Somebody Just Killed the Mozi Botnet

November 3, 2023 at 02:46PM

The Mozi botnet, once the most prolific in the world, has been effectively shut down by a kill switch triggered in August. The botnet, which enabled Distributed Denial of Service (DDoS) attacks and compromised Internet of Things (IoT) devices, is now largely non-functional. Researchers speculate that the creators or the Chinese government may be responsible for distributing the update. The kill switch update has disabled Mozi’s networking capabilities, rendering it useless for future attacks. The botnet’s disappearance has made infected devices more resilient to future malware infections.

The Mozi botnet, previously one of the most prolific botnets in the world, has been significantly weakened. In August, a de facto kill switch was triggered, effectively shutting down the botnet. Mozi was a peer-to-peer botnet that enabled distributed denial-of-service attacks, data exfiltration, and payload execution. It primarily infected Internet of Things devices and had roots in other IoT-based botnets such as Mirai, Gafgyt, and IoT Reaper.

Researchers speculate that the creators of Mozi or possibly the Chinese government distributed an update that disabled its ability to connect to the outside world. Now, only a small fraction of working bots remain. The kill switch update is a stripped-down version of the original Mozi, lacking networking capabilities.

Mozi accounted for 90% of global botnet traffic from late 2019 to mid-2020. However, instances of Mozi rapidly declined in India and China in August, and now the botnet is almost non-existent in those countries. As of September, there were still over 200,000 unique Mozi bots tracked by ESET, but the number has significantly decreased.

The cause of the decline was discovered to be a configuration file within a user datagram protocol (UDP) message sent to Mozi bots. The update acted as a kill switch, replacing the malware with a copy of itself and disabling certain services and access to ports. It is speculated that the original authors of Mozi were responsible for this kill switch, but there are also theories that they may have been coerced into doing so by Chinese law enforcement.

Overall, Mozi wasn’t considered a significant threat: despite the large volume of internet traffic it generated, basic security measures were enough to protect against it. Interestingly, the kill switch has made host devices more resilient to future malware infections by hardening the device and implementing strict firewall rules.
