The Mozi Botnet Demise: ESET Researchers Reveal Takedown Tactics

Cybersecurity experts from ESET have reported a deliberate dismantling of the Mozi botnet, which had infiltrated over a million Internet of Things (IoT) devices worldwide.

Uncovered by 360 Netlab in 2019, Mozi is a botnet that capitalizes on weak telnet passwords and well-documented vulnerabilities to commandeer domestic routers and DVRs. Through these compromised devices, the botnet executed distributed denial-of-service (DDoS) attacks, disseminated malware, and extorted data. Since its detection, Mozi has infected over 1.5 million devices, with at least 830,000, primarily located in China.

In August 2021, Microsoft warned that Mozi had evolved, achieving persistence on network gateways manufactured by Netgear, Huawei, and ZTE. That same month, 360 Netlab reported aiding Chinese law enforcement agencies in the arrest of Mozi’s creators.

ESET, which commenced its investigation into Mozi a month before these arrests, observed a significant decline in the botnet’s activity in August of this year.

Ivan Bešina, a senior malware researcher at ESET, commented on monitoring approximately 1,200 unique devices daily worldwide before this event. “We saw 200,000 unique devices in the first half of this year and 40,000 unique devices in July 2023. After the drop, our monitoring tool was only able to probe about 100 unique devices daily,” Bešina stated.

This decrease in activity was initially noted in India and then China, which together account for 90% of all infected devices globally, added Beshina, noting that Russia holds third place in the number of infected devices, followed by Thailand and South Korea.

The decline in activity was caused by an update to the Mozi bots, which stripped them of their functionality. ESET reports that an analysis of the update revealed a direct link between the botnet’s source code and recently used binary files, suggesting a calculated and intentional destruction.

Researchers surmise that the deactivation was likely carried out by Mozi’s creators or the Chinese law enforcement agencies, possibly coercing the botnet’s operators into collaboration.

“The biggest piece of evidence is that this kill switch update was signed with the correct private key. Without this, the infected devices would not accept and apply this update,” Beshina noted.

“As far as we know only the original Mozi operators had access to this private signing key. The only other party that could reasonably acquire this private signing key is the Chinese law enforcement agency that caught the Mozi operators in July 2021.”

Beshina noted that the analysis of the disabling updates indicated they were compiled from the same foundational source code base. “The new kill switch update is just a ‘stripped down’ version of the original Mozi,” Beshina explained.

The presumed annihilation of Mozi occurred several weeks after the FBI eradicated and dismantled the notorious Qakbot botnet, a trojan infamous for providing initial access to victims’ networks for other hackers who purchase this access to implant their malicious software.