This infamous botnet has been killed off - but who pulled the trigger?


A major malware botnet known as Mozi suddenly terminated its operations at the end of September, and no one seems to know exactly why.

As reported by cybersecurity researchers at ESET, from August 8 until September 27 someone was sending messages to the bots (which are nothing but infected devices belonging to people and organizations around the world) instructing them to cease operations. The bots in India were the first to fall, followed by those in China, the country where Mozi originated, BleepingComputer reports.

In the message, the bots were instructed to terminate the Mozi process, disable some system services, replace the Mozi file, execute device configuration commands, block access to different ports, and establish a foothold for the new file. 

Was it the police?

The identity of the people behind this operation remains a mystery. Law enforcement agencies around the world have done similar things in the past with other botnets, but the main difference here is that the malware persists on the bots in anticipation of a new payload.

So it could be the botnet’s creators - but it could also be Chinese law enforcement; we might never find out. 

Mozi was first spotted in 2019, when it went after IoT endpoints such as routers, digital video recorders, and other devices with limited visibility. The majority of the compromised devices had weak or default passwords and as such were easy to compromise and assimilate into the botnet. 

The network was used mostly to run distributed denial of service (DDoS) attacks, which can block access to public-facing services.

The infamous Qakbot botnet was taken down by the FBI earlier this year in the same manner. In late August this year, the FBI said it managed to redirect the botnet’s traffic to servers under its command, and used it to instruct the bots to uninstall the malware. Some 700,000 devices were freed from the clutches of the botnet almost instantly.

However, it seems as if the operators returned in October with a new phishing campaign, aimed at delivering a Remote Access Trojan (RAT) to their victims.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.