IBM X-Force discovers Mozi botnet accounts for 90% of IoT traffic

Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (

Security experts from IBM X-Force have discovered that the Mozi botnet now accounts for 90 percent of traffic from IoT devices.

Mozi evolved from the source codes of infamous malware families such as Mirai, IoT Reaper, and Gafgyt. The botnet is capable of DDoS attacks, data exfiltration, and command or payload execution.

IoT devices with weak security, predominately unpatched routers and DVRs, are sought by Mozi to add to its ranks. Mozi has compromised popular routers in the past—such as those from Netgear, D-Link, and Huawei.

Rather than remove competing malware variants from the market, Mozi added to them while also dwarfing their activity. IBM found that combined IoT attacks between October 2019 and June 2020 is 400 percent higher than for the previous two years.

IoT devices are offering the perfect target for hackers. They’re proliferating rapidly – with IDC estimating there will be 41.6 billion connected IoT devices by 2025 – and the rush to beat competitors to market are leaving serious vulnerabilities.

“Mozi continues to be successful largely through the use of command-injection (CMDi) attacks, which often result from the misconfiguration of IoT devices,” says IBM.

“The continued growth of IoT usage and poor configuration protocols are the likely culprits behind this jump. This increase may have been fueled further by corporate networks being accessed remotely more often due to COVID-19.”

IBM observed Mozi compromising devices by using a ‘wget’ shell command to download a file called mozi.a which is then executed on a microprocessor. Permissions are then altered to grant the attacker full control over the system and additional malware can subsequently be downloaded for specific types of attacks.

“IoT embedded systems commonly contain a web interface and a debugging interface left over from firmware development that can be exploited,” wrote IBM in an analysis.

“Second, PHP modules built into IoT web interfaces can be exploited to give malicious actors remote-execution capability. And third, IoT interfaces often are left vulnerable when deployed because administrators fail to harden the interfaces by sanitizing expected remote input. This allows threat actors to input shell commands such as ‘wget.’”

Mozi was first documented in late 2019. The botnet’s rapid rise to account for 90 percent of all IoT device traffic in under a year shows how serious vulnerabilities remain which need to be addressed.

“As newer botnet groups, such as Mozi, ramp up operations and overall IoT activity surges, organizations using IoT devices need to be cognizant of the evolving threat,” IBM concluded.

(Photo by Alessio Ferretti on Unsplash)

Interested in hearing industry leaders discuss subjects like this? Attend the co-located 5G Expo, IoT Tech Expo, Blockchain Expo, AI & Big Data Expo, and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London, and Amsterdam.

Tags: , , , , , , , , , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *