Somebody Just Killed the Mozi Botnet


The Mozi botnet is now a shell of its former self, thanks to a de facto kill switch triggered in August.

Active since September 2019, Mozi is a peer-to-peer (P2P) botnet that enables distributed denial-of-service (DDoS) attacks, as well as data exfiltration and payload execution. It infects Internet of Things (IoT) devices — using network gateways, for example, as an inroad for more powerful compromises — and its source code has roots in other IoT-based botnets, including Mirai, Gafgyt, and IoT Reaper.

Once the most prolific botnet in the world, Mozi has now all but shut down. In a blog post published Nov. 1, researchers from ESET speculated that the creators, or possibly the Chinese government, were responsible for distributing an update that killed its ability to connect to the outside world, leaving only a small fraction of working bots standing.

“The new kill switch update is just a ‘stripped down’ version of the original Mozi,” explains Ivan Bešina, senior malware researcher for ESET. “It has the same persistence mechanism, and it sets up the firewall in the same way as Mozi, but it lacks all of its networking capabilities,” rendering it useless for any future operations.

Mozi’s Disappearing Act

Even in its earliest days, Mozi was a force to be reckoned with. According to IBM’s X-Force, from late 2019 through mid-2020, it accounted for 90% of global botnet traffic, causing a massive spike in botnet traffic overall. As recently as 2023, ESET tracked over 200,000 unique Mozi bots, though there could have been many more.

Now it’s gone, even more quickly than it came.

On Aug. 8, instances of Mozi within the country of India fell off a cliff. On Aug. 16, the same thing occurred in China. The botnet has now all but vanished in both countries, and global instances are down to a small fraction of what they once were.

[Figure: Mozi configs globally, in India, and in China. Source: ESET]

On Sept. 27, researchers from ESET discovered the cause: a configuration file inside a user datagram protocol (UDP) message, sent to Mozi bots, with instructions to download and install an update.

The update was, in effect, a kill switch.

It replaced the malware with a copy of itself, and triggered a few other actions on host devices: disabling certain services, access to…

Source…