Mozi, the notorious botnet puppeteering IoT devices by the hundreds of thousands each year, suddenly went dark in August. The mysterious nosedive in activity was unanticipated. ESET researchers have discovered a kill switch to take the botnet down.
The puzzling disappearance, firstly in India and a week later in China, stripped Mozi bots of most of their functionality. ESET researchers investigating the event discovered and were able to analyze the kill switch that disabled the zombie botnet.
“The person behind the takedown sent the control payload eight times, each time instructing the bot to download and install an update of itself via HTTP,” ESET researchers write
The kill switch was the configuration file inside a user datagram protocol (UDP). It demonstrated several functionalities, such as killing the parent process, including the original Mozi malware, disabling some system services, and replacing the original Mozi file with itself. The kill switch still allowed the execution of some router or device configuration commands, disabling ports, or maintaining the same foothold as the replaced Mozi file.
“Despite the drastic reduction in functionality, Mozi bots have maintained persistence, indicating a deliberate and calculated takedown,” researchers noted.
Botnet’s original source code had similarities with the kill switch. Also, correct private keys were used to sign the control payload.
ESET’s best working hypothesis suggests two potential originators of this takedown. One version is the Mozi botnet creators themselves, and the second is Chinese law enforcement forcing the cooperation of the creators.
In 2021, the 360 Netlab team announced that the Mozi author had been arrested.
“The sequential targeting of bots in India and then in China suggests that the takedown was carried out deliberately, with one country targeted first and the other a week later,” they write.
The findings are valuable for the intriguing technical information on how such botnets are created, operated, and dismantled. But for now, the question of who killed Mozi remains.
According to Microsoft, Mozi is a peer-to-peer (P2P) botnet that uses a BitTorrent-like network to infect IoT devices such as routers. It works by exploiting weak telnet passwords and nearly a dozen unpatched IoT vulnerabilities, and it has been used to conduct distributed denial-of-service (DDoS) attacks, data exfiltration, and command or payload execution. Mozi’s evolution allowed achieving persistence on network gateways manufactured by Netgear, Huawei, and ZTE.
More from Cybernews:
Subscribe to our newsletter