The prolific Mozi botnet, known for targeting internet of things (IoT) devices, has suddenly shut down, leading to speculation it was switched off by its creators at the behest of Chinese authorities.
Mozi was first observed in 2019 and has been linked through code overlap to the Mirai botnet. In 2020 IBM X-Force researchers said malicious Mozi activity accounted for almost 90% of observed IoT network traffic.
Since then, the botnet has continued to execute thousands of infections globally each day. But in August, ESET Research noticed a sudden drop in Mozi activity.
“The change was caused by an update to Mozi bots that stripped them of their functionality,” ESET researchers said in a Nov. 1 post.
The company’s telemetry data first showed a sharp drop in Mozi activity, including a complete halt to the botnet’s operations in India, on Aug. 8. That was followed eight days later by a similar shutdown in China, where Mozi originated.
Who flicked the kill switch?
After further investigation, the researchers discovered a kill switch on Sept. 27, which they analyzed to determine what caused the botnet to shut down.
“We spotted the control payload (configuration file) inside a user datagram protocol (UDP) message that was missing the typical encapsulation of BitTorrent’s distributed sloppy hash table (BT-DHT) protocol,” they said in their post.
“The person behind the takedown sent the control payload eight times, each time instructing the bot to download and install an update of itself via HTTP.”
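What gave the control payload away was the framing: a legitimate BT-DHT (KRPC) message is a bencoded dictionary carrying a transaction id (`t`) and a message type (`y`), and the takedown message had none of that. The following Python is an added example, not ESET's tooling or any Mozi code. It decodes bencode, checks whether a UDP payload has KRPC structure, and flags packets that arrive on a bot's DHT port without it. The sample packets are constructed for the example; nothing about Mozi's own configuration format is assumed.

```python
"""Flag UDP payloads that lack BT-DHT (KRPC) framing.

Added example: a minimal bencode decoder plus a structural check that a
payload is a well-formed KRPC message. Sample packets are constructed.
"""


def bdecode(data: bytes):
    """Decode one bencoded value; return (value, bytes_consumed).

    Raises ValueError on malformed or truncated input.
    """

    def parse(i):
        if i >= len(data):
            raise ValueError("truncated bencode")
        c = data[i:i + 1]
        if c == b"i":                       # integer: i<digits>e
            end = data.index(b"e", i)       # ValueError if no terminator
            return int(data[i + 1:end]), end + 1
        if c == b"l":                       # list: l<items>e
            i += 1
            items = []
            while data[i:i + 1] != b"e":
                v, i = parse(i)
                items.append(v)
            return items, i + 1
        if c == b"d":                       # dict: d<key><value>...e
            i += 1
            d = {}
            while data[i:i + 1] != b"e":
                k, i = parse(i)
                if not isinstance(k, bytes):
                    raise ValueError("dict key must be a byte string")
                v, i = parse(i)
                d[k] = v
            return d, i + 1
        if c.isdigit():                     # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            n = int(data[i:colon])
            start = colon + 1
            if start + n > len(data):
                raise ValueError("string overruns buffer")
            return data[start:start + n], start + n
        raise ValueError(f"unexpected byte {c!r} at offset {i}")

    return parse(0)


def looks_like_dht(payload: bytes) -> bool:
    """True if payload is exactly one bencoded dict with KRPC 't' and 'y' keys.

    'y' must be q (query), r (response) or e (error), and nothing may trail
    the dictionary: a valid message consumes the whole datagram.
    """
    try:
        msg, used = bdecode(payload)
    except ValueError:
        return False
    if used != len(payload) or not isinstance(msg, dict):
        return False
    return b"t" in msg and msg.get(b"y") in (b"q", b"r", b"e")


def flag_non_dht(payloads):
    """Indices of payloads seen on the DHT port that are not KRPC messages."""
    return [i for i, p in enumerate(payloads) if not looks_like_dht(p)]


# Constructed sample datagrams (node ids are placeholder bytes).
NODE_A = b"A" * 20
NODE_B = b"B" * 20
DHT_PING = b"d1:ad2:id20:" + NODE_A + b"e1:q4:ping1:t2:aa1:y1:qe"
DHT_PONG = b"d1:rd2:id20:" + NODE_B + b"e1:t2:aa1:y1:re"
RAW_CONTROL = b"\x00\x01constructed control payload, not bencoded"
TRUNCATED = b"d1:ad2:id20:AAAA"          # cut off mid-string
BENCODED_NOT_KRPC = b"li1ei2ee"           # valid bencode, but a list

SAMPLES = [DHT_PING, DHT_PONG, RAW_CONTROL, TRUNCATED, BENCODED_NOT_KRPC]

if __name__ == "__main__":
    for idx in flag_non_dht(SAMPLES):
        print(f"packet {idx}: no KRPC framing -> {SAMPLES[idx][:24]!r}")
```

The check is structural only: it will flag the raw payload ESET described, but it says nothing about whether a properly framed DHT message is benign, so treat a hit as a lead for packet capture and analysis rather than as proof of a control message.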
The kill switch terminated the original Mozi malware, disabled some system services, replaced the original Mozi binary with itself, executed router/device configuration commands, blocked access to various ports, and established the same foothold as the file it replaced.
“Despite the drastic reduction in functionality, Mozi bots have maintained persistence, indicating a deliberate and calculated takedown,” the researchers said.
“Our analysis of the kill switch shows a strong connection between the botnet’s original source code and recently used binaries, and also the use of the correct private keys to sign the control payload.”
One of the ESET researchers who investigated the botnet’s demise, Ivan Bešina, said the sequential shutdowns, first across the Indian network and then in China eight days later, further suggest a deliberate takedown exercise.
“There are two potential instigators for this takedown: the original Mozi botnet creator or Chinese law enforcement, perhaps enlisting or forcing the cooperation of the original actor or actors,” he said.
Is Mozi likely to mosey back?
While it remains to be seen whether Chinese authorities had a hand in the shutdown, it would not be the first time state actors have been involved in turning off a botnet.
In August the FBI led a global operation to take down the Qakbot botnet and untether the 700,000 computers it was controlling. The operation involved rerouting Qakbot traffic through FBI-controlled servers and triggering the download, onto infected machines, of code that uninstalled the malware.
The Mozi situation is quite different, however, with a new version of the malware maintaining persistence in the infected machines, leaving open the possibility the botnet could be reactivated.
The Emotet botnet went into a months-long period of inactivity in 2021 before returning to near daily activity.
ESET said it would continue to investigate the Mozi shutdown and planned to publish further analysis.
“The demise of one of the most prolific IoT botnets is a fascinating case of cyber forensics, providing us with intriguing technical information on how such botnets in the wild are created, operated, and dismantled,” Bešina said.