The authors of the infamous Mirai botnet – used to launch record-breaking Distributed Denial of Service (DDoS) attacks last year that knocked major segments of the internet offline – pleaded guilty to federal cybercrime charges last Friday, 8 December.
Plea agreements with Paras Jha and Josiah White were unsealed Tuesday by an Alaska court, which had indicted the two on 5 December. Jha, 21, from Fanwood, N.J. and White, 20, of Washington, Pennsylvania, were cofounders of Protraf Solutions LLC, whose major sales pitch was – wait for it – mitigation of large-scale DDoS attacks.
Jha, a computer science student at Rutgers University, also pleaded guilty in New Jersey to a series of DDoS attacks against the university between November 2014 and September 2016 that effectively shut down its central authentication system, sometimes for days at a time.
All of which has to amount to some measure of vindication for security blogger Brian Krebs, whose site was taken offline by a massive Mirai DDoS attack in September 2016, but who had tracked down Jha and White by January – 10 months before the law officially caught up with them – naming them in a lengthy post about his investigation of the attack.
As Krebs put it in a post on Tuesday, Jha and White selling DDoS mitigation services was:
…like firemen getting paid to put out the fires they started, Jha and White would target organizations with DDoS attacks and then either extort them for money to call off the attacks, or try to sell those companies services they claimed could uniquely help fend off the attacks.
A DDoS attack, as Naked Security’s Paul Ducklin described it last year, occurs when “thousands of computers, or perhaps even millions of them, gang up on an online service they don’t like and all deliberately start using it at the same time.”
Those thousands or millions of computers are essentially “zombies” under the control of the attacker, and block legitimate traffic from getting through.
In legal terms, Jha pleaded guilty to a single count of agreeing with at least one other person to cause:
…intentional damage to a protected computer, to wit knowingly causing the transmission of a program, code, or command to a computer with the intention of impairing without authorization the integrity or availability of data, a program, system, or information; and the computer was used in or affected interstate or foreign commerce or communication.
In less legal terms, he admitted to writing and implementing the code that led to the Mirai malware ensnaring more than 300,000 devices and launching multiple DDoS attacks – some of them in Alaska.
Jha and White also admitted to renting the botnet out to third parties and launching a protection racket – using it to extort money from hosting companies in exchange for not being targeted.
White pleaded guilty to a similar charge, but his role in the scheme, spelled out in his plea agreement, was to create the scanner portion of the Mirai code, which would scan the internet for vulnerable devices to hijack.
As part of his agreement, White agreed to give up 33 Bitcoin, “which are the proceeds of criminal activity.” With a single Bitcoin currently valued at $16,700, that amounts to a forfeiture of $551,100. Jha agreed to forfeit 13 Bitcoin – a $217,100 value today.
Jha, along with a collaborator named Dalton Norman, 21, of Metairie, Louisiana, also pleaded guilty to click fraud – a scheme in which a bot is used to make it appear that a real user has “clicked” on an advertisement. Since advertisers pay for the number of times their page is viewed, that generates fraudulent profits for the hosting website.
The two admitted making about 200 Bitcoin through the click fraud – which would now be worth $3.34m.
Krebs wrote that Jha’s and White’s most popular targets were online gaming servers, particularly those connected with the popular online game Minecraft.
But he and Minecraft servers were not the only high-profile victims. Just days after the attack on his site, the Mirai authors, who were going by the name “Anna Senpai,” posted the source code publicly online. According to Jha’s plea agreement, that was done “in order to create plausible deniability if law enforcement found the code on computers controlled by Jha or his co-conspirators.”
That public posting, not surprisingly, led to the creation of multiple Mirai botnets, the most damaging of which was against the New Hampshire-based internet infrastructure company Dyn, which in late October 2016 took down major players like Twitter, GitHub, PlayStation, Netflix, Reddit and a host of other sites for much of that day.
And new strains of Mirai are continually being reported, although there have not been any major recent attacks.
For creating all this chaos, damage and expense – Mirai ensnared more than 100,000 IP addresses and the costs of the DDoS attacks by its various strains are estimated at well over $100m – Jha and White face maximum statutory penalties of five years in prison; fines of $250,000 or “twice the pecuniary gain or loss of the offense”; and supervised release of three years.
But the agreement also stipulates that the defendants can’t withdraw from the agreement even if “the Court rejects the parties’ sentencing recommendations at the sentencing hearing.” It also states that “the proper restitution amount will be determined at sentencing.”