Has Krebs unmasked the creator of IoT DDoS worm Mirai?

20 Jan 2017

The Mirai botnet signals the dawn of a terrifying infosec age where thousands of machines can be marshalled to attack websites and servers. Image: Profit_Image/Shutterstock

Infosec journalist Brian Krebs has claimed to have unmasked the creator of the Mirai botnet that went on to cause the internet’s biggest meltdown by taking over vulnerable IoT devices.

Brian Krebs of Krebs on Security was the first to be hit by the Mirai botnet, which marshalled thousands of vulnerable internet of things (IoT) devices such as security cameras to launch devastating distributed denial-of-service (DDoS) attacks.

In October, Krebs was hit by a 620Gbps data tsunami that took his website offline.

The same botnet took French hosting provider OVH offline after enlisting around 145,000 IoT devices and hacking CCTV cameras to mount an attack.

At one stage, 4.5pc of Deutsche Telekom’s German customers – or 900,000 people – were forced offline in November because of the Mirai botnet.

The advent of Mirai signalled the dawn of a terrifying new age where vulnerable IoT devices could be turned into a cyber army to take down websites.

From the start, the Mirai botnet was understood to be the handiwork of a hacker known as Anna-senpai.

 Marshalling of the machines

A long and careful investigation by Krebs following the breadcrumbs left by hackers boasting of their work has led him to claim that Anna-senpai is one of the aliases of Paras Jha, founder of DDoS protection service ProTraf.

“These so-called DDoS attacks are digital sieges in which an attacker causes thousands of hacked systems to hit a target with so much junk traffic that it falls over and remains unreachable by legitimate visitors. While DDoS attacks typically target a single website or internet host, they often result in widespread collateral internet disruption,” Krebs said.

Krebs’s first clue was that Mirai was related to a family of botnet code that went under several names including Bashlite, Q-bot and Torlus. This group infected systems in a similar fashion and used infected IoT devices to scan the web for other weak IoT devices, forcing them to participate in attacks.

Another clue was related to an internet hooligan gang known as Lelddos, which launched major attacks on the server industry that supported internet game platform Minecraft, owned by Microsoft.

The Lelddos gang would attack server providers who did not get their Minecraft fix at a specific online protection service. One such victim was ProxyPipe, which was hit by a botnet that attacked 100,000 servers.

Krebs appears to be suggesting that Jha was behind attacks on Minecraft server firms that used security services other than his own ProTraf DDoS protection provider.

He is also suggesting that Jha and ProTraf had an accomplice in the form of Christopher CJ Sculti, owner of competing DDoS protection company DataWagon, who had a penchant for approaching victims by Skype before a DDoS attack took place.

In essence, Krebs believes that the Lelddos gang that attacked Minecraft server companies consisted of Sculti and the owners of ProTraf.

The trail that led Krebs to this conclusion was the tendency of hackers to take credit for their own work.

He spotted similarities in posts by Anna-senpai on Hack Forums with posts he had seen before by Jha, a New Jersey-based entrepreneur who could code from a young age, and specifically, an application by Anna-senpai for membership to the Hack Forum thread.

The trail also led to Jha’s handle Dreadiscool.

Krebs’s investigation involved conversations with a former ProTraf co-worker who claim that Jha admitted responsibility for Mirai.

Jha has denied any connection with Anna-senpai.

The plot thickens. But either way, a terrifying new age for cybersecurity has been born, as the IoT world continues to burgeon.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com