The Mozi botnet is now a shell of its former self, thanks to a de facto kill switch triggered in August.

Active since September 2019, Mozi is a peer-to-peer (P2P) botnet that enables distributed denial-of-service (DDoS) attacks, as well as data exfiltration and payload execution. It infects Internet of Things (IoT) devices — using network gateways, for example, as an inroad for more powerful compromises — and its source code has roots in other IoT-based botnets, including Mirai, Gafgyt, and IoT Reaper.

Once the most prolific botnet in the world, Mozi has now all but shut down. In a blog post published Nov. 1, researchers from ESET speculated that the creators, or possibly the Chinese government, were responsible for distributing an update which killed its ability to connect to the outside world, leaving only a small fraction of working bots standing.

Mozi is a P2P botnet that uses the Distributed Hash Table (DHT) protocol to communicate and coordinate with other bots. DHT is a decentralized system that allows nodes to store and retrieve data without relying on a central server. Mozi uses DHT to form a network overlay that is resilient to disruption and censorship. Each bot acts as both a client and a server, sending and receiving commands, payloads, and configuration files.
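One practical consequence of the DHT design is that an infected device talks DHT, which is not something a camera or DVR normally does. The following is an added example, not code from the article or from ESET, of recognising that traffic: it assumes the BitTorrent flavour of DHT, in which nodes exchange bencoded KRPC messages over UDP (the article only says "DHT" and names no flavour). The datagrams are constructed, not captured from a real bot.

```python
"""Added example (not from the article or ESET): spot DHT chatter from IoT hosts.

Assumes BitTorrent DHT, where nodes exchange bencoded KRPC messages over UDP;
the article does not say which DHT Mozi uses. Datagrams below are constructed.
"""
from collections import defaultdict


def bdecode(data):
    """Decode a bencoded byte string. Returns (value, bytes consumed)."""

    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                      # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                      # list: l<items>e
            i += 1
            items = []
            while data[i:i + 1] != b"e":
                value, i = parse(i)
                items.append(value)
            return items, i + 1
        if c == b"d":                      # dict: d<key><value>...e
            i += 1
            items = {}
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                value, i = parse(i)
                items[key] = value
            return items, i + 1
        if c.isdigit():                    # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            length = int(data[i:colon])
            start = colon + 1
            if start + length > len(data):
                raise ValueError("truncated string")
            return data[start:start + length], start + length
        raise ValueError(f"bad bencode at offset {i}")

    return parse(0)


KRPC_QUERIES = {b"ping", b"find_node", b"get_peers", b"announce_peer"}


def _hexid(value):
    return value.hex() if isinstance(value, bytes) else ""


def classify_krpc(payload):
    """Describe a UDP payload as a KRPC query/response/error, or None if it is not KRPC."""
    try:
        msg, consumed = bdecode(payload)
    except (ValueError, IndexError, RecursionError):
        return None
    if consumed != len(payload) or not isinstance(msg, dict):
        return None
    kind = msg.get(b"y")
    if b"t" not in msg or kind not in (b"q", b"r", b"e"):
        return None
    if kind == b"q":
        method, args = msg.get(b"q"), msg.get(b"a")
        if method not in KRPC_QUERIES or not isinstance(args, dict):
            return None
        return {"type": "query", "method": method.decode(), "node_id": _hexid(args.get(b"id"))}
    if kind == b"r":
        reply = msg.get(b"r")
        if not isinstance(reply, dict):
            return None
        nodes = reply.get(b"nodes", b"")       # compact node info, 26 bytes per node
        node_count = len(nodes) // 26 if isinstance(nodes, bytes) else 0
        return {"type": "response", "node_id": _hexid(reply.get(b"id")), "node_count": node_count}
    return {"type": "error"}


def dht_talkers(datagrams):
    """Count KRPC messages per source address over (src_ip, payload) pairs."""
    counts = defaultdict(int)
    for src, payload in datagrams:
        if classify_krpc(payload) is not None:
            counts[src] += 1
    return dict(counts)


# Constructed samples: a find_node query, a response carrying one node, and plain HTTP.
FIND_NODE_QUERY = (b"d1:ad2:id20:" + b"A" * 20 + b"6:target20:" + b"B" * 20
                   + b"e1:q9:find_node1:t2:aa1:y1:qe")
NODES_RESPONSE = (b"d1:rd2:id20:" + b"C" * 20 + b"5:nodes26:" + b"D" * 26
                  + b"e1:t2:aa1:y1:re")
SAMPLE_DATAGRAMS = [
    ("192.168.1.50", FIND_NODE_QUERY),   # hypothetical IP camera on the IoT VLAN
    ("192.168.1.50", NODES_RESPONSE),
    ("192.168.1.10", b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    print(dht_talkers(SAMPLE_DATAGRAMS))
```

On a segmented IoT network, any source that shows up in `dht_talkers` deserves a look, since nothing on that segment should be a DHT peer; the per-message classification also tells you whether the device is only probing (`find_node`) or actively being handed peers.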

Mozi spreads by exploiting weak telnet passwords and known vulnerabilities in IoT devices, such as routers, DVRs, IP cameras, and smart TVs. It scans the internet for potential targets and attempts to brute-force the login credentials or exploit the flaws. Once it gains access, it downloads and executes a malicious binary file that installs the Mozi malware and deletes itself. The infected device then joins the botnet and starts scanning for new victims.
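The telnet brute-forcing described above leaves a clear trace on the victim side. As an added example (not from the article or ESET), here is a small detector run over constructed telnet daemon log lines: it flags a source that accumulates a threshold of failed logins inside a sliding time window, and separately flags a successful login from a source already flagged, which is the event that actually matters. The log format, process name and addresses are assumptions.

```python
"""Added example (not from the article or ESET): telnet brute-force detection.

Log format below is a constructed syslog-style line from a hypothetical
'telnetd'; real devices differ, so adjust LOG_RE to your own format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>failed|succeeded) "
    r"for '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)

# Constructed sample: one fast credential-guessing burst that ends in a success,
# one legitimate user who mistypes twice, and one slow trickle under the threshold.
SAMPLE_LOG = [
    "2021-08-14T02:11:03Z telnetd[412]: login failed for 'root' from 203.0.113.7",
    "2021-08-14T02:11:05Z telnetd[412]: login failed for 'admin' from 203.0.113.7",
    "2021-08-14T02:11:06Z telnetd[413]: login failed for 'guest' from 198.51.100.20",
    "2021-08-14T02:11:08Z telnetd[412]: login failed for 'default' from 203.0.113.7",
    "2021-08-14T02:11:11Z telnetd[412]: login failed for 'user' from 203.0.113.7",
    "2021-08-14T02:11:14Z telnetd[412]: login failed for 'support' from 203.0.113.7",
    "2021-08-14T02:11:20Z telnetd[413]: login succeeded for 'admin' from 198.51.100.20",
    "2021-08-14T02:11:22Z telnetd[412]: login succeeded for 'admin' from 203.0.113.7",
    "2021-08-14T02:12:00Z telnetd[414]: login failed for 'root' from 192.0.2.5",
    "2021-08-14T02:13:30Z telnetd[414]: login failed for 'root' from 192.0.2.5",
    "2021-08-14T02:15:00Z telnetd[414]: login failed for 'root' from 192.0.2.5",
    "2021-08-14T02:16:30Z telnetd[414]: login failed for 'root' from 192.0.2.5",
    "2021-08-14T02:18:00Z telnetd[414]: login failed for 'root' from 192.0.2.5",
]


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return (kind, src, ts) alerts.

    'bruteforce' fires once when a source reaches `threshold` failures within
    `window_s` seconds; 'success_after_bruteforce' fires on any later success
    from that source. Lines are assumed to be in chronological order.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "failed":
            window = failures[src]
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > window_s:
                window.popleft()          # drop failures outside the window
            if len(window) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, ts))
        elif src in flagged:
            alerts.append(("success_after_bruteforce", src, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(*alert)
```

The sliding window is what keeps the slow trickle from `192.0.2.5` below the threshold while still catching the burst; tune `threshold` and `window_s` to the device's real login rate, and treat a `success_after_bruteforce` alert as a compromised device rather than a noisy one.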

Mozi also uses a domain generation algorithm (DGA) to create a list of fallback domains that can be used to download the malware in case the direct download fails. The DGA is based on the current date and a seed value that is hardcoded in the malware. The domains are registered by the botnet operators and point to malicious servers that host the malware.
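The defensive value of a date-seeded DGA is that, once the algorithm and seed are recovered from a sample, the domains for any day can be computed ahead of time and blocked or sinkholed before the bots ask for them. The following added example, not code from the article, ESET or the malware, shows that workflow with a hypothetical DGA: the hashing scheme, seed value, TLD list and DNS log format are all assumptions, since the article does not describe Mozi's actual algorithm.

```python
"""Added example (not from the article, ESET or the malware): precomputing a
date-seeded DGA's domains and matching DNS logs against them.

The DGA itself is hypothetical; SEED is a placeholder for the value that would
be recovered from a real sample. DNS log lines are constructed.
"""
import hashlib
from datetime import date, timedelta

SEED = b"placeholder-seed"        # hypothetical; not Mozi's real seed
TLDS = ["com", "net", "org"]      # hypothetical TLD choice


def dga_domains(day, seed=SEED, count=4):
    """Hypothetical DGA: derive `count` deterministic domains for one calendar day."""
    domains = []
    for n in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([n])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def build_blocklist(today, days_ahead=3):
    """Domains for yesterday (clock skew) through `days_ahead` days out, for pre-emptive blocking."""
    names = set()
    for offset in range(-1, days_ahead + 1):
        names.update(dga_domains(today + timedelta(days=offset)))
    return names


def find_dga_lookups(dns_log_lines, blocklist):
    """Match constructed DNS query log lines of the form '<ts> <client> <qname>' against the blocklist."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        qname = qname.lower().rstrip(".")
        if qname in blocklist:
            hits.append((client, qname))
    return hits


DAY = date(2021, 8, 14)

# Constructed resolver log: one host asks for a current DGA domain, others are benign.
SAMPLE_DNS_LOG = [
    "2021-08-14T03:00:01Z 10.0.0.12 time.example.net.",
    f"2021-08-14T03:00:04Z 10.0.0.23 {dga_domains(DAY)[0]}.",
    "2021-08-14T03:00:09Z 10.0.0.12 firmware.example.com.",
    "malformed line",
]

if __name__ == "__main__":
    blocklist = build_blocklist(DAY)
    print(sorted(blocklist))
    print(find_dga_lookups(SAMPLE_DNS_LOG, blocklist))
```

Because the generator is deterministic, `build_blocklist` can be fed straight into a resolver's response-policy zone or a sinkhole; including the previous day covers devices whose clocks drift. The same matching function then turns ordinary DNS query logs into a list of infected clients.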

Security Implications and Risks

Mozi poses a serious threat to the security and privacy of IoT devices and their users. The botnet can be used to launch DDoS attacks against any target, such as websites, servers, or networks, by flooding them with traffic and overwhelming their resources. Mozi can also perform data exfiltration, which means stealing sensitive information from the infected devices, such as credentials, personal data, or network configuration. Moreover, Mozi can execute arbitrary payloads on the devices, which can allow the attackers to install additional malware, spyware, ransomware, or crypto-miners.

Mozi can also compromise the security of the entire network that the IoT devices are connected to. For example, Mozi can use the network gateways as a bridgehead to access the internal network and perform lateral movement, reconnaissance, or escalation of privileges. Mozi can also manipulate the network traffic by performing man-in-the-middle (MITM) attacks, such as HTTP hijacking or DNS spoofing, to redirect the users to malicious websites or servers.

How It Was Taken Down and by Whom

Mozi was taken down by a mysterious kill switch that was activated in August 2021. The kill switch was a control payload that was sent to the bots via the DHT network. The payload instructed the bots to stop the Mozi malware, disable some system services, replace the original application file, reorder some router/device configuration commands, and disable access to various ports. The payload also contained some code snippets that were similar to the original Mozi malware, and it was signed with the correct private keys that only the botnet operators or someone who compromised them would have.

The identity and motive of the person or entity behind the kill switch are unknown, but there are two main theories. One theory is that the original Mozi botnet creator or creators decided to shut down the botnet for some reason, such as fear of being caught, loss of interest, or internal conflict. Another theory is that Chinese law enforcement, perhaps with the cooperation or coercion of the original actors, carried out the takedown as part of a crackdown on cybercrime in China. The sequential targeting of India and then China, the two countries with the most Mozi infections, suggests that the takedown was deliberate and planned.