New Takedown Of Mozi Botnet: A Blow To Internet Of Things Security


A significant blow has been delivered to the notorious Mozi botnet, according to security researchers. Mozi, which had infiltrated over a million Internet of Things (IoT) devices worldwide, was observed undergoing a “deliberate and calculated takedown.” This development marks a significant victory for cybersecurity efforts and could help bolster IoT security moving forward.

Key Takeaways

  • The notorious Mozi botnet, which targeted IoT devices worldwide, has been observed undergoing a “deliberate and calculated takedown”.
  • Evidence suggests that the takedown was likely carried out by the original botnet creator or Chinese law enforcement.
  • This victory highlights the importance of proactive cybersecurity measures to tackle IoT threats and protect vulnerable devices.

Mozi Botnet: An IoT Threat

Mozi is a peer-to-peer IoT botnet that gained notoriety for exploiting weak telnet passwords and known exploits to hijack home routers and digital video recorders. Since its discovery in 2019, Mozi has infected more than 1.5 million devices. The majority of these devices, around 830,000, are believed to have originated from China. Mozi utilized these compromised devices to launch distributed denial-of-service (DDoS) attacks, execute payloads, and exfiltrate data.

Observing the Demise of Mozi

Researchers at cybersecurity firm ESET had been closely monitoring Mozi prior to its sudden demise. The company had witnessed a dramatic drop in Mozi’s activity in August of this year. From monitoring approximately 1,200 unique devices daily worldwide, ESET saw a significant reduction to only 100 unique devices daily. This decline started in India and then spread to China, with both countries accounting for 90% of infected devices globally.

ESET’s analysis revealed that this decrease in activity was caused by an update to Mozi bots, which stripped them of their functionality. Researchers were able to identify and analyze the kill switch responsible for the demise of Mozi. This kill switch not only disabled the Mozi malware but also executed various commands to disable system services, configure routers and devices, and disable access to certain ports.

Deliberate and Calculated Takedown

Evidence suggests that the takedown of Mozi was a deliberate and calculated effort. ESET’s analysis of the kill switch update showed a strong connection between the botnet’s original source code and the recently used binaries. This indicates that the takedown was likely carried out by the original Mozi botnet creator or Chinese law enforcement, potentially with the cooperation or forced involvement of the botnet operators.

The fact that the kill switch update was signed with the correct private key is a significant piece of evidence. Only the original Mozi operators or the Chinese law enforcement agency that apprehended them in July 2021 would have had access to this private signing key. Furthermore, ESET’s analysis revealed that the kill switch update was compiled from the same base source code as the original Mozi, suggesting a direct link.

Implications for IoT Security

The takedown of the Mozi botnet is a significant milestone in the ongoing battle against IoT threats. It highlights the importance of proactive cybersecurity measures to identify and neutralize botnets that exploit vulnerable IoT devices. While this takedown is a positive development, it serves as a reminder of the ever-present cybersecurity risks faced by IoT users and the continuous efforts required to stay ahead of malicious actors.
