
The end of the Mozi botnet: Who shut it down?
by Tina Siering

The end of the Mozi botnet: Who shut it down?
The Mozi malware first appeared in 2019 and managed to infect more than 1.5 million IoT devices worldwide in just a few years. The malware specialises in IoT end devices and DSL routers and is designed to create large-scale botnets, which were subsequently used for DDoS attacks, exfiltrating data or executing arbitrary commands, among other things. The geographical focus of Mozi is in China, although numerous infections have also been observed by security researchers in Germany. The Mozi botnet was suddenly shut down at the end of September 2023. Chinese law enforcement authorities may be behind the end of Mozi.
4 years of the Mozi botnet and the consequences
At the end of 2019, security experts from IMB X-Force first became aware
of the Mozi malware. The malware is largely similar in its code to another malware called Mirai, so it is not a spectacular new development on the malware market.
What was striking about Mozi, however, was the speed with which the malware was able to infect IoT devices. Mozi displaced its cybercriminal "competitors" with a flood of infections - between October 2019 and June 2020, Mozi was responsible for almost 90% of the malicious IoT network traffic monitored by security teams. Mozi is - or rather was - specialised in connecting DSL routers and IoT devices into a peer-to-peer network. This was then exploited by the operators of the malware for large-scale DDoS attacks, data espionage or the execution of commands in compromised networks.
The perfidious thing is that while traditional IT systems and networks in companies, organisations and even private households are now largely protected against cyber attacks, protective measures for Internet-enabled end devices - such as the aforementioned DSL routers, smart home devices connected to the Internet or even production machines - can all too often still be described as rudimentary at best. The authors of the malware were well aware of this global vulnerability and managed to exploit hundreds of thousands of vulnerabilities in IoT devices year after year. Official sources do not reveal who exactly is responsible for what is probably the most prolific botnet of recent years. However, security researchers suspect that a Chinese cybercriminal collective is behind Mozi due to the geographical focus of the malware's distribution.
August 2023: The beginning of the end for Mozi
Cybercriminal activities are closely monitored by numerous security teams worldwide. This includes Mozi, the worm of unknown origin notorious for its high level of activity. In August, security tools recorded a sudden, completely unexpected drop in activity. On 8 August 2023, Mozi was first shut down in India, then on 16 August 2023 in China as well. This strict geographical separation drew the attention of security experts even more - because a planned, organised shutdown of the malicious code can be deduced here.
September 2023: Shutdown by kill switch
The suspected planned shutdown of the Mozi botnets in China and India led to further investigations. ESET security teams were able to detect the malware's configuration file in a UDP message in September 2023. This configuration file lacked the otherwise typical encapsulation of the BT-DHT protocol. The configuration file, also known as a control payload, was traceably sent to the bot exactly eight times by the actors behind Mozi. Each time, the file instructed the bot to download an update of itself via HTTP. The bot was thus deprived of its most important functions. Among other things, the commands led to the termination of the parent Mozi malware, the deactivation of system services, the termination of access to various ports of the infected end devices and the setting up of the same persistence as the replaced, original Mozi file. In the course of their investigations, the security experts discovered two versions of the configuration file. The newer version is a kind of packaging that contains the original version with minor changes. The interesting thing here is the added version, which can be used to ping a remote server. Security experts suspect that this is being used for statistical purposes.
The configuration file clearly serves as a planned kill switch that terminates the functionality of the Mozi botnet - and at the same time maintains persistence. For security experts, this makes it clear that the botnet was calculated and deliberately shut down.
Who is responsible for the end of Mozi?
After thoroughly analysing the kill switch, a close link between the original source code and a correct private signature key for the control payload was discovered. This detail allows a hypothetical conclusion to be drawn - namely that there are two possible actors who were responsible for the demise of Mozi. Firstly, the creators of Mozi - who naturally have the skills to shut down their own creation efficiently, in a controlled manner and quickly. On the other hand, Chinese law enforcement authorities could also have caused the shutdown of Mozi. It is possible that one of the creators - or an entire group - was targeted by the Chinese authorities and forced to dismantle the botnet. An intended end to the Mozi malicious code is almost certain - this can be explained by the fact that Mozi was first rendered inoperable in India and then, just a few days later, in China.
An interesting case for security researchers
A sudden, controlled and traceable shutdown of one of the most efficient and productive botnets in the IoT sector to date is not an everyday occurrence, even for experienced IT security researchers and forensic experts. The Mozi
case has attracted a great deal of attention - not only in India and China, but worldwide. The botnet impressively demonstrates how much the threat situation can move under the radar of conventional security mechanisms. IoT devices and DSL routers are at the bottom of many security concepts - a mistake, as the extremely rapid spread of Mozi has shown. Even if it is still not clear whether the authors of the malicious code have heralded the end of a malware era by their own decision or through pressure from law enforcement authorities: We can breathe a sigh of relief for the time being, at least the Mozi botnet no longer poses a threat.