A ‘kill switch’ deliberately shut down notorious Mozi botnet, researchers say

Researchers have discovered a “kill switch” that supposedly put an end to the infamous Mozi botnet, which exploited vulnerabilities in hundreds of thousands of smart devices.

The first indications that something went wrong with Mozi appeared in August when the botnet's activity suddenly dropped in India and China, its largest markets.

Researchers at the cybersecurity firm ESET then discovered that Mozi's bots became nearly inactive after someone sent a payload to the infected devices, which deactivated the Mozi malware, shut some of its system services, and disabled access to various ports.

The researchers suggest that the takedown was “deliberate and calculated” and was likely executed by the creators of Mozi or Chinese law enforcement. In 2021, China arrested the creators of the botnet.

Among the evidence that the botnet shutdown was deliberate is that the update carrying the kill switch was signed with the correct private key and has a strong connection to the botnet's original source code, the researchers said.

Mozi was discovered in 2019, and since then has infected more than 1.5 million Internet of Things (IoT) devices, turning them into bots — hacked gadgets controlled by cybercriminals to carry out distributed denial-of-service (DDoS) attacks, exfiltrate data, or install other malware.

Mozi gained access to IoT devices, such as digital cameras and home routers, by exploiting weak or default login credentials.

ESET called Mozi's demise “a fascinating case of cyber forensics,” providing analysts with technical information on how such botnets are created, operated, and dismantled. However, the main question of who killed Mozi remains a mystery.