At the end of September 2023, “Mozi” suddenly came to an end. Until then, the IoT botnet had exploited vulnerabilities in hundreds of thousands of IoT devices every year. Chinese law enforcement may be responsible for the shutdown.
Until the end of September 2023, the Internet of Things botnet Mozi exploited vulnerabilities in hundreds of thousands of IoT devices such as Internet routers and digital video recorders every year - including in Germany. Its operators could use the botnet to launch DDoS (Distributed Denial of Service) attacks, exfiltrate data or execute arbitrary commands on the compromised devices. ESET researchers were able to show that a so-called “kill switch” heralded the end of Mozi and that Chinese law enforcement authorities may have been behind the shutdown.
Mozi shutdown became apparent early on
Even before Mozi was shut down, ESET observed an unexpected decline in botnet activity over the User Datagram Protocol (UDP). The decline started in India and continued seven days later in China. A few weeks later, the ESET team led by Ivan Bešina identified and analyzed the kill switch that sealed the end of Mozi. In IT, a kill switch is a mechanism used to switch off or shut down a device or program in an emergency.
“The downfall of one of the most prolific IoT botnets is a fascinating case for cyber forensics. This provides us with interesting technical insights into how such botnets are developed, operated and destroyed in the wild,” says ESET researcher Ivan Bešina.
Via update to the end
The Mozi bots lost their functionality due to a manipulated update. On September 27, 2023, ESET researchers discovered a configuration file in a UDP message that was missing the typical content and instead acted as a kill switch. It stopped the original Mozi malware, disabled certain system services, replaced the original Mozi file with itself, ran certain router/device configuration commands, and disabled access to various ports. Despite the drastic reduction in functionality, the Mozi bots persisted on the devices, indicating a planned shutdown rather than a crude takedown. ESET's analysis of the kill switch found a strong connection between the botnet's original source code and the final configuration file, suggesting a shutdown by the malware's creators - either of their own accord or under duress.
Perpetrator not clearly identified
“There are two possible causes for this breakdown. On the one hand, this would be the original creator of the Mozi botnet itself. On the other hand, evidence suggests that Chinese law enforcement authorities may have forced the original actor or actors to cooperate. The fact that India and then China were targeted may show that the disruption was deliberate,” explains Bešina.
More at ESET.com
About ESET
ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.