Mozi Botnet Accounts for 90% of IoT Traffic


The botnet is infamous for taking over Netgear, D-Link, and Huawei routers.

Earlier this year, IBM X-Force learned that the Mozi botnet, a peer-to-peer (P2P) malware, now accounts for 90% of traffic flowing to and from IoT devices. IBM noticed a huge spike in Mozi’s telemetry and overall IoT botnet activity. In fact, combined IoT attack instances grew 400% from October 2019 to June 2020 than in the previous two years.

“Attackers have been leveraging these devices for some time now, most notably via the Mirai botnet,” according to IBM. “Mozi continues to be successful largely through the use of command-injection (CMDi) attacks, which often result from the misconfiguration of IoT devices. The continued growth of IoT usage and poor configuration protocols are the likely culprits behind this jump. This increase may have been fueled further by corporate networks being accessed remotely more often due to COVID-19.”

A Newer Cyber Threat

The botnet first appeared on the scene late last year, targeting Netgear, D-Link, and Huawei routers. Researchers say botnet groups use this Mirai variant — with components of Gafgyt and IoT Reaper — for DDoS attacks, spam, command-or-payload-execution, and data exfiltration.

IBM says Mozi uses CMDi to access a vulnerable device via a “wget” shell command. People use the wget command-line utility to download files from websites. However, hackers use Mozi to alter wget’s permissions and allow it to interact with and help them compromise the website. Through the command, Mozi downloads a file called “Mozi.a,” which executes itself on a microprocessor. Once hackers gain full access to the device through Mozi, they can change firmware and download even more malware.

No Target Too Large or Too Small

IBM’s analysis evaluated a variety of brands including:

  • Huawei, Eir, Netgear, and GPON Rand D-Link routers
  • Devices using Realtek SDK
  • Sepal SPBOARDs
  • MVPower DVRs
  • Multiple CCTV vendors

The analysis learned that Mozi, whose infrastructure is primarily located in China, can also brute-force Telnet credentials.

Protecting Enterprise IoT Devices

“As newer botnet groups, such as Mozi, ramp up operations and overall IoT activity surges, organizations using IoT devices need to be cognizant of the evolving threat,” the firm concluded. “IBM is increasingly seeing enterprise IoT devices under fire from attackers. Command injection remains the primary infection vector of choice for threat actors, reiterating how important it is to change default device settings and use effective penetration testing to find and fix gaps in the armor.”

Sue Walsh

About Sue Walsh

Sue Walsh is News Writer for RTInsights, and a freelance writer and social media manager living in New York City. Her specialties include tech, security and e-commerce. You can follow her on Twitter at @girlfridaygeek.

Leave a Reply

Your email address will not be published. Required fields are marked *