Security researchers observed ‘deliberate’ takedown of notorious Mozi botnet
Security researchers say they have observed what they believe is a takedown of the notorious Mozi botnet that infiltrated more than a million Internet of Things devices worldwide.
Mozi is a peer-to-peer Internet of Things botnet that abuses weak Telnet passwords and known vulnerabilities to hijack home routers and digital video recorders. The botnet, first discovered in 2019 by 360 Netlab, uses masses of these hijacked devices for DDoS attacks, payload execution, and data exfiltration. Mozi has infected more than 1.5 million devices since 2019, with the majority — at least 830,000 devices — located in China.
Microsoft warned in August 2021 that Mozi had evolved to achieve persistence on network gateways manufactured by Netgear, Huawei, and ZTE by adapting its persistence mechanisms. That same month, 360 Netlab announced that it had assisted in a Chinese law enforcement operation to arrest the authors of Mozi.
ESET, which launched an investigation into Mozi a month prior to these arrests, said it observed a dramatic drop in Mozi’s activity in August this year.
The slump in activity was caused by an update to Mozi bots — devices infected by Mozi malware — that stripped them of their functionality, according to ESET, which said it was able to identify and analyze the kill switch that caused Mozi’s demise. This kill switch stopped and replaced the Mozi malware, disabled some system services, executed certain router and device configuration commands, and disabled access to various ports.
ESET says its analysis of the kill switch, which showed a strong connection between the botnet’s original source code and recently used binaries, indicates a ‘deliberate and calculated takedown.’ The researchers say that this suggests the takedown was likely carried out by the original Mozi botnet creator or Chinese law enforcement, perhaps enlisting or forcing the cooperation of the botnet operators.
Bešina added that ESET’s analysis of the kill switch updates showed that it must have been compiled from the same base source code. ‘The new kill switch update is just a “stripped down” version of the original Mozi,’ said Bešina.
The apparent takedown of Mozi comes weeks after the FBI dismantled the Qakbot botnet, a banking trojan that became notorious for providing an initial foothold on a victim’s network, which other criminals then bought in order to deliver their own malware.