The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

Mirai IoT Botnet Co-Authors Plead Guilty



Three Americans admit to creating and running the powerful IoT Mirai botnet and posting the source code for it on a criminal forum in the fall of 2016.

Three defendants plead guilty last week to creating and distributing the infrastructure behind Mirai, a botnet that brought several corners of the internet to a standstill in October 2016.

The botnet was behind a series of sustained denial of service attacks that took down DNS provider Dyn, and in turn a slew of other services like Twitter, GitHub, Spotify, Reddit, the New York Times, Netflix, and Soundcloud. Mirai relied on harnessing the power of vulnerable internet of things (IoT) devices, like routers and internet-connected security cameras, to put a strain on networks. The attack is viewed by many experts as one of the worst internet outages in the history of the internet.

Paras Jha, a 21-year-old from New Jersey was indicted for his involvement in the creation of Mirai, according to court documents (.PDF) filed on Friday and unsealed on Wednesday. He was assisted by two co-conspirators Josiah White, 20, from Pennsylvania and Dalton Norman, 21, from Louisiana.

Jha plead guilty to writing and implementing the code behind Mirai, conspiring to launch DDoS attacks, running extortion schemes that threatened DDoS attacks unless victims paid, and promoting Mirai on a handful of message boards used by cybercriminals. Jha also plead guilty to setting up the infrastructure behind the botnet, hiding or destroying evidence from law enforcement, and posting Mirai’s code online, something in the words of Bryan Schroder, attorney for the U.S. District Court for the District of Alaska, created “plausible deniability if law enforcement found the code on computers controlled by Jha or his co-conspirators.”

Jha also plead guilty (.PDF) this week, on Wednesday, to an additional computer fraud charge: executing a series of attacks against servers belonging to Rutgers University.

“Jha’s attacks effectively shut down Rutgers University’s central authentication server, which maintained, among other things, the gateway portal through which staff, faculty, and students delivered assignments and assessments,” the Justice Department wrote in a press release, “At times, Jha succeeded in taking the portal offline for multi-day periods, harming Rutgers University, its faculty, and its students.”

In a separate indictment (.PDF) also filed last Friday, White plead guilty to creating a scanner that scoured the internet looking for vulnerable IoT devices, attempted to login to those devices by entering a series of login credentials, and if successful, recruited devices to join the Mirai botnet.

Norman, in addition to helping Jha and White carry out Mirai, worked to expand the size of the botnet, identifying vulnerabilities in IoT devices and developing exploits for the vulnerabilities the three eventually leveraged to enlist further devices to the botnet. Norman plead guilty to using Mirai bots to facilitate clickfraud - making it appear a user is clicking on an ad to generate revenue - something which earned him cryptocurrency valued at one point this year at over $30,000.

According to court documents the botnet managed to ensnare over 300,000 devices.

The indictments confirm suspicions raised by cybersecurity reporter Brian Krebs. Krebs identified Jha and White as potentially being behind Mirai last year after connecting them to "Anna Senpai," an alias of Jha's that leaked the malware's source code. Krebs pointed out at the time that both Jha and White co-founded ProTraf Solutions LLC, a company that helped organizations mitigate DDoS attacks.

While their code was used to takedown Dyn and services like Twitter, and Netflix, neither Jha, White, nor Norman are being charged with that attack, in which an investigation is reportedly still ongoing.

Jha and White admitted to making roughly two hundred Bitcoin through the clickfraud scam, a figure today that would be worth $3.3M. Jha agreed to forfeit 13 Bitcoin, roughly $218K USD, as restitution. White agreed to give up 33 BTC, or $555K  White and Dalton face up to five years imprisonment and a fine of up to $250,000, Jha faces up to 10 years in prison and a fine of up to $250,000.

Chris Brook

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.