
Solving the Mystery of Mozi’s Murder and Putting the IoT Zombie Botnet to Rest


ESET Research recently uncovered a significant development: a kill switch that brought down the infamous Mozi botnet. Mozi, known for exploiting vulnerabilities in IoT devices, suffered a sudden and unexpected drop in activity in August 2023, and working out why is a notable piece of cyberforensics.

The first signs of Mozi’s decline were observed in India on August 8th, 2023, followed by a similar decline in China on August 16th. The drop stripped Mozi bots of a significant portion of their functionality, raising the question of what caused such a drastic reduction in activity.

After a thorough investigation, ESET Research identified a control payload inside a User Datagram Protocol (UDP) message that lacked the encapsulation normally used by BitTorrent’s distributed sloppy hash table (BT-DHT) protocol, the peer-to-peer channel Mozi bots communicate over. This control payload was sent multiple times and instructed the bot to download and install an update of itself via HTTP. The update acted as a kill switch: it kills the parent process (the original Mozi malware), disables system services, replaces the original Mozi file, executes router/device configuration commands, and blocks access to various ports.
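The anomaly ESET describes, a UDP datagram on a Mozi bot’s DHT channel that is not wrapped in BT-DHT framing, can be turned into a simple detection check. The Python below is an added example, not ESET’s code and not Mozi’s: it decodes bencoded BT-DHT messages (the KRPC format from BEP 5) and flags datagrams that do not parse as one. All sample datagrams are constructed for this example; the "control-style" one is a placeholder with a TEST-NET address, not Mozi’s real control-payload format, which the page does not describe.

```python
"""Flag UDP datagrams on a DHT port that are not well-formed KRPC (BEP 5) messages.

KRPC messages are bencoded dictionaries with a transaction id "t" and a type
"y" of "q" (query), "r" (response) or "e" (error). Anything else arriving on a
bot's DHT port is out-of-band traffic worth a closer look.
Sample datagrams below are constructed for this example, not captured traffic.
"""


def bdecode(data: bytes):
    """Decode one bencoded value. Returns (value, bytes_consumed); ValueError if malformed."""
    def _decode(i):
        if i >= len(data):
            raise ValueError("truncated input")
        c = data[i:i + 1]
        if c == b"i":                      # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                      # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                v, i = _decode(i)
                items.append(v)
            return items, i + 1
        if c == b"d":                      # dict: d<key><value>...e, keys are byte strings
            d, i = {}, i + 1
            while data[i:i + 1] != b"e":
                k, i = _decode(i)
                if not isinstance(k, bytes):
                    raise ValueError("dict key must be a byte string")
                v, i = _decode(i)
                d[k] = v
            return d, i + 1
        if c.isdigit():                    # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            n = int(data[i:colon])
            start = colon + 1
            if start + n > len(data):
                raise ValueError("truncated string")
            return data[start:start + n], start + n
        raise ValueError(f"bad token at offset {i}")

    return _decode(0)


def classify_dht_datagram(payload: bytes) -> str:
    """Return 'krpc' for a well-formed KRPC message, otherwise a short reason."""
    try:
        msg, used = bdecode(payload)
    except ValueError:
        return "not-bencode"
    if used != len(payload):
        return "trailing-bytes"           # valid prefix followed by extra data
    if not isinstance(msg, dict):
        return "not-dict"
    if b"t" not in msg or b"y" not in msg:
        return "missing-t-or-y"
    y = msg[b"y"]
    if y == b"q":
        ok = isinstance(msg.get(b"q"), bytes) and isinstance(msg.get(b"a"), dict)
    elif y == b"r":
        ok = isinstance(msg.get(b"r"), dict)
    elif y == b"e":
        ok = isinstance(msg.get(b"e"), list)
    else:
        return "unknown-y"
    return "krpc" if ok else "malformed-" + y.decode()


# Constructed sample datagrams (not real Mozi or DHT captures).
SAMPLES = {
    "ping-query": b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe",
    "ping-response": b"d1:rd2:id20:" + b"B" * 20 + b"e1:t2:aa1:y1:re",
    "error": b"d1:eli201e23:A Generic Error Ocurrede1:t2:aa1:y1:ee",
    "query-without-args": b"d1:q4:ping1:t2:aa1:y1:qe",
    "no-type-field": b"d1:t2:aae",
    # Placeholder for a non-DHT control message; NOT Mozi's actual format.
    "control-style": b"\x00\x01update http://198.51.100.7/upd\x00",
}


def scan(samples=SAMPLES):
    """Classify every sample; return {name: verdict} so callers can alert on non-'krpc'."""
    return {name: classify_dht_datagram(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        flag = "" if verdict == "krpc" else "  <-- not DHT framing"
        print(f"{name:20s} {verdict}{flag}")
```

In a real deployment the same check would run on datagrams to the bot’s DHT port; the interesting events are the non-"krpc" verdicts, since a legitimate DHT peer never sends anything else on that socket.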

Analysis of the kill switch revealed a strong connection between the botnet’s original source code and the recently used binaries, as well as the use of the correct private keys to sign the control payload. Because Mozi bots only act on signed control payloads, whoever issued the kill switch held the operators’ signing keys, which rules out an outsider simply injecting messages into the P2P network. This points to a deliberate and calculated takedown, and to the hypothesis that its originators were either the Mozi botnet creators themselves or Chinese law enforcement coercing the creators’ cooperation.

The staggered targeting of bots, India first and China about a week later, supports the same reading: the takedown was sequenced rather than broadcast all at once, consistent with a carefully orchestrated effort to dismantle the botnet.

The demise of the Mozi botnet offers valuable insight into the technical aspects of botnet creation, operation, and dismantling, and presents an intriguing case for cyberforensics. ESET Research continues to investigate and aims to publish a detailed analysis in the coming months to shed light on the mysterious takedown of Mozi.

As the cybersecurity community ponders the question of who killed Mozi, ESET Research remains dedicated to providing cutting-edge research and insights into the evolving cyber threat landscape. With continued investigations into cases like the Mozi botnet takedown, ESET Research aims to contribute to the advancement of cybersecurity practices and technologies.

For any inquiries about ESET Research’s findings and publications, interested parties are encouraged to contact the team at threatintel@eset.com. Additionally, ESET Research offers private APT intelligence reports and data feeds, providing a valuable resource for organizations looking to enhance their cybersecurity capabilities. For inquiries about this service, readers can visit the ESET Threat Intelligence page for more information.
