Mozi malware botnet goes dark after mysterious use of kill-switch


Mozi malware botnet activity faded away in August after a mysterious, unknown actor sent a payload on September 27, 2023, that triggered a kill switch to deactivate all bots.

Mozi is a well-known DDoS (distributed denial of service) malware botnet that emerged in 2019, mainly targeting IoT devices such as routers, digital video recorders, and other internet-connected gadgets.

The malware leveraged known vulnerabilities or weak default passwords to compromise devices and make them part of its decentralized peer-to-peer network, where they communicate using BitTorrent's DHT (distributed hash table) protocol.

Mozi mysteriously killed 

Today, ESET reported that its telemetry data showed a sharp drop in Mozi activity on August 8, 2023, starting with a halt to all operations in India.

This was followed by a similar abrupt termination of activity in China, where the botnet originated, on August 16, 2023.

Observed Mozi activity (ESET)

Finally, on September 27, 2023, a UDP message was sent to all Mozi bots eight times, instructing them to download an update via HTTP, which caused the following:

  • Termination of the Mozi malware process,
  • Disabling certain system services (sshd and dropbear),
  • Replacement of the Mozi file,
  • Execution of device configuration commands,
  • Blocking access to various ports,
  • Establishing a foothold for the new file.

The fact that whoever pressed the kill switch opted to maintain persistence for the new payload, which can also ping a remote server to aid in tracking, implies a controlled takedown.

ESET's code analysis showed strong similarities between the original Mozi code and the binaries used in the takedown, which contained the correct private keys for signing the payload.

Original Mozi code (left) and kill switch payload (right) (ESET)

This hints at the involvement of either the original botnet creators and/or Chinese law enforcement in the takedown, but for now, this remains unanswered.

Despite the good news of one of the most prolific botnets going offline, there are, unfortunately, many more DDoS malware botnets scanning the web daily for vulnerable IoTs.

Therefore, users should patch their devices using the latest firmware version, use strong passwords, and isolate them from critical networks.