Written by: Amr Alashaal, A10 Networks
Malware has been playing an important role in the expansion of botnets, automating the process of bot infection and recruitment. These botnets are then used to launch large-scale DDoS attacks. One highly prevalent malware in the DDoS world is Mozi.
Mozi is a DDoS-focused botnet that utilizes a large set of Remote Code Executions (RCEs) to leverage CVEs in IoT devices for infection. These IoT devices include readily available and commonly used DVRs and network gateways. Once infected, the botnet uses peer-to-peer connectivity to send and receive configuration updates and attack commands. Mozi was first identified in 2019 and has been evolving and increasing in size ever since. It can now persist on network devices by infiltrating the device’s file system, remaining functional even after the device has been rebooted. During the first half of 2021, Mozi topped out at over 360,000 unique systems using more than 285,000 unique source IP addresses, likely due to address translation.
In order to protect their networks and resources, organizations need to take the following steps to block systems infected by Mozi and the malicious traffic generated by them:
Never Trust, Always Verify: Incorporate the Zero Trust model and its key principles into your security strategy. Create micro-perimeters within your networks. Limit access to your resources and invest in modern, AI/ML-based solutions. Ensure visibility into not only the endpoints and network nodes, but also into users, their activities, and workflows.
Investigate Whether You are Already Infected: The initial infection of Mozi comes in the form of RCEs sent using ports 80, 8080, 8443, etc. This can make initial infections stand out, which can help in tracking them with low false positives. If your network devices suddenly start generating abnormal amounts of TCP or UDP traffic, immediately isolate suspicious devices and limit the traffic originating from them. If this is not possible, then apply global rate limiting on all traffic until you track the source.
Observe and Block Commonly Exploited Ports: Incorporate the Zero Trust Closely monitor any traffic using TCP ports 60001, 37215, 5555, 52869, 49152, both before or after a suspected infection. While these aren’t the only ports Mozi uses, they may help find the needle in the haystack. As a general good practice, monitor and block sources that send TCP SYNs to ports 23 and 2323 as most malware use Telnet to initiate IoT device infections.
Take a Closer Look at the Payloads: If your network devices are generating large amounts of traffic, look at the payloads (i.e., the HTTP POST as shown on page 13). RegEx can be used to filter these malicious traffic requests out and block them before they infect other devices.
Block BitTorrent: Since BitTorrent is one of the most common peer-to-peer networks used by Mozi for Command and Control (C2) communications, any BitTorrent traffic coming into or going out of the network should be blocked. The sheer amount of BitTorrent traffic could be a dead giveaway of infection depending on your customer type.
Ensure Your Security is up to Date: Make sure your security infrastructure is updated regularly and that your IoT devices are running the latest version of firmware with all the necessary security patches applied. Keep track of CVEs for your network devices and seek out help if there are any patches available. If fixes are not readily available, take appropriate action based on the particular CVEs.
Employ or Review DDoS Baselining and AI/ML Techniques: Using modern DDoS techniques like baselining to see anomalous behavior versus historical norms, and AI/ML techniques, for detection and zero-day attack prevention, can be a force multiplier for your security team as manual tasks can be discovered and dealt with efficiently and 24×7.