Mirai: Trio confesses to creating the world's most powerful DDoS botnet

DDoS Attack on screen
(Image credit: Shutterstock)

Three men have admitted to being the authors of the devastating Mirai botnet, which was used to launch a DDoS attack that took large parts of the internet offline last year before being widely shared with cyber criminals.

Paras Jha, 21, of Fanwood, New Jersey; Josiah White, 20, of Washington, Pennsylvania; and Dalton Norman, 21, of Metairie, Louisiana, all pleaded guilty to operating Mirai last week, in a court case unsealed by the US Department of Justice yesterday.

The trio built the botnet over the summer and autumn of 2016, targeting IoT devices like routers and wireless cameras, and targeting device vulnerabilities that would let Mirai enslave connected gadgets.

Mirai was behind one of the most effective DDoS attacks ever, hammering DNS provider Dyn with access requests from tens of millions of different IP addresses to force it offline and thereby bring down Github, Reddit, Twitter, Spotify and other huge companies that rely on Dyn to route users to their sites.

The trio conducted multiple DDoS attacks using the Mirai software in 2016, but the FBI doesn't believe they were behind the Dyn attack - they ended their involvement with Mirai in the autumn, when Jha posted the source code on a criminal forum to let other hackers use it to launch their own attacks.

Under the pseudonym of Anna-senpai, Jha wrote on the forum: "When I first go in DDoS industry, I wasn't planning on staying in it long. I made my money, there're lots of eyes looking at IOT now, so it's time to GTFO."

This came shortly after an attack on KrebsOnSecurity, security journalist Brian Krebs' blog, that was so big his pro-bono DDoS protection provider Akamai dropped him as a customer due to the cost of protecting his site.

"After Kreb [sic] DDoS, ISPs been slowly shutting downs and cleaning up their act," Jha wrote on the criminal forum, warning that such a public attack had seen ISPs grow more wary. "Today, max pull is about 300k bots, and dropping."

That was still large enough to pull down Dyn, however. Open sourcing Mirai also led to 15,194 attacks, according to a paper assessing the impact of the botnet.

Jha and Norman also pleaded guilty to using their pool of more than 100,000 connected devices to launch a 'clickfraud' campaign between December 2016 and February this year, generating false advertising clicks online.

Mirai wasn't Jha's first involvement with cyber attacks however - he pleaded guilty yesterday to a series of attacks on Rutgers University between 2014 and 2016, shutting down the university's central authentication server that staff and students used to deliver assignments and assessments.

"The Mirai and Clickfraud botnet schemes are powerful reminders that as we continue on a path of a more interconnected world, we must guard against the threats posed by cybercriminals that can quickly weaponize technological developments to cause vast and varied types of harm," said the Justice Department's acting assistant attorney John Cronan.

The FBI's assistant director, Scott Smith, added: "These cases illustrate how the FBI works tirelessly against the actions of criminals who use malicious code to cause widespread damage and disruptions to the general population.

"The FBI is dedicated to working with its domestic and international partners to aggressively pursue these individuals and bring justice to the victims."

Jha, White and Norman are yet to be sentenced.