
Authors Detained but Mozi Botnet will Continue to Lurk, Here’s Why

Last week, it was revealed that the authors of the Mozi botnet were arrested by law enforcement agencies in June. Around the same time, a new Mozi variant was seen targeting network gateways from several vendors, including Netgear, ZTE, and Huawei, which shows that the botnet does not depend on its operators to keep running. Findings from a new report explain why Mozi, which accounted for 1.55 million infected nodes, will continue to lurk.

What has been discovered

Mozi uses a peer-to-peer (P2P) network structure. According to a recent report by Netlab, this is a major reason the malware keeps propagating even when some of its nodes go down: there is no central server whose loss would stop it.
  • The report describes Mozi as a set of node types (SK, FTP, SNS, and SSH) whose behavior is driven by configuration files. Supporting this variety of node types lets the botnet propagate across a larger number of devices.
  • Mozi_ftp is a PyInstaller-packaged mining trojan that spreads by brute-forcing weak FTP passwords. Another crypto-mining trojan, dubbed Mozi_ssh, was also uncovered and shows the same worm-like behavior.
  • For both trojans, the authors used the DHT+Config model as the base module and defined special tag commands in the configuration for each node type. This makes it convenient to develop the programs needed for new functional nodes in the botnet.

This ease of adding new functional nodes, combined with the P2P architecture for distributing configuration and with propagation over common services such as FTP and SSH, makes it possible for Mozi to expand rapidly.
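The propagation described above relies on guessing weak FTP and SSH passwords, which leaves a characteristic trail in authentication logs. The following is an added example, not code from the Netlab report or from Mozi, of a sliding-window detector that flags a source address after repeated failures and records any account it subsequently opens. It reads syslog-style lines in the OpenSSH sshd and pam_unix formats; the sample lines, hosts and addresses are constructed, and the window and threshold values are assumptions to tune per environment.

```python
"""Flag SSH/FTP password brute-forcing of the kind Mozi_ssh and Mozi_ftp use to spread.

Added example: not code from the Netlab report or from Mozi. It reads syslog-style
lines in the OpenSSH sshd and pam_unix formats; the sample lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # sliding window per source address (assumed tuning value)
THRESHOLD = 5         # failures inside the window that count as brute force (assumed)

# Constructed log lines (documentation-range addresses, no real hosts).
# 203.0.113.10 fails five times in five seconds and then logs in as root.
SAMPLE_LOG = [
    "Jan  7 10:00:01 gw sshd[2201]: Failed password for root from 203.0.113.10 port 51234 ssh2",
    "Jan  7 10:00:02 gw sshd[2202]: Failed password for admin from 203.0.113.10 port 51235 ssh2",
    "Jan  7 10:00:03 gw sshd[2203]: Failed password for invalid user support from 203.0.113.10 port 51236 ssh2",
    "Jan  7 10:00:04 gw sshd[2204]: Failed password for root from 203.0.113.10 port 51237 ssh2",
    "Jan  7 10:00:05 gw sshd[2205]: Failed password for root from 203.0.113.10 port 51238 ssh2",
    "Jan  7 10:00:06 gw sshd[2206]: Accepted password for root from 203.0.113.10 port 51239 ssh2",
    # A slow FTP scanner: one failure every two minutes never fills a 60-second window.
    "Jan  7 10:02:00 gw vsftpd[3301]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=198.51.100.7 user=admin",
    "Jan  7 10:04:00 gw vsftpd[3302]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=198.51.100.7 user=admin",
    "Jan  7 10:06:00 gw vsftpd[3303]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=root rhost=198.51.100.7 user=root",
    "Jan  7 10:30:00 gw sshd[2300]: Failed password for alice from 192.0.2.5 port 40000 ssh2",
]

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
SSH_OK = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port")
PAM_FAIL = re.compile(r"authentication failure;.*\brhost=(?P<ip>\S+)(?: user=(?P<user>\S+))?")


def parse_line(line):
    """Return (timestamp, kind, ip, user) with kind in {"fail", "ok"}, or None if irrelevant.

    Traditional syslog timestamps carry no year; datetime defaults to 1900, which is
    fine here because only differences between timestamps are used."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    msg = m["msg"]
    for kind, pat in (("fail", SSH_FAIL), ("ok", SSH_OK), ("fail", PAM_FAIL)):
        hit = pat.search(msg)
        if hit:
            return ts, kind, hit["ip"], hit["user"]
    return None


def detect_bruteforce(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {ip: {"failures": peak failures seen inside one window,
                    "compromised_users": accounts opened after the source was flagged}}.

    Only sources that reach `threshold` failures inside `window` seconds are reported;
    a success from an already flagged source is the signal that matters most."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, kind, ip, user = ev
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window:   # expire old failures
            q.popleft()
        if kind == "fail":
            q.append(ts)
            if len(q) >= threshold:
                rec = flagged.setdefault(ip, {"failures": 0, "compromised_users": []})
                rec["failures"] = max(rec["failures"], len(q))
        elif ip in flagged and user not in flagged[ip]["compromised_users"]:
            flagged[ip]["compromised_users"].append(user)
    return flagged


if __name__ == "__main__":
    for ip, rec in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {rec['failures']} failures within {WINDOW_SECONDS}s; "
              f"accounts opened afterwards: {rec['compromised_users']}")
```

On the constructed input only 203.0.113.10 is reported, with root listed as a compromised account; the slow FTP scanner at 198.51.100.7 stays below the threshold because its failures never share a 60-second window, which is the usual blind spot of count-based rules and a reason to also alert on any success that follows failures from the same source.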

Additional insights

Researchers also disclosed details about another Mozi bot sample, identified on January 7, 2020 and designated version v2s.
  • The v2s samples carry several additional features and enhancements compared to the earlier version, and they mostly target ARM and MIPS CPU architectures.
  • This version added the ability to determine the infected device's external (public) network address, and began using UPnP port mapping so that the bot's service remains reachable from the internet even when the device sits behind NAT.
  • These enhancements give a clearer separation between control nodes and improve the overall efficiency of the botnet.
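Because v2s keeps itself reachable through UPnP port mappings on the gateway, a defender can audit the gateway's mapping table for entries nobody asked for. The following is an added example, not Mozi code and not from the Netlab report: it builds the standard UPnP IGD WANIPConnection:1 request GetGenericPortMappingEntry, walks the table index by index until the gateway answers with error 713 (SpecifiedArrayIndexInvalid), and reports mappings that are not on an allowlist. The gateway replies are constructed so the script runs offline; the `send` transport, the allowlist and the sample mappings are assumptions, and in practice `send` would be an HTTP POST to the control URL taken from the gateway's device description.

```python
"""Enumerate and audit UPnP IGD port mappings, the mechanism Mozi v2s uses so a bot
behind NAT stays reachable. Added example: not Mozi code and not from the Netlab
report. Action and field names follow the UPnP WANIPConnection:1 specification; the
gateway replies below are constructed so the script runs offline. `send` is a
caller-supplied transport (in practice an HTTP POST to the IGD control URL).
"""
import xml.etree.ElementTree as ET

SERVICE_TYPE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CONTROL_NS = "urn:schemas-upnp-org:control-1-0"
ERR_INDEX_INVALID = "713"   # SpecifiedArrayIndexInvalid: walked past the end of the table


def build_request(index: int):
    """Return (headers, body) for GetGenericPortMappingEntry with NewPortMappingIndex=index."""
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{SERVICE_TYPE}#{ACTION}"',
    }
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{ACTION} xmlns:u="{SERVICE_TYPE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        f"</u:{ACTION}></s:Body></s:Envelope>"
    )
    return headers, body


def parse_response(xml_text: str):
    """Return the mapping fields as a dict (keys without the 'New' prefix), or None when the
    gateway reports error 713; any other UPnP error is raised."""
    root = ET.fromstring(xml_text)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        code = fault.findtext(f".//{{{CONTROL_NS}}}errorCode")
        if code != ERR_INDEX_INVALID:
            raise RuntimeError(f"UPnP error {code}")
        return None
    fields = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields


def enumerate_mappings(send, limit=1000):
    """Walk the mapping table from index 0 until the gateway returns error 713."""
    mappings = []
    for index in range(limit):
        entry = parse_response(send(*build_request(index)))
        if entry is None:
            break
        mappings.append(entry)
    return mappings


def audit(mappings, allowlist):
    """Return mappings whose (protocol, internal client, internal port) is not allowlisted."""
    return [m for m in mappings
            if (m["Protocol"], m["InternalClient"], m["InternalPort"]) not in allowlist]


# ---- constructed gateway (stands in for the real IGD) -------------------------------
def _entry(ext, proto, client, port, desc, lease="0", remote=""):
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:{ACTION}Response xmlns:u="{SERVICE_TYPE}">'
            f"<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
            f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>"
            f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
            f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
            f"<NewLeaseDuration>{lease}</NewLeaseDuration>"
            f"</u:{ACTION}Response></s:Body></s:Envelope>")


FAULT_713 = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
    "<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>"
    f'<detail><UPnPError xmlns="{CONTROL_NS}">'
    "<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription>"
    "</UPnPError></detail></s:Fault></s:Body></s:Envelope>"
)

# Constructed table: one expected mapping, then an undocumented one whose internal
# client is the gateway's own LAN address (a bot running on the gateway maps to itself).
CONSTRUCTED_REPLIES = [
    _entry("32400", "TCP", "192.168.1.20", "32400", "Plex Media Server"),
    _entry("41234", "TCP", "192.168.1.1", "41234", ""),
    FAULT_713,
]
ALLOWLIST = {("TCP", "192.168.1.20", "32400")}   # assumed: what this LAN is supposed to expose


def constructed_gateway(headers, body):
    """Stand-in transport: answers by the index found in the request body."""
    index = int(body.split("<NewPortMappingIndex>")[1].split("<")[0])
    return CONSTRUCTED_REPLIES[min(index, len(CONSTRUCTED_REPLIES) - 1)]


if __name__ == "__main__":
    for m in audit(enumerate_mappings(constructed_gateway), ALLOWLIST):
        print("unexpected mapping:", m)
```

An allowlist is deliberately the deciding rule rather than the description field: a bot can write any description it likes, but it cannot make its mapping point at a host and port the administrator has approved. Against a real gateway, swap `constructed_gateway` for a function that POSTs the headers and body to the WANIPConnection control URL and returns the response text.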

Ending notes

Most of Mozi's features and capabilities point to its persistence and scalability. Although the operators have been arrested and the samples are unlikely to receive updates anytime soon, the P2P design means the botnet never depended on infrastructure the arrests could take offline, so the threat can be expected to linger and keep compromising IoT devices.

Cyware Publisher
