Mozi Botnet Accounts for Most Traffic in Q1 2020, New Research Shows

Security researchers found that a relatively new botnet named Mozi has picked up steam and now accounts for a sharply rising share of observed IoT botnet traffic. It compromises devices with one of the most common techniques in this space: command injection.

Many of the current IoT botnets are Mirai-based and share code with that already famous malware. Mozi falls into the same category, integrating code from Mirai and several of its variants, but it also carries code of its own.

The main reason Mozi is making a splash and appears to dominate this space is its heavy use of command injection, one of the most common attack vectors against IoT devices: an exposed management interface passes attacker-controlled input into a shell command, and whatever the attacker appends is executed on the device. The constant increase in the number of IoT devices, combined with a pandemic that forced many people to work from home behind consumer routers, created a perfect storm for Mozi.
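To make the attack vector concrete, the following is an added example written for this article; it is not code from the article, from IBM, or from Mozi itself. It models the kind of router diagnostic endpoint that takes a host parameter and shells out, shows the vulnerable string-concatenation pattern next to a hardened version, and runs a simple detection check over a few constructed web-server log lines. The endpoint name (`/cgi-bin/ping.cgi`), the `host` parameter, the log lines and the `echo INJECTED` payload are all assumptions made for illustration; `echo` stands in for the real `ping` binary so the code runs offline, and the payload shape is generic, not a reproduction of any Mozi exploit.

```python
"""Command injection in an IoT-style diagnostic handler: vulnerable vs hardened,
plus a log check for injection attempts.

Added example, not code from the article or from the Mozi samples it describes.
The "ping" endpoint and the log lines below are constructed; `echo` replaces
the real ping binary so everything runs offline.
"""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit


def ping_vulnerable(host: str) -> str:
    """Builds a shell command by string formatting and runs it through sh.

    Anything the caller appends after ';' (or '|', '&&', backticks, ...) is
    executed as a second command. This is the bug class the article names;
    the payload syntax used in the demo is generic, not Mozi's.
    """
    cmd = f"echo ping {host}"                 # attacker input lands in shell syntax
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def ping_hardened(host: str) -> str:
    """Validates the input as an IP address and never invokes a shell.

    ipaddress.ip_address() rejects anything that is not a literal IPv4/IPv6
    address (raising ValueError), and passing an argv list to subprocess makes
    the value a single argument rather than shell text.
    """
    addr = ipaddress.ip_address(host.strip())  # raises ValueError on junk
    proc = subprocess.run(["echo", "ping", str(addr)],
                          capture_output=True, text=True)
    return proc.stdout


def is_injection_attempt(host: str) -> bool:
    """True when the parameter does not parse as a bare IP address.

    Allow-listing the expected shape is more robust than deny-listing
    individual metacharacters, which encoding tricks can slip past.
    """
    try:
        ipaddress.ip_address(host.strip())
        return False
    except ValueError:
        return True


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2020:10:01:02 +0000] "GET /cgi-bin/ping.cgi?host=8.8.8.8 HTTP/1.1" 200 312',
    '203.0.113.7 - - [12/Apr/2020:10:01:09 +0000] "GET /cgi-bin/ping.cgi?host=127.0.0.1%3Becho+INJECTED HTTP/1.1" 200 312',
    '10.0.0.9 - - [12/Apr/2020:10:02:44 +0000] "GET /status.html HTTP/1.1" 200 1024',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def flag_suspicious_requests(lines):
    """Returns (client_ip, decoded_host_value) for requests whose `host`
    query parameter does not look like an IP address."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs undoes percent-encoding and '+' so the check sees what
        # the device's CGI handler would have seen.
        params = parse_qs(urlsplit(m["target"]).query)
        for value in params.get("host", []):
            if is_injection_attempt(value):
                flagged.append((m["ip"], value))
    return flagged


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"      # constructed sample input
    print(repr(ping_vulnerable(payload)))     # second command runs
    try:
        ping_hardened(payload)
    except ValueError as exc:
        print("rejected:", exc)
    print(repr(ping_hardened("127.0.0.1")))
    print(flag_suspicious_requests(SAMPLE_LOG))
```

The fix is two separate controls, and both matter: validation alone still leaves a shell in the call path for the next parameter someone forgets to check, while an argv list alone still forwards whatever string arrived to the binary as its argument.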

“This startling takeover was accompanied by a huge increase in overall IoT botnet activity, suggesting Mozi did not remove competitors from the market,” says the IBM team. “Rather, it flooded the market, dwarfing other variants’ activity. Overall, combined IoT attack instances from October 2019, when attacks began to increase, through June 2020 notably is 400% higher than the combined IoT attack instances for the previous two years.”

Mozi has been active since 2019, and from October 2019 to June 2020 it accounted for 90% of observed IoT botnet traffic, dwarfing all other similar malware. It is a peer-to-peer (P2P) botnet that spreads to IoT devices using known exploits and weak Telnet passwords, both of which point to routers as its main target.

All of these botnets are used to launch distributed denial-of-service (DDoS) attacks or to send spam. While routers appear to be the preferred targets, commercial, industrial, and military IoT devices are also possible victims.