Kill Switch Behind IoT Botnet Mozi’s Demise

News Desk -


ESET Research recently witnessed a surprising turn of events as one of the most notorious Internet of Things (IoT) botnets, known as Mozi, unexpectedly ceased its operations. Mozi was infamous for its exploitation of vulnerabilities in hundreds of thousands of IoT devices annually. The decline in activity was initially detected in India, followed by China a week later, all stemming from an update that rendered the Mozi bots non-functional. Several weeks after these developments, ESET researchers managed to uncover and analyze the kill switch responsible for the demise of Mozi.

Ivan Bešina, an ESET researcher who delved into Mozi’s disappearance, noted, “The demise of one of the most prolific IoT botnets is a captivating case of cyber forensics, shedding light on the intricate technical aspects of how such botnets are established, operated, and ultimately dismantled.”

On September 27, 2023, ESET researchers identified an unusual control payload (configuration file) carried in a UDP message that lacked the usual configuration content. This new payload was the kill switch that brought Mozi down. It terminated the parent process (the original Mozi malware), disabled certain system services, replaced the original Mozi file, ran several router/device configuration commands, and blocked access to various ports.

Although its functionality was drastically reduced, the Mozi bot itself remained on the infected devices, which points to a deliberate and methodical takedown rather than an accident. ESET's analysis of the kill switch showed a strong link between the botnet's original source code and the control payloads used in the takedown: the payloads were correctly signed with the private keys the bots expect, something only the holder of those keys could have done.
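To make concrete why the signature detail matters for attribution, here is an added example (it is neither ESET's nor Mozi's code, and the framing, opcodes, P-256 key type and the "disable" body are assumptions made for illustration). It models a bot that accepts a control payload only when the message verifies under the public key baked into the binary, and shows that a kill-switch payload signed by the key holder is accepted while the same payload re-signed by a stranger, or altered after signing, is dropped:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed opcodes for this illustration; Mozi's real control-payload format is not reproduced here.
const (
	OpConfig     uint16 = 0x0001 // ordinary configuration push
	OpKillSwitch uint16 = 0x00ff // "update" that strips the bot of its functions
)

// Payload is the parsed control message: an opcode and an opaque body.
type Payload struct {
	Opcode uint16
	Body   []byte
}

// ErrBadSignature is returned when the message was not signed by the key the bot trusts.
var ErrBadSignature = errors.New("control payload: signature does not verify under the embedded public key")

// encode serialises the signed part of the message: opcode | body length | body (big-endian).
func encode(p Payload) []byte {
	buf := make([]byte, 4+len(p.Body))
	binary.BigEndian.PutUint16(buf[0:2], p.Opcode)
	binary.BigEndian.PutUint16(buf[2:4], uint16(len(p.Body)))
	copy(buf[4:], p.Body)
	return buf
}

// Sign is the operator side: hash the encoded payload and append an ASN.1 DER ECDSA signature.
func Sign(priv *ecdsa.PrivateKey, p Payload) ([]byte, error) {
	if len(p.Body) > 0xffff {
		return nil, errors.New("control payload: body too long for 16-bit length field")
	}
	msg := encode(p)
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return append(msg, sig...), nil
}

// Verify is the bot side: check the framing, then accept the payload only if the signature
// verifies under the public key compiled into the bot. Anything else is discarded.
func Verify(pub *ecdsa.PublicKey, raw []byte) (Payload, error) {
	if len(raw) < 4 {
		return Payload{}, errors.New("control payload: too short for header")
	}
	n := int(binary.BigEndian.Uint16(raw[2:4]))
	if len(raw) < 4+n {
		return Payload{}, errors.New("control payload: truncated body")
	}
	msg, sig := raw[:4+n], raw[4+n:]
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return Payload{}, ErrBadSignature
	}
	return Payload{
		Opcode: binary.BigEndian.Uint16(raw[0:2]),
		Body:   append([]byte(nil), msg[4:]...),
	}, nil
}

// NewOperatorKey generates a P-256 key pair standing in for the botnet author's signing key.
func NewOperatorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func main() {
	author, _ := NewOperatorKey()   // holder of the real signing key
	stranger, _ := NewOperatorKey() // anyone else trying to push a kill switch

	kill := Payload{Opcode: OpKillSwitch, Body: []byte("disable")} // constructed sample

	genuine, _ := Sign(author, kill)
	if p, err := Verify(&author.PublicKey, genuine); err == nil {
		fmt.Printf("accepted opcode 0x%04x from the key holder\n", p.Opcode)
	}

	forged, _ := Sign(stranger, kill) // same bytes, wrong key
	if _, err := Verify(&author.PublicKey, forged); err != nil {
		fmt.Println("rejected forged payload:", err)
	}

	tampered := append([]byte(nil), genuine...) // genuine signature, altered body
	tampered[4] ^= 0x01
	if _, err := Verify(&author.PublicKey, tampered); err != nil {
		fmt.Println("rejected tampered payload:", err)
	}
}
```

The design point is the one the article turns on: because bots verify an asymmetric signature, a kill switch cannot be injected by a third party who merely observes or spoofs the UDP traffic; it has to come from whoever holds, or is given access to, the original private keys.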

Bešina explained, “Two potential entities could be behind this takedown: the original creator of the Mozi botnet or Chinese law enforcement, possibly leveraging the cooperation of the original actor or actors. The sequential targeting of India and then China suggests a deliberate takedown strategy, with one country being the initial target and the other following a week later.”