Mozi Malware Botnet Deactivated by Mysterious Kill-Switch, DDoS Threats Remain

The Mozi malware botnet, a notorious distributed denial of service (DDoS) threat that targeted IoT devices since its emergence in 2019, abruptly went dark in August, leaving cybersecurity experts and authorities puzzled. The unexpected halt in Mozi’s activities occurred after an enigmatic entity initiated a kill switch on September 27, 2023, effectively deactivating all the infected bots.

Mozi specialized in exploiting known vulnerabilities or weak default passwords to compromise a wide range of IoT devices, including routers, digital video recorders, and other internet-connected gadgets. It incorporated these devices into a decentralized peer-to-peer network, with communication facilitated through BitTorrent’s distributed hash table (DHT) protocol.

Mozi's activity declined sharply beginning on August 8, 2023, when operations ground to a halt in India. Subsequently, on August 16, 2023, a similar abrupt cessation of activity was observed in China, the botnet's country of origin. The decisive move came on September 27, 2023, when an unidentified actor sent a series of UDP messages to all Mozi bots, instructing them to download an update via HTTP.

This action resulted in a cascade of consequences: termination of the Mozi malware process, disabling of specific system services (such as sshd and dropbear), replacement of the Mozi file, execution of device configuration commands, blocking of access to various ports, and establishment of a foothold for the new payload.

One intriguing aspect of this takedown is that the entity behind it chose to maintain persistence for the new payload, which also possessed the capability to ping a remote server for tracking purposes. This implies a well-coordinated and controlled effort to dismantle the botnet.

There are similarities between the original Mozi code and the binaries used in the takedown. Notably, the takedown binaries carried the correct private keys for signing the payload, which is why the bots accepted it; this suggests the potential involvement of the original botnet creators and/or Chinese law enforcement. However, this aspect of the operation remains shrouded in mystery.

While the disruption of the Mozi botnet is a positive development, the threat of DDoS attacks originating from other malware botnets continues to loom large. Cybersecurity experts emphasize the importance of regular device updates and the use of strong passwords. As the cybersecurity landscape evolves, it is crucial for users to remain vigilant and proactive in securing their IoT devices and networks to protect against the ever-persistent threat of DDoS attacks.