Somebody Just Killed the Mozi Botnet

The Mozi botnet is now a shell of its former self, thanks to a de facto kill switch triggered in August.

Active since September 2019, Mozi is a peer-to-peer (P2P) botnet that enables distributed denial-of-service (DDoS) attacks, as well as data exfiltration and payload execution. It infects Internet of Things (IoT) devices — using network gateways, for example, as an inroad for more powerful compromises — and its source code has roots in other IoT-based botnets, including Mirai, Gafgyt, and IoT Reaper.

Once the most prolific botnet in the world, Mozi has now all but shut down. In a blog post published Nov. 1, researchers from ESET speculated that the creators, or possibly the Chinese government, were responsible for distributing an update which killed its ability to connect to the outside world, leaving only a small fraction of working bots standing.

"The new kill switch update is just a 'stripped down' version of the original Mozi," explains Ivan Bešina, senior malware researcher for ESET. "It has the same persistence mechanism, and it sets up the firewall in the same way as Mozi, but it lacks all of its networking capabilities," rendering it null to future use.

Mozi's Disappearing Act

Even in its earliest days, Mozi was a force to be reckoned with. According to IBM's X-Force, from late 2019 through mid-2020, it accounted for 90% of global botnet traffic, causing a massive spike in botnet traffic overall. As recently as 2023, ESET tracked over 200,000 unique Mozi bots, though there could have been many more.

Now it's gone, even more quickly than it came.

On Aug. 8, instances of Mozi within the country of India fell off a cliff. On Aug. 16, the same thing occurred in China. Now the botnet all but doesn't exist in either country, and global instances are down to a small fraction of what they once were.

Source: ESET

On Sept. 27, researchers from ESET discovered the cause: a configuration file inside a user datagram protocol (UDP) message, sent to Mozi bots, with instructions to download and install an update.

The update was, in effect, a kill switch.

It replaced the malware with a copy of itself, and triggered a few other actions on host devices: disabling certain services, access to certain ports, and executing certain configuration commands, and establishing the same foothold on the device as the malware file it replaced.

Overlaps with its original source code, and private keys used to sign the kill switch, certainly indicated that those responsible were the original authors, but researchers also speculated whether the authors might have been coerced into killing their creation by Chinese law enforcement, which arrested them in 2021.

Is This the End of Mozi?

Despite its huge presence around the world, to Bešina, Mozi wasn't much of a threat to begin with.

"One of the problems with Mozi was that it generated substantial amounts of Internet traffic as the bots were actively attacking devices all around the world, trying to spread on their own (without operators' supervision). It clutters security logs and creates petty incidents for security analysts monitoring infrastructure. Anyone with basic security countermeasures was safe," he says.

And ironically, thanks to its kill switch, Mozi has now made its host devices even more resilient to future malware infections than they otherwise would've been.

As Bešina explains, "it hardens the device from further infection from other malware as it turns off management services like SSH server, and puts in place strict firewall rules. In this case, the persistence helps to keep this hardened configuration even after the reboot of the device, so the kill switch authors did the maximum they could to avoid reinfection with the original Mozi or another malware."