You may remember the botnet Mirai. It gained serious notoriety in mid-October of last year, after an incredibly massive Distributed Denial-of-Service (DDoS) attack blocked most users on the Eastern Seaboard from accessing sites like Reddit, Netflix, Twitter, and many others for half a day, thanks to knocking domain-name system manager Dyn offline. The Mirai botnet DDoS attack was large enough that James Clapper, the director of National Intelligence, had to go on record as saying the attack was from a “non-state actor” — that is to say, it probably wasn’t Russia or China doing it.
But before Mirai took down Dyn, it was used to attack the blog of popular internet-security reporter Brian Krebs, who runs the blog Krebs on Security. The attack, which at the time was the largest DDoS attack ever seen, slamming the site with 620 gigabits of data per second (or more than double the previous record), was Mirai’s debut on the world stage. It would follow up this performance by hitting a French web-hosting company with 1 terabit of data per second — still the current record for the largest DDoS attack ever.
Four months later, Brian Krebs has published what, to my mind, seems like pretty convincing proof of the identity of the person behind the Mirai botnet: Paras Jha, a Rutgers student and, per his LinkedIn profile, president at ProTraf Solutions, “a DDoS mitigation firm that has a proven track record in mitigating DDoS attacks that competitors cannot.”
Krebs’s investigation is over 8,000 words and goes heavy into detail as to why Jha is the likely creator of Mirai (as well he should — he’s publicly accusing someone of creating a botnet the FBI and DHS have taken a very active interest in). He’s even provided a glossary to help readers follow along.
The story has enough twists for a decent John le Carré novel and really, just go read it because it’s a fascinating look at the petty squabbles and internecine warfare of hackers and script kiddies, but here’s the high-level version. Shortly after the Mirai attacks, a user named “Anna-senpai” released the source code for Mirai on a popular hacker forum, saying that the security industry was catching up and Mirai wasn’t as effective as it once was. So, “Anna-senpai” can pretty definitely be said to be the creator of Mirai.
From there, Krebs begins to link Anna-senpai back to Jha. It starts, as about 75 percent of internet bullshit does, around online gaming — in this case Minecraft. (You’ll also be shocked to learn that anime plays a part as well.) People who ran popular private servers could make money from doing so — and were also frequent targets of DDoS attacks from competitors. One of the companies offering to protect Minecraft servers — and sometimes taking down Minecraft servers protected by their competitors? A company associated with Jha’s ProTraf.
Krebs stumbled across Jha’s LinkedIn profile shortly after, which says he can develop in “C#, Java, Golang, C, C++, PHP, x86 [and] ASM.” Krebs finds an application Anna-senpai posted to a hacker forum, asking for membership in a hacking group, which lists his programming languages as “ASM, C, Go, Java, C#, and PHP” — virtually the exact same skill set.
Krebs then finds a vanity domain Jha’s father bought for him, parasjha.com, where Jha says he codes under the handle “dreadiscool.” Krebs then goes down that rabbit hole to link “dreadiscool” to “Anna-senpai” and then links those to other accounts like “jorgemichaels” and “OG_Richard_Stallman,” who gained reputations for threatening to DDoS web hosting companies unless they paid up.
OG_Richard_Stallman in particular gained a reputation for DDoSing Rutgers University over and over, threatening not to stop until they hired a DDoS-mitigation service (much like the one Rutgers student Jha is the president of). At one point, he even does a Reddit AMA about his exploits, and gives a Q&A to a local New Jersey blogger.
You can see the problem here: The creator of Mirai has the bad habit of bragging, and can’t stop reaching out to various people to gloat about his ability to bring them to their knees. It all builds up until Krebs finally gets confirmation from one Ammar Zuberi, a friend of Paras Jha, who tells Krebs, “When I saw that the Mirai code had been leaked on that domain at Namecentral, I straight up asked Paras at that point, ‘Was this you?’ and he smiled and said ‘yep.’”
Krebs has reached out to various people and institutions, including the FBI, Jha, and Rutgers, for comment. But you’ve got to imagine that Krebs, whose site was taken down for four days in a Mirai DDoS attack, is feeling pretty happy this evening.