Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mozi Botnet #38

Closed
corumir opened this issue Jul 29, 2024 · 3 comments
Closed

Mozi Botnet #38

corumir opened this issue Jul 29, 2024 · 3 comments

Comments

@corumir
Copy link

corumir commented Jul 29, 2024

Finds the Mozi botnet.

http.html_hash:-1245370368
https://www.shodan.io/search?query=http.html_hash%3A-1245370368
@montysecurity
Copy link
Owner

montysecurity commented Aug 4, 2024
edited
Loading

Do you have a reference or evidence to show this is detecting the Mozi botnet? Just would like to validate before I add it

@corumir
Copy link
Author

corumir commented Aug 5, 2024

This comes from understanding the Mozi fingerprint for an HTTP server that hosts the Mozi payload.

HTTP/1.1 200 OK
Server: nginx
Content-Length: 135784
Connection: close
Content-Type: application/zip

More details: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi

this is the latest 2024 fingerprint.

Here is the 2022 example I could find in open source: https://www.elastic.co/security-labs/collecting-and-operationalizing-threat-data-from-the-mozi-botnet

Like this example points out, there with always be:

  1. Ngnix server
  2. No HTTP Date Header
  3. Specific file size ~133KB

@montysecurity
Copy link
Owner

Added. Thanks! 16db633

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@corumir @montysecurity