Mozi bot activity came to a sudden halt in August, and on September 27, 2023, an unidentified individual delivered a payload that triggered a kill-switch, effectively disabling all the associated bots.
Mozi, a notorious DDoS botnet malware that emerged in 2019, primarily focuses on compromising IoT devices, including routers, digital video recorders, and various other internet-connected appliances.
The malware exploited well-known vulnerabilities and easily guessed default passwords to compromise devices and enlist them in a decentralized peer-to-peer network in which the bots communicate over BitTorrent’s DHT protocol.
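Because the bots locate each other over BitTorrent's DHT, KRPC messages leaving devices that have no reason to run BitTorrent (routers, DVRs, cameras) are a useful hunting signal. The following is an added example, not code from the article or from ESET: a minimal bencode decoder plus a check that flags DHT queries sourced from a hypothetical IoT inventory, run over constructed UDP payloads.

```python
# Added example: flag BitTorrent DHT (KRPC) traffic from IoT hosts.
# The inventory and packets below are constructed for the demo.

def bdecode(data: bytes, pos: int = 0):
    """Decode one bencoded value at pos; return (value, next_pos)."""
    c = data[pos:pos + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list or dictionary
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        if c == b"l":
            return items, pos + 1
        return dict(zip(items[0::2], items[1::2])), pos + 1
    colon = data.index(b":", pos)                  # byte string: <len>:<bytes>
    length = int(data[pos:colon])
    return data[colon + 1:colon + 1 + length], colon + 1 + length


def is_krpc(payload: bytes) -> bool:
    """True if payload parses as a KRPC message (DHT query, response or error)."""
    try:
        msg, end = bdecode(payload)
    except (ValueError, IndexError):
        return False
    return (end == len(payload) and isinstance(msg, dict)
            and b"t" in msg and msg.get(b"y") in (b"q", b"r", b"e"))


IOT_HOSTS = {"192.0.2.10": "router", "192.0.2.20": "dvr"}   # constructed inventory

def suspicious_dht_peers(packets):
    """packets: iterable of (src_ip, udp_payload); returns flagged (ip, role, query)."""
    hits = []
    for src, payload in packets:
        if src in IOT_HOSTS and is_krpc(payload):
            msg, _ = bdecode(payload)
            hits.append((src, IOT_HOSTS[src], msg.get(b"q", b"").decode(errors="replace")))
    return hits

# Constructed traffic: a DHT ping and find_node from the DVR, a non-DHT UDP
# datagram from the router, and a DHT ping from a laptop outside the inventory.
SAMPLE = [
    ("192.0.2.20", b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"),
    ("192.0.2.20", b"d1:ad2:id20:" + b"B" * 20 + b"6:target20:" + b"C" * 20 + b"e1:q9:find_node1:t2:ab1:y1:qe"),
    ("192.0.2.10", b"\x12\x34\x01\x00\x00\x01"),
    ("198.51.100.5", b"d1:ad2:id20:" + b"D" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"),
]
```

Only the two DVR packets are flagged; the laptop's DHT ping is legitimate BitTorrent use and the router's datagram is not bencoded at all.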
On September 27, 2023, a series of eight UDP messages was sent to all Mozi bots, instructing them to start an HTTP-based update. The update performed the following actions:
- Termination of the Mozi malware operation.
- Deactivation of select system services, including sshd and dropbear.
- Replacement of the Mozi file.
- Execution of device configuration commands.
- Restriction of access to multiple ports.
- Establishment of persistence for the new file.
The decision of the individual behind the kill-switch to retain persistence for the new payload, which could also transmit signals to a remote server for monitoring purposes, suggests a deliberate form of control.
ESET’s code analysis revealed striking resemblances between the original Mozi code and the binaries used to counter it, which even included the correct private keys for signing the payload. This suggests that either the botnet’s original creators or Chinese law enforcement were involved in the shutdown, though at present this detail remains unresolved.
While it’s great to have dismantled a major botnet, numerous malicious DDoS botnets continue to scan the web for vulnerable IoT devices daily. Consequently, users should prioritize device updates, employ robust passwords, and isolate them from critical networks.
Mozi Malware Mitigation
To safeguard against the Mozi malware botnet, follow these key points:
- Keep your software up to date: Regularly update and install the latest software patches. Outdated software can be vulnerable to exploitation by malware authors.
- Check and update operating systems: Ensure your operating systems are up to date, as this can help prevent vulnerabilities from being exploited by malicious actors.
- Maintain network applications: Regularly update your network applications to enhance security and reduce the risk of intrusion.
In addition, user awareness is vital for defense against the Mozi malware botnet. Consider the following:
- User education: Educate users about common tactics employed by malicious hackers to infiltrate systems. Encourage them to refrain from downloading unfamiliar files and avoid interactions with strangers online.
- Caution with emails: Advise users to exercise caution when dealing with email attachments and links, as these could potentially harbor malware.