
XorDDoS, Mirai, and Mozi are Most Prominent Linux-targeted Malware


Linux-based computers are numerous and are an integral component of the internet backbone, but Linux malware has increasingly targeted low-power Internet of Things (IoT) devices. With billions of internet-connected devices such as vehicles, refrigerators, and network equipment online, IoT devices have become a prominent target for malware and distributed denial of service (DDoS) attacks, in which junk data is aimed at flooding a target and knocking it offline. 

Although ransomware is currently wreaking havoc on the malware scene in a deluge of high-profile attacks, a recent study on Linux security finds it ranks only third among the top threat types. This shift in attitude stems in part from a growing recognition among Linux hobbyists and system administrators that a compromised Linux system, such as a web server, offers attackers a high return on investment. In addition, malware research has improved visibility into the dangers that Linux systems face in recent years.

In 2021, the XorDDoS, Mirai, and Mozi malware families and variants emerged to be the most prevalent, accounting for over 22% of all IoT Linux-targeting malware, according to an analysis of the current Linux threat landscape. 

XorDDoS is a Linux trojan that has been built for a variety of Linux architectures, including ARM, x86, and x64. It takes its name from its use of XOR encryption both within the malware and in its network communication with the C2 infrastructure. XorDDoS variants on Linux hosts show that its operators monitor and hunt for Docker servers with port 2375 open. That port exposes an unencrypted Docker socket and passwordless remote root access to the host, both of which attackers can exploit to gain root on the machine.

Mozi is a P2P botnet that uses the distributed hash table (DHT) architecture and implements its own extended DHT. Thanks to DHT's distributed and decentralized lookup method, Mozi can mask its C2 communication behind a large volume of legitimate DHT traffic. Mozi compromises devices by brute-forcing SSH and Telnet ports, then blocks those ports to prevent other malicious actors or malware from taking the device over.

The Mirai malware has made a name for itself in recent years, especially after its creator made the source code public. Like Mozi, Mirai uses brute-force attacks to infiltrate devices through weak protocols and passwords, such as Telnet.

Many business-critical applications use Linux as one of their core operating systems. Protecting Linux servers, which can be found on-premises as well as in private and public clouds, necessitates a solution that delivers runtime protection and visibility for all Linux hosts, independent of location.

Mozi Botnet Creators Arrested by Chinese Law Enforcement Authorities


Cybersecurity researchers from the Chinese information security firm Netlab Qihoo 360 reported that at the beginning of this year the authors of the Mozi IoT botnet were detained by Chinese law enforcement authorities, nearly two years after the malware appeared on the threat landscape in late 2019.

"Mozi uses a P2P [peer-to-peer] network structure, and one of the 'advantages' of a P2P network is that it is robust, so even if some of the nodes go down, the whole network will carry on, and the remaining nodes will still infect other vulnerable devices, that is why we can still see Mozi spreading," said Netlab researchers.

The development came within two weeks of the Microsoft Security Threat Intelligence Center disclosing new capabilities in the malware that allow it to block web traffic on compromised systems via techniques such as DNS spoofing and HTTP session hijacking, aimed at redirecting users to malicious domains.

At its peak, the malware infected up to 160,000 systems a day and in total managed to compromise more than 1,500,000 different devices, more than half of which (830,000) were located in China, according to a report from Netlab Qihoo 360. 

Mozi, which emerged from the source code of Mirai variants and the Gafgyt malware, has accumulated over 15,800 unique command and control nodes as of April 2020, up from 323 nodes in December 2019, according to a report from Lumen's Black Lotus Labs. By the time the malware was discovered by 360 Netlab researchers, it was actively targeting Netgear, D-Link, and Huawei routers by probing for weak Telnet passwords to compromise them.

Exploiting the use of weak and default remote access passwords as well as through unpatched vulnerabilities, the botnet propagates by infecting routers and digital video recorders to co-opt the devices into an IoT botnet, which could be abused for launching distributed denial-of-service (DDoS) attacks, data exfiltration, and payload execution. 

According to Netlab, the creators of Mozi also packed in additional upgrades, which include a mining trojan that spreads in a worm-like fashion through weak FTP and SSH passwords, expanding the botnet's features by following a plug-in-like approach to designing custom tag commands for different functional nodes. "This convenience is one of the reasons for the rapid expansion of the Mozi botnet," the researchers said.

"The Mozi botnet samples have stopped updating for quite some time, but this does not mean that the threat posed by Mozi has ended. Since the parts of the network that are already spread across the Internet have the ability to continue to be infected, new devices are infected every day," the researchers warned.

The malware also used the DHT protocol to design a peer-to-peer (P2P) system between all the compromised devices, allowing bots to send updates and operational instructions to each other directly, which also allowed Mozi to continue to perform even without a central command and control (C&C) server.