A very strange affair: the mystery of the Mozi botnet's kill switch


It was one of the largest botnets, with more than 1.5 million infected machines. But the Mozi malware, which exploited vulnerabilities in hundreds of thousands of Internet of Things devices such as cameras and routers, quietly bowed out at the end of the summer.

While the disappearance of a botnet is hardly shocking in itself, this one caught the attention of researchers at the security vendor Eset, who lay it out in an informative article. Because an intriguing mystery hangs over Mozi's final curtain.

Appeared in 2019

First seen in September 2019, the malware relied on a BitTorrent-style peer-to-peer network and spread by attacking weak passwords and about a dozen unpatched vulnerabilities, Microsoft reported. Besides being rented out for illegal denial-of-service attacks, it branched into cryptocurrency mining in 2020.

That activity continued for four years, until the summer of 2023, when malware activity suddenly dropped. At the end of September, Eset researchers identified the cause: a kill switch, delivered to the bots as an update. The update was pushed in two stages, first in India on August 8, then in China on August 16, and each wave was followed by an abrupt collapse in activity.

Signed update

Eset researchers note that the update, which disabled the malware, shut down some system services and cut off access to certain ports, carried a valid signature, so whoever issued it held the signing key used for the botnet's updates. That leaves two hypotheses about who dismantled the malware: either the botnet's own creators, or Chinese law enforcement compelling those creators to cooperate.

The second hypothesis has weight: as TechCrunch recalls, the Chinese security firm 360 Netlab reported in the summer of 2021 that it had helped bring about the arrest of Mozi's creators in China. The botnet was concentrated in China and India, which together accounted for around 90% of infected machines. A takedown of that kind would echo the dismantling of QakBot by the FBI and of Emotet by Europol.
