The cybersecurity researchers have developed theories regarding who might have taken down the Mozi botnet: it could have been China, India, or even the botnet’s creators themselves.
Earlier today on November 1st, 2023, ESET researchers observed a deliberate takedown of the infamous Mozi botnet, one of the largest and most active IoT (Internet of Things) botnets in the world. The takedown was likely carried out by the original Mozi botnet creator, Indian or Chinese law enforcement, perhaps enlisting or forcing the cooperation of the botnet operators.
The Mozi botnet was used to launch a variety of attacks, including distributed denial-of-service (DDoS) attacks, web scraping attacks, and click fraud attacks. It was also used to steal data from infected devices, including usernames, passwords, and credit card numbers.
Mozi botnet, known for exploiting vulnerabilities in hundreds of thousands of IoT devices, experienced an unexpected nosedive in activity during August 2023. This unforeseen disappearance, first observed in India on August 8th, 2023, and a week later in China on August 16th, stripped Mozi bots of a substantial part of their functionality, leaving cybersecurity experts puzzled and intrigued.
That’s where cybersecurity researchers decided to investigate the takedown of Mozi botnet unveiling a significant breakthrough on September 27th, 2023 by detecting a kill switch within a user datagram protocol (UDP) message.
According to ESET’s report, researchers spotted a control payload lacking the usual encapsulation of BitTorrent’s distributed sloppy hash table (BT-DHT) protocol. This control payload was relayed eight times, instructing the bot to download and install an update via HTTP.
The kill switch demonstrated multiple functions, including terminating the original Mozi malware, disabling certain system services, executing device configuration commands, and establishing a similar foothold as the replaced original Mozi file.
“The demise of one of the most prolific IoT zombie botnets is a fascinating case of cyber forensics, providing us with intriguing technical information on how such botnets in the wild are created, operated, and dismantled,” says ESET researcher Ivan Bešina, who investigated the disappearance of Mozi.
Interestingly, ESET’s analysis identified two versions of the control payload, with the latest one functioning as an envelope containing the first, incorporating minor modifications. Notably, the latest version contained an added function to ping a remote server, possibly for statistical purposes.
While the reduction in functionality was drastic, the Mozi bots retained persistence, suggesting a calculated takedown. The investigation revealed a strong connection between the botnet’s source code and the used binaries, along with the use of correct private keys to sign the control payload.
So who killed the Mozi botnet?
It is difficult to say for sure. However, there are a few possible explanations. One possibility is that the original Mozi botnet creator took down the botnet. The creator may have done this for a variety of reasons, such as wanting to distance themselves from the botnet’s criminal activities, the botnet was not profitable anymore or wanting to sell the botnet to another party.
Another possibility is that Chinese law enforcement took down the botnet. China has been cracking down on cybercrime in recent years, and the takedown of the Mozi botnet could be seen as part of this effort.
Regardless of who took down the Mozi botnet, the takedown is a positive development for the cybersecurity community. It is a sign that even the largest and most sophisticated botnets can be taken down, and it is a reminder that cybercriminals are not invincible.
“There are two potential instigators for this takedown: the original Mozi botnet creator or Chinese law enforcement, perhaps enlisting or forcing the cooperation of the original actor or actors. The sequential targeting of India and then China suggests that the takedown was carried out deliberately, with one country targeted first and the other a week later,” explains Bešina.
- World’s Most ‘Resilient Malware’ Botnet Emotet Taken Down
- Qakbot Botnet Disrupted, Infected 700,000 Computers Globally
- A Syntax Error Led to Crashing of KmsdBot Cryptomining Botnet
- Cyber Security companies dismantle Trickbot ransomware botnet
- Russian Rsocks Botnet Powered by Millions of IoT Devices Dismantled