The Mozi botnet, a peer-to-peer (P2P) malware, has haunted Internet of Things (IoT) devices since first being identified in late 2019. And from October 2019 to June 2020, the botnet accounted for 90% of observed IIoT network traffic. In simpler terms, Mozi dwarfs activity from other similar malware, and is a painful reminder of the Mirai botnet, which unleashed sweeping attacks around the globe in 2016.
A very real threat, the Mozi botnet uses command injection to compromise devices and has four major capabilities. It can:
- Conduct distributed denial-of-service attacks (HTTP, TCP, UDP)
- Carry out command execution attacks
- Download malicious payload from specified URLs and execute it
- Gather bot information
Though similar to the Mirai attack, the Mozi botnet appears to be sourced from China. It is also slightly different from Mirai in that it targets reduced instruction set computer (RISC)-based CPUs (MIPS/ARM) specifically, which have replaced x86 based IoT devices. Diving into the virus specifically it is pretty standard:
- UPX packed to reduce payload size
- Kills other processes to ensure the 2 ports it needs are open (modifies IP tables to help ensure it is the only botnet on the device)
- Uses Telnet coupled with a small dictionary of passwords commonly used in IoT devices
According to Juniper Research, the total number of IoT connections will reach 83 billion by 2024, and the industrial sector is expected to make up more than 70% of those connections. As the botnet continues to grow, players in the industrial space need to take extra measures to protect their most critical IIoT assets. Certain cyber defense measures such as creating strong passwords or reinstalling operating systems and applications simply aren’t proactive and future-proof enough to prevent a devastating attack.
However, industrial companies can leverage a scalable, artificial intelligence (AI)-powered solution to protect their assets and their operations. Our DeepArmor® Industrial cybersecurity product employs advanced software to protect operational technology (OT) environments from advanced cyber attacks such as the Mozi botnet.
If you had the DeepArmor Industrial product installed, you could effectively catch the initial payload before any command-and-control attacks occur and compromise your entire OT network. Even better, the DeepArmor Industrial product could quarantine the Mozi threat before it has a chance to execute, preventing the threat from the get-go. Our product’s ELF model catches the initial attack with 99.87% confidence. This will enable your operations to remain up and running and avoid significant production or safety costs.