Report: Alleged Mirai Creator Tried to Extort Web Hosts

Brought to you by The WHIR

After hundreds of hours of research, security journalist Brian Krebs has unmasked the identity of the alleged individual behind the Mirai botnet, the malware that knocked Krebs’ website offline for days in September, and, perhaps more famously, was used to take down Dyn in October.

In more than 8,000 words, Krebs goes into detail about how he uncovered who he believes to be the author of the Mirai botnet, weaving together details, names and conversations in an effort to reveal the true identity of “Anna-Senpai”.

Paras Jha, a 20-year-old Rutgers student and president of DDoS mitigation provider ProTraf Solutions, is believed to be Mirai’s author, according to Krebs’ research.

“After first reading Jha’s LinkedIn resume, I was haunted by the nagging feeling that I’d seen this rather unique combination of computer language skills somewhere else online,” Krebs writes. “Then it dawned on me: The mix of programming skills that Jha listed in his LinkedIn profile is remarkably similar to the skills listed on Hackforums by none other than Mirai’s author — Anna-Senpai.”

Krebs reached out to Jha, who denies the allegations, and said that he did not write Mirai and was not involved in attacking Rutgers, which was hit by 6 separate DDoS attacks last year.

Web Hosting Targets

In October, a Web Hosting Talk member asked for feedback about what to do in response a ransom notice that it had received. The sender? Anna-Senpai.

Many of the responses on the forum thread said that the ransom seemed like an empty threat. It seems Anna-Senpai didn’t act on this particular threat (the poster said nothing happened after the 96-hour period), but here’s the ransom note that the hosting provider received, posted as-is full below:

——- Forwarded Message ——–

Subject: DDOS ATTACK ON YOU

Date: Mon, 17 Oct 2016 23:51:54 -0000

From: [email protected]

To: xxxx IMPORTANT!

Redirect this e-mail to your CEO/CFO/any kind of such person

Aloha! My name is Anna-senpai. Recently i?ve decided to leave DDoS industry and released the source code of my /mirai botnet/ (google if you aren?t familiar with this) for free to everyone. I had my rest and..Now I am returning to DDoS insdustry. Last months i?ve worked on the code improvement and empowering my new botnet with a vulnerabilities in AvTech products. So. Your network will be DDoS-ed in 96 hours if you will not pay 2 Bitcoins at xxxx address. If you will not pay in time, DDoS attack will start, your web-services will go down permanently. After that, price to stop will be increased to 5 BTC with further increment of 5 BTC for every day of attack. NOTE, i?m not joking. My attack are extremely powerful now – now average 700-800Gbps, sometimes over 1 Tbps per second. It will pass any remote protections, no current protection systems can help. Once payment is done, send me an e-mail with the number of the wallet from you have paid, so I can identify you. Make right decision.

The Web Hosting Talk member was not the only web host to have heard from Ann-Senpai.

Francisco Dias, owner of Frantech ISP, was attacked by Anna-Senpai and Mirai in mid-September, except this time “Anna” was going by the name OG_Richard_Stallman.

“This guy using the Richard Stallman name added me on Skype and basically said ‘I’m going to knock all of your [Internet addresses] offline until you pay me’,” Dias told Krebs. “He told me the up front cost to stop the attack was 10 bitcoins [~USD $5,000 at the time], and if I didn’t pay within four hours after the attack started the fee would double to 20 bitcoins.”

“He was hitting us so hard with Mirai that he was dropping large parts of Hurricane Electric and causing problems at their Los Angeles point of presence,” Dias said. “I basically threw everything behind [DDoS mitigation provider] Voxility, and eventually Stallman buggered off.”

Minecraft

While the Mirai worm didn’t become a household name until the October attack on Dyn, Krebs explains that earlier versions had many different names which corresponded to a variant that included new improvements over time.

Krebs says that in 2014, a group of hackers operating as “lelddos” publicly used the code to launch “large, sustained attacks.” The most common targets of the group were web servers used to host Minecraft.

Why Minecraft? At any given time, Krebs says, there are over a million people playing it online, and those running the servers can make big bucks doing so.

“A large, successful Minecraft server with more than a thousand players logging on each day can easily earn the server’s owners upwards of $50,000 per month, mainly from players renting space on the server to build their Minecraft worlds, and purchasing in-game items and special abilities,” Krebs says. “Perhaps unsurprisingly, the top-earning Minecraft servers eventually attracted the attention of ne’er-do-wells and extortionists like the lelddos gang. Lelddos would launch a huge DDoS attack against a Minecraft server, knowing that the targeted Minecraft server owner was likely losing thousands of dollars for each day his gaming channel remained offline.”

According to Krebs, in 2015, ProTraf Solutions (the company Jha works for as president) was trying to woo Minecraft server customers away from its competitor ProxyPipe. As part of that effort, ProTraf disabled ProxyPipe employees’ Skype accounts (a main artery of support for its customers) and then the company’s servers were hit by a massive DDoS attack. It seemed to work – within a few days, many of its clients had moved to Minecraft servers run by ProTraf.

Kreb says that last year, around the same time as the attack on his website, French hosting provider OVH suffered a massive DDoS attack. According to OVH founder and CTO Octave Klaba, the target of that massive attack was also a Minecraft server, Krebs says.

We want to know: Are you doing anything differently to protect against DDoS attacks after the Mirai botnet?