Who killed Mozi? Finally put the IoT zombie botnet to its grave

ESET Research

How ESET Research found a kill switch used to take down one of the biggest botnets out there


In August 2023, the notorious Mozi botnet, known for exploiting vulnerabilities in hundreds of thousands of IoT devices every year, experienced a sudden and unexpected drop in activity. First observed in India on August 8th, 2023 and a week later in China on August 16th, this mysterious disappearance stripped the Mozi bots of most of their functionality.

Figure 1. Sudden decline in Mozi activity worldwide (top), in India (middle), and in China (bottom)

Our investigation into this incident led us to the discovery of a kill switch on September 27th, 2023. We found a control payload (configuration file) inside a user datagram protocol (UDP) message that lacked the typical encapsulation of BitTorrent’s distributed sloppy hash table (BT-DHT) protocol. The person behind the takedown sent the control payload eight times, each time instructing the bot to download and install an update of itself via HTTP.
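The observation that the control payload arrived in a UDP message without the usual BT-DHT encapsulation suggests a simple triage check a defender can run over UDP payloads captured on a DHT port: parse each one as a bencoded KRPC message and flag anything that does not parse. The following is an added example, not ESET's or Mozi's code; the sample payloads are constructed and the real control payload is not reproduced.

```python
# Added example (not ESET's or Mozi's code): classify UDP payloads captured on a
# DHT port as well-formed BT-DHT (KRPC, bencoded) messages or as raw, non-DHT
# payloads. The samples are constructed; the real control payload is not reproduced.
import re

def _decode(buf: bytes, i: int):
    """Decode one bencoded value at offset i; return (value, offset after it)."""
    if i >= len(buf):
        raise ValueError("truncated")
    c = buf[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = buf.find(b"e", i)
        if end < 0 or not re.fullmatch(rb"-?\d+", buf[i + 1:end]):
            raise ValueError("bad integer")
        return int(buf[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list l...e or dict d...e
        items, i = [], i + 1
        while buf[i:i + 1] != b"e":                 # b"" on truncation -> recursion raises
            v, i = _decode(buf, i)
            items.append(v)
        if c == b"l":
            return items, i + 1
        keys = items[0::2]
        if len(items) % 2 or any(not isinstance(k, bytes) for k in keys):
            raise ValueError("malformed dict")
        return dict(zip(keys, items[1::2])), i + 1
    m = re.match(rb"(\d+):", buf[i:])               # byte string: <len>:<bytes>
    if not m:
        raise ValueError("bad token")
    start, n = i + m.end(), int(m.group(1))
    if start + n > len(buf):
        raise ValueError("truncated string")
    return buf[start:start + n], start + n

def classify_udp_payload(payload: bytes) -> str:
    """'dht' for a KRPC message (dict with 't' and 'y' in q/r/e), else 'non-dht'."""
    try:
        msg, end = _decode(payload, 0)
    except ValueError:
        return "non-dht"
    if end != len(payload) or not isinstance(msg, dict):
        return "non-dht"                            # trailing bytes or non-dict top level
    return "dht" if b"t" in msg and msg.get(b"y") in (b"q", b"r", b"e") else "non-dht"

# Constructed samples: a normal DHT ping query, a truncated one, and a bare blob.
SAMPLES = {
    "ping": b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe",
    "truncated": b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:pi",
    "blob": b"CONFIG-PLACEHOLDER: not a bencoded message",
}
```

Payloads classified as `non-dht` on a port that should only carry DHT traffic are the ones worth pulling for manual inspection.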

The kill switch performs several actions, including:

  • killing the parent process, i.e., the original Mozi malware,
  • disabling some system services such as sshd and dropbear,
  • replacing the original Mozi file with its own,
  • executing some router/device configuration commands,
  • disabling access to various ports (iptables -j DROP), and
  • establishing the same foothold as the replaced original Mozi file.

We identified two versions of the control payload, the later one acting as an envelope around the first with minor changes, such as an added function to ping a remote server, probably intended for statistical purposes.

Despite the drastic reduction in functionality, Mozi bots have persisted, indicating a deliberate and calculated takedown. Our analysis of the kill switch shows a strong connection between the botnet’s original source code and the recently used binaries, as well as the use of the correct private keys to sign the control payload (see Figure 2).

Figure 2. Code snippet of the original Mozi sample (left) vs kill switch sample seen in 2023 (right)

Figure 3. Control flow diagram of the original Mozi sample (left) vs kill switch sample seen in 2023 (right)

This leads us to a hypothesis with two potential originators of this takedown: the Mozi botnet creators, or Chinese law enforcement compelling the creators' cooperation. The sequential targeting of bots in India and then in China suggests the takedown was deliberate, with one country targeted first and the other a week later.

Figure 4. Mozi timeline

The demise of one of the largest IoT botnets is a fascinating case of cyberforensics, providing us with rich technical information on how such botnets in the wild are created, run, and dismantled. We are continuing to investigate this case and will publish a detailed analysis in the coming months. But for now, the question remains: Who killed Mozi?

For any questions about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any questions about this service, visit the ESET Threat Intelligence page.

IoCs

Files

| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 758BA1AB22DD37F0F9D6FD09419BFEF44F810345 | mozi.m | Linux/Mozi.A | Original Mozi bot. |
| 9DEF707F156DD4B0147FF3F5D1065AA7D9F058AA | u. 7 | Linux/Mozi.C | Mozi bot kill switch. |

Network

| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| 157.119.75(.)16 | N/A | AS135373 EFLYPRO-AS-AP EFLY NETWORK LIMITED | 2023-09-20 | Server hosting the kill switch |

MITRE ATT&CK techniques

This table was built using version 13 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Mozi kill switch operators rented a server at eflycloud.com to host the update files. Mozi kill switch operators leased multiple servers that send payloads over the BT-DHT network. |
| Initial Access | T1190 | Exploit Public-Facing Application | The Mozi kill switch operator sends an update command to Mozi clients on the BT-DHT network. |
| Persistence | T1037.004 | Boot or Logon Initialization Scripts: RC Scripts | The kill switch generates several scripts, such as /etc/rc.d/rc.local, to establish persistence. |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | The kill switch sends an ICMP ping to the operator, probably for monitoring purposes. |
| Impact | T1489 | Service Stop | The kill switch stops the SSH service and blocks access to it using iptables. |
