Mozi Botnet: How An AI-Powered Solution Can Protect Industrial Operations


The Mozi botnet, a peer-to-peer (P2P) malware family, has haunted Internet of Things (IoT) devices since it was first identified in late 2019. From October 2019 to June 2020, the botnet accounted for 90% of observed IIoT network traffic. In other words, Mozi dwarfs the activity of similar malware, and it is a painful reminder of the Mirai botnet, which unleashed sweeping attacks around the globe in 2016.

A very real threat, the Mozi botnet uses command injection to compromise devices and has four major capabilities. It can:

  • Conduct distributed denial-of-service attacks (HTTP, TCP, UDP)
  • Carry out command execution attacks
  • Download malicious payload from specified URLs and execute it
  • Gather bot information

Though similar to Mirai, the Mozi botnet appears to originate from China. It also differs slightly from Mirai in that it specifically targets reduced instruction set computer (RISC)-based CPUs (MIPS/ARM), which have replaced x86-based processors in IoT devices. Looking at the malware itself, its techniques are fairly standard:

  • UPX packed to reduce payload size
  • Kills other processes to ensure the two ports it needs are open (modifies iptables rules to help ensure it is the only botnet on the device)
  • Uses Telnet coupled with a small dictionary of passwords commonly used in IoT devices
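Two of the traits listed above (UPX packing and a MIPS/ARM build target) are visible from a file's bytes alone, so a defender triaging a suspicious binary pulled off an IIoT device can check for them before running anything. The script below is an added example written for this post, not code from the original page or from SparkCognition's DeepArmor product. It reads the standard ELF identification block and `e_machine` field, and then looks for the literal `UPX!` marker that stock UPX leaves near the start and end of a packed file; the marker check is a heuristic (modified packers can strip it), and the sample inputs are constructed header-plus-filler blobs, not real malware.

```python
import struct

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification (only the ones needed here).
EM_386, EM_MIPS, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 8, 40, 62, 183
MACHINE_NAMES = {
    EM_386: "x86", EM_X86_64: "x86_64", EM_MIPS: "MIPS",
    EM_ARM: "ARM", EM_AARCH64: "AArch64",
}
# Architectures the post says Mozi is built for.
RISC_TARGETS = {EM_MIPS, EM_ARM}


def parse_elf_header(data: bytes) -> dict:
    """Decode the ELF identification block and the first two header words."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class = data[4]   # 1 = ELFCLASS32, 2 = ELFCLASS64
    ei_data = data[5]    # 1 = little-endian, 2 = big-endian (common on MIPS routers)
    fmt = ("<" if ei_data == 1 else ">") + "HH"
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "e_type": e_type,          # 2 = ET_EXEC, 3 = ET_DYN
        "e_machine": e_machine,
        "machine_name": MACHINE_NAMES.get(e_machine, f"unknown({e_machine})"),
    }


def is_upx_packed(data: bytes) -> bool:
    """Heuristic: stock UPX leaves a literal 'UPX!' marker in its loader info
    block and its trailing PackHeader. Modified packers can strip it, so a
    False result is not proof that the file is unpacked."""
    return b"UPX!" in data[:512] or b"UPX!" in data[-512:]


def triage(data: bytes) -> dict:
    """Combine the two checks into a verdict with the reasons spelled out."""
    hdr = parse_elf_header(data)
    packed = is_upx_packed(data)
    reasons = []
    if hdr["e_machine"] in RISC_TARGETS:
        reasons.append(f"built for {hdr['machine_name']}, an architecture Mozi targets")
    if packed:
        reasons.append("UPX marker present (packed payload)")
    # Both signals together match what the post describes; either alone is weak.
    verdict = "review" if len(reasons) == 2 else ("note" if reasons else "unremarkable")
    return {**hdr, "upx": packed, "verdict": verdict, "reasons": reasons}


def make_sample(e_machine: int, big_endian: bool = False, upx: bool = False) -> bytes:
    """Constructed test input: a minimal 32-bit ELF header plus filler, NOT a real binary."""
    endian = ">" if big_endian else "<"
    ident = ELF_MAGIC + bytes([1, 2 if big_endian else 1, 1, 0, 0]) + b"\x00" * 7
    header = ident + struct.pack(endian + "HH", 2, e_machine)   # ET_EXEC, e_machine
    body = header.ljust(64, b"\x00")
    if upx:
        body += b"UPX!" + b"\x00" * 60     # l_info-style marker shortly after the header
    body += b"\x00" * 1024                 # filler standing in for code and data
    if upx:
        body += b"UPX!" + b"\x00" * 28     # PackHeader-style trailer at the end of the file
    return body


if __name__ == "__main__":
    for label, sample in [
        ("mips-be-upx", make_sample(EM_MIPS, big_endian=True, upx=True)),
        ("arm-le-plain", make_sample(EM_ARM)),
        ("x86_64-plain", make_sample(EM_X86_64)),
    ]:
        print(label, triage(sample))
```

On a real sample, pass the file contents (`open(path, "rb").read()`) to `triage`; a "review" verdict only means the file deserves a closer look in a sandbox or with a proper unpacker, since many legitimate router firmware components are also MIPS or ARM builds and some are UPX packed.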

According to Juniper Research, the total number of IoT connections will reach 83 billion by 2024, and the industrial sector is expected to make up more than 70% of those connections. As the botnet continues to grow, players in the industrial space need to take extra measures to protect their most critical IIoT assets. Defensive measures such as creating strong passwords or reinstalling operating systems and applications simply aren’t proactive or future-proof enough to prevent a devastating attack.

However, industrial companies can leverage a scalable, artificial intelligence (AI)-powered solution to protect their assets and their operations. Our DeepArmor® Industrial cybersecurity product employs advanced software to protect operational technology (OT) environments from advanced cyber attacks such as the Mozi botnet.

If you had the DeepArmor Industrial product installed, you could effectively catch the initial payload before any command-and-control attacks occur and compromise your entire OT network. Even better, the DeepArmor Industrial product could quarantine the Mozi threat before it has a chance to execute, preventing the threat from the get-go. Our product’s ELF model catches the initial attack with 99.87% confidence. This will enable your operations to remain up and running and avoid significant production or safety costs.
