The Discovery and Evolution of the Mozi Botnet
- Mohnish Singh
- May 17, 2024
Updated: Oct 2, 2024
The Mozi botnet is a sophisticated and resilient P2P botnet built on the Distributed Hash Table (DHT) protocol, a system designed for mapping keys to values across a distributed network. This design gives the botnet a high degree of fault tolerance and reliability, making Mozi particularly challenging to disrupt. Mozi further uses ECDSA384 signatures and an XOR algorithm to protect the integrity and confidentiality of its components and P2P traffic. The sample spreads via Telnet using weak passwords and a number of known exploits. In terms of functionality, the actions taken by each node in the Mozi botnet are driven by a payload called Config, which is issued by the botnet master.
The main instructions include:
- DDoS attack
- Collect bot information
- Execute a payload fetched from a specified URL
- Update the sample from a specified URL
- Execute system or custom commands
Mozi primarily targets Netgear, D-Link, and Huawei routers, exploiting vulnerabilities and misconfigurations within these devices. Propagation of the botnet is facilitated through malicious sample files, notably named Mozi.m and Mozi.a. These files are instrumental in spreading the botnet across a vast network of vulnerable IoT devices.
From October 2018 through June 2019, Mozi was responsible for a dramatic spike in IoT botnet activity, with a staggering 400 percent increase compared to previous periods. This surge highlights the significant threat posed by Mozi, which leverages command-injection (CMDi) attacks to infiltrate and control compromised IoT devices. The botnet's rapid growth and extensive reach underscore the critical need for robust security measures to protect against such advanced threats.
Initial Discovery
The Mozi botnet was first discovered in late 2019 by cybersecurity researchers. It quickly gained attention due to its unique architecture and the specific focus on Internet of Things (IoT) devices. Unlike traditional botnets that rely on centralized command-and-control (C&C) servers, Mozi employs a peer-to-peer (P2P) structure, making it more resilient and harder to dismantle.
Key Sightings and Evolution
Late 2019:
Discovery: The initial detection of Mozi occurred, highlighting its ability to exploit known vulnerabilities in IoT devices. Researchers noted its P2P communication model, which allowed compromised devices to communicate directly, enhancing its robustness against takedown efforts.
Early 2020:
Rapid Expansion: Mozi began to expand rapidly, infecting thousands of devices globally. It leveraged weak default credentials and unpatched vulnerabilities in various IoT devices, including routers and digital video recorders (DVRs).
Mid 2020:
Increased Activity: The botnet's activity spiked, with a notable increase in Distributed Denial of Service (DDoS) attacks targeting a variety of sectors. The decentralized nature of Mozi made these attacks more difficult to mitigate.
Late 2020:
New Capabilities: Researchers observed that Mozi was evolving, incorporating new capabilities such as data exfiltration and command execution on compromised devices. This evolution signified a shift from merely using infected devices for DDoS attacks to more complex and varied malicious activities.
2021:
Continued Threat: Mozi continued to pose a significant threat throughout 2021, with periodic spikes in activity. The botnet remained a challenge for cybersecurity professionals due to its adaptive tactics and the continuous discovery of vulnerable IoT devices.
2022 and Beyond:
Ongoing Monitoring: Cybersecurity firms and researchers have continued to monitor Mozi's activity. The botnet's operators periodically update its capabilities, maintaining its relevance and threat level in the cybersecurity landscape. Reports indicate that Mozi remains active, with occasional flare-ups in specific regions or against particular targets.
Conclusion
The Mozi botnet's discovery in late 2019 marked the beginning of a persistent and evolving threat. Its peer-to-peer architecture and focus on IoT devices have made it a formidable adversary. Over the years, Mozi has adapted and expanded its capabilities, requiring continuous vigilance and adaptive defense strategies from cybersecurity professionals to mitigate its impact.