Mozi botnet murder mystery: China or criminal operators behind the kill switch?

Middle Kingdom or self-immolation - there are a couple of theories

The Mozi botnet has all but disappeared according to security folks who first noticed the prolific network's slowdown and then uncovered a kill switch for the IoT system. But they still have one unanswered question: "Who killed Mozi?"

Mozi, which emerged in late 2019 and soon after accounted for an estimated 90 percent of all malicious IoT network traffic, quickly gained notoriety as it exploited vulnerabilities in hundreds of thousands of connected devices each year. 

But then this August, the criminal network's activity took "a sudden and unanticipated nosedive," according to ESET Research, which on Wednesday said its team found an activated kill switch to "put the IoT zombie botnet in its grave."

They spotted the slowdown first in India on August 8, and then in China on August 16. A little over a month later, ESET found the control payload inside a User Datagram Protocol (UDP) message that acted as the kill switch and had some interesting extra functionality.

The command stopped the Mozi malware, disabled some system services, replaced the original application file, reordered some router/device configuration commands, and disabled access to various ports.

"The person behind the takedown sent the control payload eight times, each time instructing the bot to download and install an update of itself via HTTP," ESET malware researchers Ivan Bešina, Michal Škuta, and Miloš Čermák wrote. 

Despite stripping the malware of its capabilities, Mozi bots still maintained persistence, the trio added. They also note that the kill switch code shares some code snippets with the original botnet, and whoever flipped the switch to take down Mozi used the correct private keys to sign the payload.

This all led the security shop to two theories about who is behind the IoT bot's shutdown.

"There are two potential instigators for this takedown: the original Mozi botnet creator or Chinese law enforcement, perhaps enlisting or forcing the cooperation of the original actor or actors," Bešina said in a statement.

"The sequential targeting of India and then China suggests that the takedown was carried out deliberately, with one country targeted first and the other a week later," he continued.

The team says the investigation is ongoing, and the researchers will publish a more detailed analysis in the coming months. Of course, whether the IoT zombie botnet will stay dead remains to be seen; they have a habit of returning from the grave. ®
