Mozi
Background
Prof. Dietrich and his group are conducting research into malware that infects IoT devices and forms IoT botnets. As part of this work we developed a method to enumerate IoT devices that are likely infected with malware referred to as Mozi.
You may have arrived at this page because of a remediation report from the Shadowserver Foundation that is based on data from our research.
Spreading, removal and containment
Mozi spreads via a combination of weak Telnet credentials (guessing usernames and passwords) and exploits for vulnerabilities in IoT web interfaces. Since it persists on the infected device, a firmware reset (factory reset) or a restore from a known-good backup are two options, depending on the specific device, that may return it to an uninfected state. Given the number of different affected devices, we do not have device-specific instructions at this point. Note that a reset alone does not close the entry points above: change the Telnet credentials and apply available firmware updates for the web interface, otherwise the device can simply be reinfected.
To contain an infected device, block UDP traffic from the device to the BitTorrent DHT bootstrap nodes listed below (by domain name and by IPv4 address), then reboot the device:
- dht.transmissionbt.com
- router.bittorrent.com
- router.utorrent.com
- bttracker.debian.org
- 212.129.33.59
- 82.221.103.244
- 130.239.18.159
- 87.98.162.88
In addition, block outgoing TCP traffic from the device with destination ports 22, 23, 2323, 80, 81, 5555, 7574, 8080, 8443, 37215, 49152, and 52869, which cuts off its attempts to spread to other devices.
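The following is an added example, not tooling from the research group or from Shadowserver, that turns the two containment lists above into something a network operator can run: it flags outbound flows the policy would drop, scores LAN hosts so the infected device can be found, and renders the policy as an nftables ruleset plus dnsmasq sinkhole entries for the domain names. The "proto,src,dst,dport" flow format, the LAN prefix 192.168.1.0/24, the sample flows, and a gateway running nftables and dnsmasq are assumptions made for the example.

```python
"""Check exported flow records against the Mozi containment policy above.

Added example, not tooling from the research group or Shadowserver.
Assumptions (not from the page): a "proto,src,dst,dport" flow format,
the LAN prefix 192.168.1.0/24, and the constructed sample flows below.
"""
import ipaddress
from collections import Counter, defaultdict

# Values from the containment section of this page.
DHT_BOOTSTRAP_DOMAINS = (
    "dht.transmissionbt.com", "router.bittorrent.com",
    "router.utorrent.com", "bttracker.debian.org",
)
DHT_BOOTSTRAP_IPS = {"212.129.33.59", "82.221.103.244", "130.239.18.159", "87.98.162.88"}
BLOCKED_TCP_PORTS = {22, 23, 2323, 80, 81, 5555, 7574, 8080, 8443, 37215, 49152, 52869}

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: the LAN being checked

# Constructed sample flows (proto,src,dst,dport); not real captured traffic.
SAMPLE_FLOWS = """\
# proto,src,dst,dport
udp,192.168.1.23,212.129.33.59,6881
udp,192.168.1.23,87.98.162.88,6881
tcp,192.168.1.23,203.0.113.7,23
tcp,192.168.1.23,203.0.113.8,2323
tcp,192.168.1.23,203.0.113.9,37215
tcp,192.168.1.23,203.0.113.10,52869
tcp,192.168.1.50,93.184.216.34,443
tcp,192.168.1.50,93.184.216.34,80
udp,192.168.1.50,192.168.1.1,53
tcp,10.0.0.5,212.129.33.59,80
"""


def matches_policy(proto, dst, dport):
    """Return why this outbound flow would be dropped by the page's policy, or None."""
    if proto == "udp" and dst in DHT_BOOTSTRAP_IPS:
        return "udp-to-dht-bootstrap"
    if proto == "tcp" and dport in BLOCKED_TCP_PORTS:
        return f"tcp-dport-{dport}"
    return None


def classify(lines):
    """Return (src, dst, reason) for every LAN-originated flow matching the policy."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, dst, dport = line.split(",")
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in LOCAL_NET or dst_ip in LOCAL_NET:
            continue  # only traffic leaving the LAN is in scope
        reason = matches_policy(proto.lower(), dst, int(dport))
        if reason:
            hits.append((src, dst, reason))
    return hits


def suspects(lines, scan_threshold=3):
    """Hosts worth inspecting: any DHT bootstrap contact, or TCP hits on the
    blocked ports against at least scan_threshold distinct destinations.
    A single flow to port 80 or 8080 is ordinary browsing, so port hits only
    count when they fan out across many targets, as a scanner does."""
    dht_contacts = Counter()
    tcp_targets = defaultdict(set)
    for src, dst, reason in classify(lines):
        if reason == "udp-to-dht-bootstrap":
            dht_contacts[src] += 1
        else:
            tcp_targets[src].add(dst)
    result = {}
    for host in sorted(set(dht_contacts) | set(tcp_targets)):
        reasons = []
        if dht_contacts[host]:
            reasons.append("dht-bootstrap")
        if len(tcp_targets[host]) >= scan_threshold:
            reasons.append("port-scan")
        if reasons:
            result[host] = reasons
    return result


def nft_ruleset(src=LOCAL_NET):
    """Render the containment policy as an nftables ruleset for the gateway
    (load with `nft -f`). `src` should be the infected device's address once
    it is known; the LAN prefix is only a fallback."""
    ips = ", ".join(sorted(DHT_BOOTSTRAP_IPS, key=ipaddress.ip_address))
    ports = ", ".join(str(p) for p in sorted(BLOCKED_TCP_PORTS))
    return (
        "table inet mozi_contain {\n"
        f"  set dht_bootstrap {{ type ipv4_addr; elements = {{ {ips} }} }}\n"
        f"  set mozi_tcp_ports {{ type inet_service; elements = {{ {ports} }} }}\n"
        "  chain forward {\n"
        "    type filter hook forward priority 0; policy accept;\n"
        f"    ip saddr {src} ip daddr @dht_bootstrap meta l4proto udp counter drop\n"
        f"    ip saddr {src} tcp dport @mozi_tcp_ports counter drop\n"
        "  }\n"
        "}\n"
    )


def dnsmasq_sinkhole():
    """dnsmasq lines that answer the bootstrap names with 0.0.0.0, since a
    packet filter cannot match on domain names."""
    return "".join(f"address=/{d}/0.0.0.0\n" for d in DHT_BOOTSTRAP_DOMAINS)


if __name__ == "__main__":
    for host, why in suspects(SAMPLE_FLOWS.splitlines()).items():
        print(host, ", ".join(why))
    print(nft_ruleset("192.168.1.23"))
    print(dnsmasq_sinkhole())
```

Apply the rendered ruleset with `nft -f` on the gateway, then reboot the device as described above. Rendering with the infected device's address rather than the whole LAN prefix matters because ports 80, 8080 and 8443 carry ordinary web traffic for every other host. The bootstrap nodes' A records change over time, so either re-resolve the domain names whenever the rules are loaded or sinkhole them in the gateway's resolver as shown.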
Outlook
We are working on research to document the inner workings of Mozi and hope to release it publicly by the end of 2020. Further technical questions can be sent by email to mozi@internet-sicherheit.de.