In late September, ESET identified a kill switch that had been used to take down the botnet. The kill switch involved a control payload instructing bots to download and install an update over HTTP.
The update ensures that while the malware remains on systems, it no longer performs its malicious routines. Actions initiated by the kill switch include killing the parent process associated with the Mozi malware, disabling some system services, executing router and other device configuration commands, and disabling access to certain ports.
“Our analysis of the kill switch shows a strong connection between the botnet’s original source code and recently used binaries, and also the use of the correct private keys to sign the control payload,” ESET noted.
The company’s theory is that the takedown of the Mozi botnet was deliberately initiated by its creators, with Chinese law enforcement possibly forcing them to cooperate.
“The demise of one of the most prolific IoT botnets is a fascinating case of cyberforensics, providing us with intriguing technical information on how such botnets in the wild are created, operated, and dismantled,” ESET said.
Related: Qakbot Hackers Continue to Push Malware After Takedown Attempt
Related: US Announces Takedown of Card-Checking Service, Charges Against Russian Operator
Related: Takedown of GitHub Repositories Disrupts RedLine Malware Operations
