US Charges Three Men with Creating and Running First-Ever Mirai Botnet

Three men have pleaded guilty for their role in the creation of the Mirai malware and the use of the subsequent Mirai botnet to launch DDoS attacks on multiple targets across the Internet, according to documents unsealed today by the US Department of Justice (DOJ).

The three men named in court documents are Paras Jha, Josiah White, and Dalton Norman.
Feds identify creators of Mirai malware

US authorities claim the three collaborated to create Mirai, a malware strain that targets smart devices and networking equipment running Linux-based operating systems.

The malware would use a Telnet scanner to identify devices exposed online and would use a combination of exploits and default credentials to infect unsecured equipment and add it to a massive botnet.

The FBI, which spearheaded the investigation, says this botnet reached a massive size of over 300,000 devices, most of which where DVRs, security cameras, and routers.

Work on Mirai started around August 2016. Security researchers spotted Mirai the very same month.

According to the plea agreements, White created Mirai’s Telnet scanner, Jha the botnet’s core infrastructure and the malware’s remote control features, while Norman developed new exploits.
Original Mirai botnet advertised as a DDoS-for-hire service

All three advertised the botnet on hacking forums, as a DDoS-for-hire service, but Jha appears also to have used the botnet himself in an attempt to extort a hosting company.

This for-rent model also makes it difficult to attribute DDoS attacks carried out with Mirai in its early days, more specifically those against the blog of infosec reporter Brian Krebs, French hosting provider OVH, and managed DNS provider Dyn.

All were carried out with the original Mirai botnet and made Mirai a household name. While a DDoS attack against OVH reached a massive 1.1 Tbps, the DDoS attack against Dyn was by far the one that made Mirai famous, as it took out an estimated quarter of all Internet sites.

Following this attack, Jha —who operated under the online pseudonym of Anna-senpai— released the malware’s source code online, and other malware developers have used it to create countless of clones since then, such as the most recent variant, called Satori. Jha presumably hoped to hide Mirai’s tracks from investigators because of the countless of new clones.

Court documents, available here, also say the three used the Mirai botnet to relay regular traffic for click-fraud malware that surreptitiously clicked on ads, creating illicit profits for operators, some of which ended up in Jha, White, and Norman’s pockets. In addition, Jha pleaded guilty for carrying out multiple DDoS attacks against his alma mater Rutgers University between November 2014 and September 2016, even before creating Mirai.
Krebs investigation confirmed

Documents unsealed today also confirm an investigation carried out by Brian Krebs into the people responsible for the DDoS attack on his site, during which he named Jha and White as two possible culprits for creating Mirai.

Jha was previously questioned by the FBI in January 2017. According to docket information, US authorities charged the three in May 2017.
December 13, 2017