
15 December 2017

Mirai-makers plead guilty, Hajime still lurks in shadows

Riot doesn’t go in for New Year predictions much, but we think Hajime will be a name on most security reporters’ lips at some point in 2018 – a more potent cousin of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things. Mirai itself has made the news this week, because its author has now pleaded guilty to charges brought after an FBI investigation. However, this isn’t the end for the now open-sourced Mirai.

Wired extensively covered the admission, which took place in a court in Anchorage, and profiles the interesting FBI investigation. The three accused, all Americans, have collectively confessed to unleashing Mirai on the world – but notably, not to the Mirai-powered attack on Dyn’s DNS service that crippled huge amounts of internet infrastructure. Starting from humble beginnings (it was originally written to attack rival Minecraft servers), Mirai’s spread was almost unprecedented.

Riot has been talking about Hajime for some time. It now seems less likely that Mirai was simply a warm-up for the real deal that would be Hajime, as the FBI has not discovered (or at least not disclosed) a link between the two. Even so, both botnets are going to continue to snap up unsecured IoT devices, because manufacturers are still shipping devices with hard-coded default credentials that attackers can trivially exploit.

This isn’t just a problem for the IoT. At scale, these botnets pose a threat to the wider internet and all the traffic that travels across it. In a hyperconnected world, the number of mission-critical services that depend on continuous internet connectivity means that any outage could be disastrous, and Mirai showed just how simple it could be to knock web giants like Netflix and Amazon offline.

Paras Jha (21) was the ringleader, with Dalton Norman (21) and Josiah White (20) joining him in breaching the Computer Fraud and Abuse Act (CFAA). Jha has admitted to authoring the source code, and says he released it online (open-sourcing it) to give himself plausible deniability. Norman has also admitted to working on the source code, and was additionally charged with using Mirai to power a click-fraud advertising botnet, leasing access to the infected devices so that customers could earn fraudulent advertising revenue.

White pleaded guilty to creating the scanning component of Mirai, which let it hunt down and infect vulnerable devices, to hosting the control servers, and to attacking a computer in France to obscure the botnet’s origin. Separately, Jha has also been charged over his Mirai attacks on the network of Rutgers University, his alma mater; that CFAA case could net him an additional decade in prison.
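The scanner mentioned above worked by walking through a short table of factory-default telnet logins, which is why the default-credential problem described earlier matters so much. The following is an added example, not code from the article or from Mirai itself: a small detector that parses constructed honeypot-style telnet login lines and flags sources that cycle through known default credential pairs. The log format, the source addresses and the threshold are assumptions for the demonstration; the credential pairs are a short excerpt of the table in the leaked Mirai source (the full table is much longer).

```python
import re
from collections import defaultdict

# Short excerpt of the (user, password) pairs found in the leaked Mirai scanner
# table. Assumption: this is illustrative only; the real table has ~60 entries.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("support", "support"),
    ("root", ""),  # Mirai also tries an empty password for root
    ("admin", "1234"), ("user", "user"), ("guest", "guest"),
}

# Constructed honeypot-style log lines for the demo; not real traffic and not a
# format any specific product emits. Passwords appear because honeypots log them.
SAMPLE_LOGS = [
    "2017-12-14T03:12:01Z telnet-honeypot: src=198.51.100.7 login=root/xc3511 result=fail",
    "2017-12-14T03:12:02Z telnet-honeypot: src=198.51.100.7 login=root/vizxv result=fail",
    "2017-12-14T03:12:03Z telnet-honeypot: src=198.51.100.7 login=admin/admin result=ok",
    "2017-12-14T03:12:05Z telnet-honeypot: src=203.0.113.9 login=root/xc3511 result=fail",
    "2017-12-14T03:12:06Z telnet-honeypot: src=203.0.113.9 login=root/ result=fail",
    "2017-12-14T03:12:07Z telnet-honeypot: src=203.0.113.9 login=root/toor result=fail",
    "2017-12-14T03:15:40Z telnet-honeypot: src=192.0.2.44 login=ops/s3cret-ops result=ok",
    "2017-12-14T03:16:12Z telnet-honeypot: src=192.0.2.10 login=admin/admin result=fail",
    "2017-12-14T03:16:13Z telnet-honeypot: malformed line that the parser must skip",
]

# user may not contain '/' or whitespace; password may be empty (root/ case).
LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+login=(?P<user>[^/\s]*)/(?P<pw>\S*)\s+result=(?P<res>ok|fail)"
)


def parse_line(line):
    """Return (src, user, password, success) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m.group("src"), m.group("user"), m.group("pw"), m.group("res") == "ok"


def find_scanners(lines, min_default_attempts=2):
    """Group login attempts by source address and flag Mirai-style behaviour.

    A source is flagged if it tried at least `min_default_attempts` pairs from
    DEFAULT_CREDS (the brute-force pattern) or if any default pair succeeded
    (a device that is now compromised). Non-default attempts are counted but
    do not by themselves trigger a flag, so ordinary admin logins are ignored.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "default_hits": 0, "compromised_with": None})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than crash mid-stream
        src, user, pw, ok = parsed
        rec = per_src[src]
        rec["attempts"] += 1
        if (user, pw) in DEFAULT_CREDS:
            rec["default_hits"] += 1
            if ok and rec["compromised_with"] is None:
                rec["compromised_with"] = f"{user}/{pw}"
    return {
        src: rec
        for src, rec in per_src.items()
        if rec["default_hits"] >= min_default_attempts or rec["compromised_with"] is not None
    }


if __name__ == "__main__":
    for src, rec in find_scanners(SAMPLE_LOGS).items():
        status = f"COMPROMISED via {rec['compromised_with']}" if rec["compromised_with"] else "scanning"
        print(f"{src}: {rec['default_hits']}/{rec['attempts']} default-credential attempts, {status}")
```

On the constructed sample, 198.51.100.7 is reported as compromised via admin/admin and 203.0.113.9 as scanning, while the legitimate ops login and the single failed admin/admin attempt from 192.0.2.10 are left alone. The same grouping logic applies to any telnet or SSH honeypot log once the regular expression is adapted to its format; the list to watch is whatever default pairs ship on the devices in your own estate.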

The plea deal means that the trio face up to five years’ imprisonment, and they are also giving up some (not all!) of the bitcoin they acquired in the process – Jha is handing over 13 BTC, and White 33 BTC. For those following bitcoin, the coins they acquired were valued at around $180,000 at the time of the attacks, and are now (at current estimates) worth $1,672,926.

Jha maintained a Mirai botnet of 300,000 devices, and the total number of Mirai-infected devices appears to have peaked at 600,000 concurrently. The largest attack saw French hosting firm OVH hit with a peak of 1.1 Tbps, and a follow-up attack peaked at 901 Gbps. The Jha-led Mirai botnet also competed against a rival DDoS-for-hire outfit called vDOS.

Famed security researcher Brian Krebs fingered Jha and White as the culprits back in January (a very long read, but well worth it). In a follow-up, Krebs notes that the pair were co-founders of Protraf Solutions, a DDoS mitigation specialist, and says “like firemen getting paid to put out the fires they started, Jha and White would target organizations with DDoS attacks and then either extort them for money to call off the attacks, or try to sell those companies services they claimed could uniquely help fend off the attacks.”

Krebs has first-hand experience of Mirai: his website was hit by a 620 Gbps DDoS attack, the largest that his mitigation provider Akamai had seen at the time. After the cost of that pro bono protection began affecting Akamai’s paying customers, Akamai dropped Krebs, who was then picked up by Google’s Project Shield. Since then, Krebs notes, dozens of other Mirai botnets have sprung up and have been used to target banks. Daniel ‘Bestbuy’ Kaye was prosecuted in Germany for Mirai attacks on Deutsche Telekom, and is also on trial for attacking UK banks.

As per Wired, the defendants had initially planned to use Mirai to DDoS video-game servers, selling attacks for small fees to gamers looking to knock opponents offline. Minecraft was a popular target: its popular server hosts are apparently capable of making thousands of dollars each month. An FBI investigator noted that “these kids are super smart, but they didn’t do anything high level – they just had a good idea. It’s the most successful IoT botnet we’ve ever seen – and a sign that computer crime isn’t just about desktops anymore.”

The FBI investigated Minecraft’s sometimes-shady server arms race, in which rivals pay to DDoS each other. The aforementioned OVH was a target because of its VAC tool, which offered protection against DDoS attacks: according to the FBI, attacking OVH was a means to an end, knocking VAC offline so that the trio could then target specific Minecraft servers.