Botnets are one of the invisible forces that have greatly affected our daily life. Being able to disrupt access to servers, applications and in some cases shutting down access to entire countries on the internet, botnets have become a true threat to the internet infrastructure.
by Felix Morrison
A botnet is a collection of infected devices that can be used to knock a target off the internet. The most common infections occur on security cameras and wireless routers, where default settings and passwords are exploited to gain access and replicate throughout a network. By using this army of zombie-like devices, a botnet master can send enormous amounts of junk traffic to any website in order to create what is called a Distributed Denial of Service (DDoS) attack.
Internet of Things (IoT) devices such as webcams and routers are ubiquitous in our everyday life and one would never suspect how easily they can be infected.
Using malicious code known as worms, which self-replicate and propagate to any connected device in the network, hackers gain control of these devices with the intention of turning a profit: holding websites hostage and taking down competitors, all while advertising their services on online hacking forums.
This led to the creation of groups dedicated to offering DDoS mitigation and protection, as well as a rise in new services called stressers or booters, which are simply names for DDoS attacks for hire.
Unfortunately, employees and people at home alike ignore basic safety measures such as setting a new password on freshly installed devices.
The Rise of the Mirai Botnet
The phenomenon called the Mirai botnet was relatively unknown to the general public until they finally felt its effects. In September 2016, Dyn, a company handling services such as DNS resolution (translating domain names into IP addresses), suffered what is now perhaps the biggest DDoS attack in history. This affected major websites such as PayPal and Amazon for most of North America and parts of Europe.
Just for perspective: previous DDoS attacks had been in the range of around 10 to 20 gigabits per second. This one was a whopping 1.2 terabits per second. Many botnets and DDoS attacks had existed before, but the scale was absolutely unprecedented, enough to make many experts suspect that a nation-state such as Russia was behind the attacks.
Mirai was the creation of Paras Jha, Josiah White and Dalton Norman, three young men from the US who set out to dominate the DDoS mitigation industry with their company Protraf Solutions LLC.
This was not the first time that a so-called mitigation company was behind DDoS attacks against its potential customers in an attempt to win them over by fixing the issue. The difference was that they managed to put together an array of techniques and methods that worked like no other. The collective knowledge and experience of this trio helped them combine new and old methods to create a novel piece of malware.
Jha and White realized that they could turn a better profit by offering DDoS protection to Minecraft servers rather than trying to run their own servers.
The Minecraft online game has no set goal and invites its players to explore, mine, craft and build using a pixel block environment.
Jha was responsible for most of the code; White, also suspected to be the author of a previous botnet called Qbot, excelled at designing a scanner that probed the internet for potential devices to infect; Norman came into the picture later, programming a click-fraud scam that used all the infected devices in the botnet. Jha was also reaching out to the hacker community on hacking forums using the Anna Senpai moniker.
Though smart and savvy, their need for attention, revenge and personal satisfaction would end up coming back to haunt them.
Mirai started a unique trend in malware: once it has infected a device, it also scans for any other known infections and patches the vulnerabilities they used, effectively securing total control of the device.
This led to the growth of an army of enslaved computers that would end up causing the biggest internet outages in history.
The downfall of Jha, White and Norman would begin after their desire for revenge took them too far. The trio would attack competitors, potential customers and enemies just for the thrill of it.
But after taking down the website of security researcher Brian Krebs (with a record attack measured in the 1 Tbps range), they quickly became a target for law enforcement agencies and security experts all around the world.
After four months of investigation, Krebs was able to put together enough information to surmise that the person behind the Anna Senpai moniker was in fact one of the founders of Protraf Solutions LLC: Paras Jha.
In an attempt to confuse the investigators, the Mirai botnet team decided to release their code for free on hacking forums. This created a terrible wave of copycat attacks that culminated in the strike on Dyn.
By cross-referencing all the emails, phone numbers and personal information related to the botnet, the FBI was able to connect the dots and arrest Jha, White and Norman, finally putting an end to the creators of Mirai. After their capture they cooperated with the authorities in order to get some leniency from the court. They were sentenced to six months of home confinement and a fine of $8.6 million.
These young pranksters were able to poke holes in the very core of the inner workings of something we take for granted every day. The next time you send an email or watch a video on YouTube, remember how fragile this virtual environment is, and how much our daily lives are impacted when it shuts down.
Paras Jha landed a gig with an unnamed security firm, so the future looks bright for Anna Senpai.
How a Minecraft dorm room scam brought down the Internet – Wired Magazine
Understanding the Mirai Botnet – USENIX Conference
Who is Anna Senpai? The Mirai Worm Author – Brian Krebs