421bd13a949cd4 | Mozi.m packed
md5    93828e909cb0c9b960a5df6fb9ab9706 | Mozi.m unpacked

I hope you enjoyed the analysis. Feel free to get in touch with me if you have questions or suggestions.

References

https://blog.netlab.360.com/mozi-another-botnet-using-dht/
https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/
https://stackoverflow.com/questions/1332107/how-does-dht-in-torrents-work