Mozi is a botnet that specifically targets the Internet of Things. Recently, a group of researchers from IBM X-Force raised the alarm that, apart from taking over Netgear and Huawei routers and D-Link devices, Mozi now accounts for 90 percent of the malicious traffic flowing to and from devices connected to the Internet of Things. Looking at the records, the volume of attacks on IoT from October to this June is 400 percent higher than the cumulative attacks of the last two years. Attackers' use of compromised devices is at a peak, and they mostly rely on the Mirai botnet. The notable and likely reasons behind these IoT attacks are the increasing demand for IoT and poor protocol configurations. The remote access that corporate businesses and other people have set up during this pandemic season has opened a way in for attackers.
In simple words, Mozi can be described as a botnet that operates as peer-to-peer (P2P) network malware. As people slowly shift towards working from home and other remote access options, the use of P2P-based botnets is on the rise. Corporates are adapting themselves to the new normal of remote access, and at the same time attackers are adapting as well and taking advantage of it.
Evolution of Mozi Botnet
Mozi first came onto the scene in late 2019, when research teams around the world noticed its presence; at first it targeted only routers and DVRs. The botnet looks very much like a Mirai variant and contains code snippets from Gafgyt and IoT Reaper. It can be used for many purposes, including DDoS attacks, data exfiltration, spam campaigns, and payload execution.
Mozi’s DHT Attack Routine
According to IBM, every system compromised by Mozi carries a downloaded command-and-control executable called mozi.a. All of these files execute on the device's microprocessor, and once the attacker has gained complete access, the firmware can be modified. In specific attacks, additional malware can be downloaded onto the compromised systems. IBM also explains that a customized DHT protocol is used to build the P2P network. The infrastructure is very similar, as it is sourced from China.
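Because the P2P layer rides on a DHT protocol, a defender's most practical handle on the paragraph above is network detection: IoT devices such as routers and DVRs have no legitimate reason to speak DHT, so any KRPC-style message leaving them is worth a look. The following Python is an added example written for this article, not code from IBM X-Force or from any Mozi analysis; it assumes the DHT messages are bencoded KRPC like BitTorrent's DHT (the article only says "a customized DHT protocol"), and the UDP payloads and source addresses it inspects are constructed, not captured from real traffic.

```python
# Added example (not from the article): a minimal bencode decoder plus a
# classifier that flags BitTorrent-style DHT (KRPC) messages seen on UDP
# sockets of devices that should never be speaking DHT at all.
# ASSUMPTION: Mozi's P2P layer is bencoded KRPC; the article says only
# "a customized DHT protocol". Sample packets below are constructed.

def bdecode(data: bytes):
    """Decode one bencoded value; return (value, bytes_consumed)."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                              # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                              # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                v, i = parse(i)
                items.append(v)
            return items, i + 1
        if c == b"d":                              # dict: d<key><value>...e
            d, i = {}, i + 1
            while data[i:i + 1] != b"e":
                k, i = parse(i)
                v, i = parse(i)
                d[k] = v
            return d, i + 1
        if c.isdigit():                            # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            n = int(data[i:colon])
            return data[colon + 1:colon + 1 + n], colon + 1 + n
        raise ValueError(f"bad bencode at offset {i}")
    return parse(0)

def classify_dht(payload: bytes):
    """Return (msg_type, query_name) for a KRPC message, or None if it is not KRPC."""
    try:
        msg, _ = bdecode(payload)
    except (ValueError, IndexError):
        return None                                # not bencode: TLS, DNS, etc.
    if not isinstance(msg, dict) or b"y" not in msg or b"t" not in msg:
        return None
    y = msg[b"y"]
    if y == b"q":                                  # query: ping / find_node / ...
        return ("query", msg.get(b"q", b"").decode(errors="replace"))
    if y == b"r":
        return ("response", "")
    if y == b"e":
        return ("error", "")
    return None

# Constructed sample UDP payloads from an IoT VLAN (not real captures).
SAMPLES = [
    ("192.0.2.10", b"d1:ad2:id20:" + b"A" * 20 + b"6:target20:" + b"B" * 20
                   + b"e1:q9:find_node1:t2:aa1:y1:qe"),
    ("192.0.2.11", b"d1:rd2:id20:" + b"C" * 20 + b"5:nodes0:e1:t2:aa1:y1:re"),
    ("192.0.2.12", b"\x16\x03\x01\x00\x2f\x01\x00"),   # TLS ClientHello prefix; ignored
]

def find_dht_speakers(samples):
    """Map source IP -> list of DHT messages; IoT hosts in this map deserve investigation."""
    hits = {}
    for src, payload in samples:
        c = classify_dht(payload)
        if c:
            hits.setdefault(src, []).append(c)
    return hits

if __name__ == "__main__":
    for ip, msgs in find_dht_speakers(SAMPLES).items():
        print(ip, msgs)
```

In practice the payloads would come from a packet capture or a UDP-aware flow sensor on the IoT segment; the useful signal is not the message contents but the fact that a camera or router is emitting KRPC at all, which is a cheap, low-false-positive trigger for isolating the device and checking it for the dropped file.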
P2P Machines in Scene
P2P botnets are becoming more and more common. At the beginning of this year, the FritzFrog botnet made its debut; it propagated by brute-forcing credentials at government offices, educational institutions, medical centers, telecom companies, and also central banks.
Though much research is under way, IBM reports that many attacks are still ongoing. Research teams are making a considerable effort to prevent the Mozi botnet from attacking IoT infrastructures around the world.