Mozi is a peer-to-peer (P2P) botnet that targets Internet of Things (IoT) devices, such as routers and digital video recorders (DVRs). It spreads by exploiting weak telnet passwords and known vulnerabilities. Once a device is infected, it joins the botnet and can be used to launch Distributed Denial-of-Service (DDoS) attacks, execute payloads, or steal information.

What is Mozi IoT Botnet Malware?

Mozi is a nasty piece of work derived from the source code of other IoT malware families like Mirai, Gafgyt, and IoT Reaper. It primarily functions as a P2P botnet, meaning infected devices communicate directly with each other instead of a centralized command-and-control (C2) server. This makes the botnet more resilient and harder to take down.

Its main goal is to rope in as many IoT devices as possible—think routers, webcams, and DVRs—to create a massive zombie army. This army can then be rented out or used for large-scale DDoS attacks, data exfiltration, and command execution. While it has multiple aliases, it's most commonly known simply as Mozi.

When was Mozi IoT Botnet First Discovered?

Security researchers first spotted Mozi making its rounds in late 2019. It quickly gained notoriety for its rapid growth and sophisticated P2P architecture, setting it apart from more traditional, centrally controlled botnets.

Who Created Mozi IoT Botnet?

The individuals behind Mozi are believed to be a Chinese-speaking threat actor or group. Evidence pointing to this includes the use of specific Chinese characters in the code and arrests made by Chinese law enforcement in 2021 related to the botnet's operation.

What Does Mozi IoT Botnet Target?

Mozi doesn't discriminate much when it comes to its targets. It goes after a wide range of unpatched and poorly secured IoT devices across the globe. This includes devices manufactured by Netgear, D-Link, Huawei, and many others. Its primary targets are those with weak or default Telnet credentials and unpatched vulnerabilities, making it a threat to both home users and businesses with unsecured IoT deployments.

Mozi IoT Botnet Distribution Method

Mozi is a worm that spreads aggressively. Its primary method of propagation is scanning the internet for exposed IoT devices with open Telnet ports. It then attempts to brute-force its way in using a list of common and default usernames and passwords.

In addition to brute-force attacks, Mozi also exploits a slew of known remote code execution vulnerabilities in various IoT devices. Once it gains access, it downloads and executes the malware payload, officially recruiting the device into its botnet army. The newly infected device then starts scanning for its next victim, continuing the cycle of infection.

Technical Analysis of Mozi IoT Botnet Malware

Once it infects a device, Mozi gets to work entrenching itself. It establishes persistence by copying itself to common system directories and setting up rules to ensure it runs on startup. It also blocks common remote access ports like Telnet (23) and SSH (22) to prevent other attackers—or the device's owner—from gaining access.

The malware uses a Distributed Hash Table (DHT) protocol, similar to what's used in torrents, to create its P2P network. This allows infected nodes to find each other and receive commands without a central server. This decentralized structure is a major headache for defenders because there's no single point of failure to target.

Tactics, Techniques & Procedures (TTPs)

Mozi's behavior aligns with several MITRE ATT&CK techniques, including:

  • T1021.004 (Remote Services: SSH): Uses SSH for lateral movement and initial access.

  • T1190 (Exploit Public-Facing Application): Exploits known vulnerabilities in IoT devices.

  • T1078 (Valid Accounts): Uses default or weak credentials to gain access.

  • T1562.004 (Impair Defenses: Disable or Modify System Firewall): Modifies firewall rules to maintain its foothold.

  • T1498 (Network Denial of Service): Executes DDoS attacks as its primary function.

Indicators of Compromise (IoCs)

Keep an eye out for these signs:

  • Unusual outbound traffic on UDP ports, often related to DHT activity.

  • Increased CPU usage on IoT devices.

  • Connections to known malicious IP addresses or domains associated with Mozi.

  • Files dropped in /tmp or other temporary directories with names like mozi.a or mozi.m.

  • Blocked access to standard management ports like Telnet or SSH.
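As an added example (not part of the original page), the small Python triage script below checks per-host telemetry against the IoCs listed above: many distinct UDP peers as a proxy for DHT activity, the mozi.a / mozi.m file names in /tmp, and filtered Telnet/SSH management ports. The flow records, file inventory and port states are constructed sample data, and the fan-out threshold is an assumption to tune for your own network.

```python
from collections import defaultdict

# Constructed sample inputs (not real telemetry).
# Flow records: (src_ip, dst_ip, proto, dst_port)
FLOWS = (
    # DVR fanning out over UDP to many distinct peers: DHT-like behaviour
    [("192.168.1.20", f"203.0.113.{i}", "udp", 6881 + i) for i in range(1, 61)]
    # Router with ordinary traffic: repeated DNS plus one NTP destination
    + [("192.168.1.1", "192.168.1.53", "udp", 53)] * 20
    + [("192.168.1.1", "198.51.100.7", "udp", 123)]
)
# Files seen in /tmp on each device, as reported by an inventory agent (constructed)
TMP_FILES = {
    "192.168.1.20": ["/tmp/mozi.a", "/tmp/.x", "/tmp/resolv.conf"],
    "192.168.1.1": ["/tmp/dhcp.leases"],
}
# Result of probing management ports from inside the LAN (constructed)
PORT_STATE = {
    "192.168.1.20": {22: "filtered", 23: "filtered"},
    "192.168.1.1": {22: "closed", 23: "closed"},
}

DROPPED_NAMES = {"mozi.a", "mozi.m"}  # file names cited in the IoC list
MGMT_PORTS = {22, 23}                 # SSH and Telnet
FANOUT_THRESHOLD = 50                 # distinct UDP peers per host; assumed, tune per network

def udp_peer_fanout(flows):
    """Count distinct UDP destination IPs per source host."""
    peers = defaultdict(set)
    for src, dst, proto, _port in flows:
        if proto == "udp":
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items()}

def mozi_indicators(host, flows, tmp_files, port_state):
    """Return the IoCs from the list above that were observed for one host."""
    hits = []
    if udp_peer_fanout(flows).get(host, 0) >= FANOUT_THRESHOLD:
        hits.append("udp_dht_fanout")
    if any(path.rsplit("/", 1)[-1] in DROPPED_NAMES for path in tmp_files.get(host, [])):
        hits.append("mozi_file_in_tmp")
    if all(port_state.get(host, {}).get(p) == "filtered" for p in MGMT_PORTS):
        hits.append("mgmt_ports_blocked")
    return hits

def triage(flows=FLOWS, tmp_files=TMP_FILES, port_state=PORT_STATE):
    """Map every host seen in flows or inventory to its indicator hits."""
    hosts = set(src for src, *_ in flows) | set(tmp_files) | set(port_state)
    return {h: mozi_indicators(h, flows, tmp_files, port_state) for h in sorted(hosts)}

if __name__ == "__main__":
    for host, hits in triage().items():
        print(host, hits or "no indicators")
```

A host matching all three indicators at once is a strong candidate for the factory-reset and re-credentialing steps described in the removal section; a single hit (high UDP fan-out alone, say) usually needs a second look before acting.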

How to Know if You’re Infected with Mozi IoT Botnet?

If your network is suddenly sluggish or your router's lights are blinking like crazy for no reason, you might have an issue. Infected devices often exhibit high CPU usage, abnormal network activity, and may become unresponsive. Since Mozi blocks remote access ports, being unable to log into your device's admin panel could be another red flag. Running a network monitoring tool can help you spot the unusual traffic patterns associated with the botnet.

Mozi IoT Botnet Removal Instructions

Removing Mozi can be tricky due to its persistence mechanisms. A simple reboot might temporarily stop it, but the malware will likely re-infect the device if the underlying vulnerability isn't fixed.

The most effective removal method is to perform a factory reset of the infected device. This will wipe the malware completely. After resetting, it is CRITICAL to immediately change the default password to something strong and unique. You should also check for and apply any available firmware updates from the manufacturer to patch the vulnerabilities Mozi exploits. For more complex environments, tools like the Huntress Managed EDR can help detect and remediate threats that have gained a foothold.

Is Mozi IoT Botnet Still Active?

Here’s where the story gets interesting. In late 2023, a mysterious "kill switch" was activated that effectively dismantled a large portion of the Mozi botnet. An unknown actor pushed an update that disabled the malware and shut down its operations. While the primary botnet was neutralized, some variants may still exist, and the risk of re-infection on unpatched devices remains. Think of it as mostly dormant, but not completely extinct.

Mitigation & Prevention Strategies

Don't let your toaster join a botnet. Here are some solid steps to protect your network:

  • Change Default Passwords: This is the easiest and most important step. If your device is still using "admin/admin," you're asking for trouble.

  • Patch, Patch, Patch: Keep your device firmware updated. Manufacturers release patches to fix the very vulnerabilities that malware like Mozi loves to exploit.

  • Disable Unused Services: If you don't need Telnet or other remote management services, turn them off.

  • Use a Firewall: Configure your firewall to restrict access to IoT devices from the internet.

  • Network Segmentation: Isolate your IoT devices on a separate network segment to prevent a compromise from spreading to your critical systems.

  • Continuous Monitoring: This is where a solution like Huntress shines. With 24/7 monitoring from our Security Operations Center (SOC), we can help you detect and respond to threats before they can cause real damage. Our ITDR platform provides the visibility you need to keep your environment secure.

Mozi IoT Botnet Malware FAQs

Mozi is a peer-to-peer (P2P) botnet that infects Internet of Things (IoT) devices. It spreads by exploiting weak passwords and unpatched vulnerabilities. Once infected, a device joins a decentralized network of other "zombie" devices to launch DDoS attacks, execute malicious commands, and steal data.

Mozi primarily infects systems by scanning the internet for IoT devices with exposed Telnet ports. It then uses a list of common default credentials to brute-force its way in. It also leverages known remote code execution vulnerabilities to compromise and control unpatched devices.

The main Mozi botnet was largely dismantled in late 2023 by a mysterious kill switch. However, the threat isn't completely gone. Unpatched devices remain vulnerable to re-infection from remaining variants or copycat malware, so it's essential to stay vigilant and keep systems secured.

Organizations can protect themselves by enforcing strong, unique passwords on all IoT devices and disabling default credentials. It's also critical to regularly update device firmware, disable unnecessary services like Telnet, and segment IoT devices on the network. Employing a managed detection and response solution can provide continuous monitoring to catch threats early.
