The Mozi botnet, known for exploiting vulnerabilities in a large number of Internet of Things (IoT) devices, experienced a sudden decline in activity in August 2023.
According to an advisory published by ESET security researchers today, the abrupt reduction in botnet activity was first detected in India on August 8 and later in China on August 16, marking a significant disruption to its operations.
The company’s investigation unveiled a hidden kill switch on September 27, 2023, which was responsible for the botnet’s decreased functionality. The control payload was identified inside a user datagram protocol (UDP) message that lacked the traditional encapsulation of BitTorrent’s distributed sloppy hash table (BT-DHT) protocol.
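As an added illustration (not code from ESET’s advisory or from Mozi itself), the Python below shows one defender-side heuristic that follows from that detail: a UDP datagram seen on DHT traffic that is not a well-formed bencoded KRPC message is worth flagging for inspection. The bencode grammar and the KRPC keys are the public BitTorrent conventions; the two sample datagrams are constructed, not captured traffic.

```python
"""Heuristic: does a UDP payload look like a BT-DHT (KRPC) message?

BT-DHT messages are bencoded dictionaries carrying a transaction id 't'
and a message type 'y' of b'q' (query), b'r' (response) or b'e' (error).
A datagram on DHT traffic that fails this shape check is a candidate for
closer inspection (constructed example, not ESET's detection logic).
"""

def bdecode(data: bytes):
    """Decode one bencoded value; return (value, bytes consumed).
    Raises ValueError on malformed or truncated input."""
    def _parse(i):
        c = data[i:i + 1]
        if c == b"i":                                  # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c in (b"l", b"d"):                          # list or dict container
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                if i >= len(data):
                    raise ValueError("unterminated container")
                v, i = _parse(i)
                items.append(v)
            if c == b"l":
                return items, i + 1
            if len(items) % 2:
                raise ValueError("dict with odd number of elements")
            return dict(zip(items[::2], items[1::2])), i + 1
        if c.isdigit():                                # string: <len>:<bytes>
            colon = data.index(b":", i)
            n = int(data[i:colon])
            start = colon + 1
            if start + n > len(data):
                raise ValueError("truncated string")
            return data[start:start + n], start + n
        raise ValueError(f"bad token at offset {i}")
    return _parse(0)

def is_krpc_message(payload: bytes) -> bool:
    """True if payload is exactly one bencoded dict shaped like a KRPC message."""
    try:
        msg, used = bdecode(payload)
    except (ValueError, TypeError, IndexError):
        return False
    return (used == len(payload) and isinstance(msg, dict)
            and b"t" in msg and msg.get(b"y") in (b"q", b"r", b"e"))

# Constructed samples: a genuine-looking DHT ping query, and a datagram that
# carries an unencapsulated blob where a KRPC dictionary would be expected.
DHT_PING = b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"
RAW_BLOB = b"\x7fELF" + b"\x00" * 12 + b"not bencoded at all"

def classify(datagrams):
    """Return the indexes of datagrams that are NOT valid KRPC messages."""
    return [i for i, d in enumerate(datagrams) if not is_krpc_message(d)]
```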
The kill switch performed several functions, including disabling the parent process, disabling system services, replacing the original Mozi malware, executing configuration commands, disabling access to various ports and establishing the same foothold as the replaced original Mozi file.
ESET identified two versions of the control payload, with the most recent version functioning as a container for the first with minor modifications. Even though the Mozi bots experienced a significant reduction in their capabilities, they still exhibited persistence, suggesting a deliberate and carefully executed takedown. The analysis revealed a substantial overlap between the botnet’s source code and the recently used binaries, including using the correct private keys to sign the control payload.
This discovery has led to two potential hypotheses regarding the origin of the takedown: it could have been executed by the Mozi botnet creators or, alternatively, by Chinese law enforcement, compelling the cooperation of the creators. The sequential targeting of bots in India and China suggests a strategic and coordinated effort.
“The demise of one of the most prolific IoT botnets is a fascinating case of cyber forensics, providing us with intriguing technical information on how such botnets in the wild are created, operated and dismantled,” ESET wrote in its advisory. “We are continuing to investigate this case and will publish a detailed analysis in the coming months. But for now, the question remains: Who killed Mozi?”