2 November 2023

A ‘kill switch’ shuts down notorious Mozi IoT botnet

ESET researchers said they found a ‘kill switch’ that unexpectedly shut down one of the major cyber threats out there: the Mozi malware botnet.

First discovered in 2019, Mozi is a P2P botnet that uses the DHT protocol. The botnet malware spreads by abusing weak Telnet passwords and known exploits targeting IoT devices. The botnet is able to launch Distributed Denial-of-Service (DDoS) attacks, execute payloads, steal data, and run system commands. At its peak, Mozi accounted for over 1.5 million infected devices.

In August 2023, the researchers noticed a significant decrease in the botnet’s activity first in India and then in China. A further investigation led to the discovery of a kill switch on September 27.

“We spotted the control payload (configuration file) inside a user datagram protocol (UDP) message that was missing the typical encapsulation of BitTorrent’s distributed sloppy hash table (BT-DHT) protocol. The person behind the takedown sent the control payload eight times, each time instructing the bot to download and install an update of itself via HTTP,” ESET said.
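The detail that made the control payload stand out was its framing: a BT-DHT (KRPC) message is a bencoded dictionary with a transaction id and a message type, while the payload arrived in a bare UDP message without that envelope. The following is an added example, not code from ESET or from the article, showing how a defender can test whether a UDP datagram is a well-formed BT-DHT message; the sample datagrams are constructed for illustration and do not reproduce any real Mozi traffic.

```python
"""Classify UDP datagrams as BT-DHT (KRPC) messages or not.

A BT-DHT message is a bencoded dictionary with a transaction id 't' and a
message type 'y' in {'q', 'r', 'e'}. Anything else on a DHT port, including
a bencoded dict without that framing, is flagged as 'non-dht' so it can be
inspected. All sample datagrams here are constructed, not captured traffic.
"""
from typing import Any, Dict, Tuple


def bdecode(data: bytes) -> Any:
    """Decode one bencoded value; raise ValueError on malformed input."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def _decode(data: bytes, i: int) -> Tuple[Any, int]:
    if i >= len(data):
        raise ValueError("unexpected end of data")
    c = data[i:i + 1]
    if c == b"i":                       # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                       # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = _decode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                       # dict: d<key><value>...e
        result, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = _decode(data, i)
            if not isinstance(key, bytes):
                raise ValueError("dictionary key must be a byte string")
            result[key], i = _decode(data, i)
        return result, i + 1
    if c.isdigit():                     # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        length = int(data[i:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("string length exceeds data")
        return data[start:start + length], start + length
    raise ValueError(f"invalid bencode prefix at offset {i}")


def is_bt_dht_message(datagram: bytes) -> bool:
    """True only if the datagram is a bencoded dict with KRPC framing."""
    try:
        msg = bdecode(datagram)
    except (ValueError, IndexError):
        return False
    if not isinstance(msg, dict) or not isinstance(msg.get(b"t"), bytes):
        return False
    kind = msg.get(b"y")
    if kind == b"q":                    # query: needs method name and arguments
        return isinstance(msg.get(b"q"), bytes) and isinstance(msg.get(b"a"), dict)
    if kind == b"r":                    # response: needs a return-value dict
        return isinstance(msg.get(b"r"), dict)
    if kind == b"e":                    # error: needs [code, message] list
        return isinstance(msg.get(b"e"), list)
    return False


# Constructed sample datagrams (hypothetical; .invalid is a reserved TLD).
SAMPLES: Dict[str, bytes] = {
    "dht_ping_query": b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe",
    "dht_response": b"d1:rd2:id20:" + b"B" * 20 + b"e1:t2:aa1:y1:re",
    "bare_payload": b"[cfg]url=http://x.invalid/u;cmd=upgrade",
    "bencoded_but_not_dht": b"d3:cmd7:upgrade3:url18:http://x.invalid/ue",
}


def classify(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Return {name: 'dht' | 'non-dht'} for each datagram."""
    return {name: ("dht" if is_bt_dht_message(d) else "non-dht")
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:22s} {verdict}")
```

Run against traffic to or from a device's DHT port, the `non-dht` verdicts are the datagrams worth a closer look; the check is deliberately strict about KRPC framing rather than accepting any bencoded blob, since the article's point is that the payload lacked that encapsulation.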

The update was malicious code that shut down the original Mozi malware, disabled some system services, replaced the original Mozi file with itself, executed some router/device configuration commands, disabled access to various ports, and established the same foothold as the replaced original Mozi file.

ESET identified two versions of the control payload, with the latest one functioning as an envelope containing the first one with minor modifications, such as adding a function to ping a remote server, probably meant for statistical purposes. The control payload was sent eight times, each time targeting a different region.

However, the persistence the Mozi bots have maintained, the strong connection between the botnet’s original source code and the recently used binaries, and the use of the correct private keys to sign the control payload all indicate a deliberate and calculated takedown.

The researchers theorize that Mozi’s takedown was orchestrated either by its creators or by Chinese law enforcement forcing the cooperation of the botnet’s operators.

“The sequential targeting of bots in India and then in China suggests that the takedown was carried out deliberately, with one country targeted first and the other a week later,” ESET noted.
