Who killed Mozi? Lastly placing the IoT zombie botnet in its grave

ESET Analysis

How ESET Analysis discovered a kill change that had been used to take down probably the most prolific botnets on the market

01 Nov 2023
 • 
,
3 min. learn

In August 2023, the infamous Mozi botnet, notorious for exploiting vulnerabilities in lots of of 1000’s of IoT units annually, skilled a sudden and unanticipated nosedive in exercise. First noticed in India on August 8^th, 2023 and per week later in China on August 16^th, this mysterious disappearance stripped Mozi bots of most of their performance.

Our investigation into this occasion led us to the invention of a kill change on September 27^th, 2023. We noticed the management payload (configuration file) inside a consumer datagram protocol (UDP) message that was lacking the everyday encapsulation of BitTorrent’s distributed sloppy hash desk (BT-DHT) protocol. The individual behind the takedown despatched the management payload eight occasions, every time instructing the bot to obtain and set up an replace of itself through HTTP.

The kill change demonstrated a number of functionalities, together with:

• killing the dad or mum course of, i.e., the unique Mozi malware,
• disabling some system companies equivalent to sshd and dropbear,
• changing the unique Mozi file with itself,
• executing some router/machine configuration instructions,
• disabling entry to numerous ports (iptables -j DROP), and
• establishing the identical foothold because the changed unique Mozi file

We recognized two variations of the management payload, with the newest one functioning as an envelope containing the primary one with minor modifications, equivalent to including a operate to ping a distant server, in all probability meant for statistical functions.

Regardless of the drastic discount in performance, Mozi bots have maintained persistence, indicating a deliberate and calculated takedown. Our evaluation of the kill change reveals a robust connection between the botnet’s unique supply code and just lately used binaries, and in addition using the right non-public keys to signal the management payload (see Determine 2).

This leads us to the speculation suggesting two potential originators of this takedown: the Mozi botnet creators, or Chinese language legislation enforcement forcing the cooperation of the creators. The sequential focusing on of bots in India after which in China means that the takedown was carried out intentionally, with one nation focused first and the opposite per week later.

The demise of probably the most prolific IoT botnets is a captivating case of cyberforensics, offering us with intriguing technical data on how such botnets within the wild are created, operated, and dismantled. We’re persevering with to analyze this case and can publish an in depth evaluation within the coming months. However for now, the query stays: Who killed Mozi?

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Analysis provides non-public APT intelligence reviews and knowledge feeds. For any inquiries about this service, go to the ESET Menace Intelligence web page.

IoCs

Recordsdata

Community

MITRE ATT&CK strategies

This desk was constructed utilizing model 13 of the MITRE ATT&CK framework.