Mozi botnet - Huge influx of infected devices - Hathway(AS17488), BSNL(AS9829)

pswapneel

The last week has seen a huge surge in Mozi botnet [1] activity from compromised CPEs (routers, etc.) on Hathway (AS17488), BSNL (AS9829) and other networks.

Some of the affected CPEs, along with mitigation, are outlined by Netlab 360 [2].


IMO, affected devices may not be limited to the ones outlined above.

Mitigation - Here are general steps you can take to mitigate this issue:

1. Restart the router
2. Set a strong login password
3. Disable remote access to the router (if enabled)
4. Patch your router - To check whether your router has entries in Common Vulnerabilities and Exposures (CVE), search here [3]. Irrespective, it's recommended to update the router's firmware


[1]: New Malware Family Assembles IoT Botnet
[2]: Mozi, Another Botnet Using DHT
[3]: CVE - Search CVE List
 
Both my router and ONT are on the list 😑 and my ISP is BSNL.
 
Can this be the reason why upload speeds have plummeted in the last few days on Hathway DOCSIS 3.0?
 
@MeanMachine Let's say that your router is infected and is part of the Mozi botnet; then the answer is potentially yes. Mozi is P2P (similar to torrent) malware which scans Internet IP addresses for devices (routers, IoT, etc.) having weak credentials, telnet, etc., and then infects them with the payload. A detailed analysis is available from Netlab 360, which I have shared in my first post in this thread.

In the case of infected devices, the user/consumer has no knowledge that their router is part of the botnet, but at the same time the router is initiating these scans across the Internet.
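An added example, not from this thread or from the Netlab 360 write-up, of how a defender could spot the scanning behaviour described above from a gateway's own netfilter LOG output: it counts, per source address, how many distinct hosts were probed on telnet ports, which is the fan-out an infected CPE produces and a normal home network does not. The log lines, the 203.0.113.7 gateway address and the port list {23, 2323} are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Assumed target ports for telnet brute forcing: standard telnet and the
# common alternate port. Adjust to what your environment considers telnet.
TELNET_PORTS = {23, 2323}

# Pulls source, destination and destination port out of an iptables/netfilter
# LOG line; the lazy wildcards skip fields such as LEN=, TOS=, TTL= on real lines.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def build_sample_log():
    """Constructed sample: a gateway (203.0.113.7, documentation range) probing
    telnet on 30 distinct hosts, interleaved with ordinary HTTPS traffic."""
    lines = []
    for i in range(1, 31):
        lines.append(f"[OUT] IN= OUT=eth0 SRC=203.0.113.7 DST=198.51.100.{i} "
                     f"PROTO=TCP SPT=4{i:04d} DPT=23 SYN")
        lines.append(f"[OUT] IN= OUT=eth0 SRC=203.0.113.7 DST=192.0.2.10 "
                     f"PROTO=TCP SPT=5{i:04d} DPT=443 SYN")
    # Retries against a host already probed must not inflate the fan-out count.
    lines += ["[OUT] IN= OUT=eth0 SRC=203.0.113.7 DST=198.51.100.1 "
              "PROTO=TCP SPT=49999 DPT=2323 SYN"] * 3
    return lines


def telnet_fanout(lines):
    """Return {source address: number of distinct hosts probed on telnet ports}."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m and int(m.group("dpt")) in TELNET_PORTS:
            seen[m.group("src")].add(m.group("dst"))
    return {src: len(dsts) for src, dsts in seen.items()}


def find_scanners(lines, threshold=10):
    """Sources whose telnet fan-out meets the threshold: candidates for infection."""
    return {src: n for src, n in telnet_fanout(lines).items() if n >= threshold}


if __name__ == "__main__":
    for src, n in find_scanners(build_sample_log()).items():
        print(f"{src} probed telnet on {n} distinct hosts: check this CPE for Mozi")
```

Run against real output from an OUTPUT/FORWARD chain LOG rule, a single LAN source with a large telnet fan-out is the signal that the device itself is the scanner, which is exactly what the consumer cannot see from their side.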
 
