Open corumir opened 4 months ago
Do you have a reference or evidence to show this is detecting the Mozi botnet? Just would like to validate before I add it
This comes from understanding the Mozi fingerprint for an HTTP server that hosts the Mozi payload.
HTTP/1.1 200 OK
Server: nginx
Content-Length: 135784
Connection: close
Content-Type: application/zip
More details: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi
This is the latest 2024 fingerprint.
Here is the 2022 example I could find in open source: https://www.elastic.co/security-labs/collecting-and-operationalizing-threat-data-from-the-mozi-botnet
Like this example points out, there will always be:
1) nginx server
2) No HTTP Date header
3) Specific file size ~133KB
Finds the Mozi botnet.
http.html_hash:-1245370368 https://www.shodan.io/search?query=http.html_hash%3A-1245370368
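The header-level fingerprint described in this thread (nginx Server header, no Date header, application/zip body of roughly 133 KB, 200 status), expressed as a matcher that can be run over captured response heads. This is an added example, not code from the PR or the project: the size window, the check names, and the three sample responses are constructed here for illustration; only the first sample reproduces the headers quoted above. Shodan's http.html_hash is a hash of the response body that Shodan computes itself, so it is not reproduced here.

```python
"""Match a raw HTTP response head against the Mozi payload-server
fingerprint discussed in the thread: HTTP 200, Server: nginx, no Date
header, Content-Type application/zip, Content-Length near 133 KB.
Added example; sample responses and the size window are constructed."""
from typing import Dict, Tuple

# Window around the ~133 KB payload (135784 bytes in the 2024 sample).
# The exact bounds are an assumption for this example, not from the PR.
MOZI_SIZE_WINDOW = (125_000, 145_000)

# Constructed sample 1: the headers quoted in the thread (should match).
MOZI_SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Length: 135784\r\n"
    "Connection: close\r\n"
    "Content-Type: application/zip\r\n\r\n"
)

# Constructed sample 2: an ordinary nginx page (should not match:
# Date header present, HTML body, small size).
BENIGN_NGINX = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.24.0\r\n"
    "Date: Tue, 05 Mar 2024 10:00:00 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 612\r\n"
    "Connection: keep-alive\r\n\r\n"
)

# Constructed sample 3: a legitimate zip download of similar size served
# by nginx. The Date header nginx adds by default is what separates it
# from the Mozi sample, so this must fail only on that check.
ZIP_WITH_DATE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Date: Tue, 05 Mar 2024 10:00:00 GMT\r\n"
    "Content-Type: application/zip\r\n"
    "Content-Length: 135784\r\n\r\n"
)


def parse_response_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw response head into (status line, {lower-name: value}).
    Parsing stops at the first blank line so a trailing body is ignored."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    status = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break
        if ":" not in line:
            continue  # tolerate junk lines rather than failing the parse
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def mozi_fingerprint_checks(raw: str, size_window=MOZI_SIZE_WINDOW) -> Dict[str, bool]:
    """Evaluate each element of the fingerprint separately, so an analyst
    can see which criterion a near-miss fails on."""
    status, h = parse_response_head(raw)
    parts = status.split()
    length = h.get("content-length", "")
    size_ok = length.isdigit() and size_window[0] <= int(length) <= size_window[1]
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    return {
        "status_200": len(parts) >= 2 and parts[0].startswith("HTTP/1.") and parts[1] == "200",
        "server_nginx": h.get("server", "").lower().startswith("nginx"),
        "no_date_header": "date" not in h,
        "zip_content_type": media_type == "application/zip",
        "size_in_window": size_ok,
    }


def is_mozi_payload_server(raw: str) -> bool:
    """True only when every element of the fingerprint is present."""
    return all(mozi_fingerprint_checks(raw).values())


if __name__ == "__main__":
    for label, sample in (("mozi", MOZI_SAMPLE), ("benign", BENIGN_NGINX), ("zip+date", ZIP_WITH_DATE)):
        print(label, is_mozi_payload_server(sample), mozi_fingerprint_checks(sample))
```

Keeping the checks separate matters for validation: a response that fails only `no_date_header` is most likely a real nginx serving a zip of similar size, while the Mozi sample fails none of them, which is the point the reply above is making about the missing Date header.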