The Mozi botnet is slowly dying: who is responsible for dismantling the vast malicious network

Carding 4 Carders

ESET researchers have revealed a secret weapon against malware.

ESET cybersecurity experts have reported what they believe is the "targeted" destruction of the Mozi botnet, which compromised more than a million Internet of Things (IoT) devices worldwide.

Mozi, identified in 2019 by 360 Netlab, is a botnet that uses weak telnet passwords and known vulnerabilities to hijack home routers and DVRs. Using these hijacked devices, the botnet carried out DDoS attacks, injected malware, and exfiltrated data. Since its discovery, Mozi has infected more than 1.5 million devices, most of which, at least 830,000, are located in China.

In August 2021, Microsoft warned that Mozi had evolved, achieving persistence on network gateways manufactured by Netgear, Huawei and ZTE. In the same month, 360 Netlab reported that it had assisted Chinese law enforcement agencies in an operation to arrest the creators of Mozi.

ESET, which started investigating Mozi a month before these arrests, noticed a sharp decline in botnet activity in August of this year.

Ivan Beshina, a senior malware researcher at ESET, reported monitoring approximately 1,200 unique devices per day around the world prior to this event. "We saw 200,000 unique devices in the first half of this year and 40,000 in July 2023," Beshina said. After the takedown of the Mozi infrastructure, the ESET monitoring tool reportedly recorded no more than 100 unique devices per day.

This decrease in activity was first seen in India, then in China, which together account for 90% of all infected devices in the world, Beshina added. Russia ranks third in the number of infected devices, followed by Thailand and South Korea.

The decline in activity was caused by an update pushed to the Mozi bots, which stripped them of their functionality. ESET reports that an analysis of the update revealed a direct link between the botnet's original source code and the recently distributed binaries, indicating a "targeted and calculated destruction."

Researchers believe that the deactivation was most likely carried out either by the creators of Mozi themselves or by Chinese law enforcement agencies, possibly by compelling the botnet operators to cooperate.

"The most important proof is that this update was signed with the correct private key. Without this, infected devices would not have accepted and applied this update," Beshina said.

"According to our data, only the original Mozi operators had access to this private signature key. The only other party that could have obtained this private key is the Chinese law enforcement agency, which caught the Mozi operators in July 2021."

Beshina added that analysis of the updates carrying the kill-switch functionality showed that they must have been compiled from the same underlying source code base. "The new update with the disable feature is just a 'simplified' version of the original Mozi," Beshina said.

The alleged destruction of Mozi comes a few weeks after the FBI dismantled the notorious Qakbot botnet, a Trojan known for providing initial access to victims' networks to other criminals who bought that access and deployed their own malware.