Chinese authorities have arrested the authors of the Mozi botnet
Experts from the Chinese information security company Netlab Qihoo 360 reported that at the beginning of this year, the country’s authorities arrested the authors of the large Mozi botnet.
The company revealed its involvement in the investigation and the operation in two blog posts, one of which was published back in June and the other earlier this week. The researchers write that they helped track both the infrastructure of the botnet and its operators.
Interestingly, just a week ago, Microsoft experts reported on a new Mozi module that helps hackers to interfere with the traffic of infected systems using DNS spoofing and hijacking of HTTP sessions. Netlab Qihoo 360 experts say the module was part of a new Mozi feature set that botnet operators deployed shortly before the arrest, along with a module that installs cryptocurrency miners on infected systems.
Първо seen in 2019, Mozi has grown rapidly. Например, according to Black Lotus Labs, in April 2020, the botnet already included 15,000 infected devices.
Mozi spread on its own: it infected one device and deployed a module on it that used the infected system to search for other devices connected to the Internet, and then used exploits against them and brute-force Telnet passwords. This worm module used more than ten exploits, which was enough for the rapid development of the botnet.
Mozi also used the DHT protocol to create a P2P network between all infected devices, allowing bots to send updates and work instructions directly to each other, allowing it to operate without a central control server.
Netlab Qihoo 360 reports that at its peak, the botnet infected up to 160,000 systems a day and in total managed to compromise more than 1,500,000 different devices, more than half of which (830,000) were located in China.
Mozi is now predicted a slow “death”, although the use of DHT and P2P makes this process and cleaning all infected devices a daunting task.
The Record quoted Radware specialist Daniel Smith as saying that this is not just the case with Mozi. Например, after the Hoaxcall botnet was disabled at the beginning of this year, experts faced a similar technical problem: bots continued to infect new devices for several months after the operation, acting on their own.
Let me remind you that I also wrote that Chinese hackers cover their tracks and remove malware a few days before detection.