From Silicon To Software


Mirai IoT Botnet Co-Creators Plead Guilty

For their involvement in creating and distributing the Mirai IoT-based botnet, Paras Jha, Josiah White, and Dalton Norman each admitted on Wednesday to one count of conspiracy in plea agreement in Alaska. A botnet is traditionally defined as a network of compromised computers that can be remotely controlled to mount large-scale attacks such as a distributed denial-of-service (DDoS) attack on a website. Mirai was the first botnet to compromise and remotely control internet of things (IoT) devices in a large-scale attack on internet services.

In late October 2016, Mirai accessed thousands of compromised surveillance cameras worldwide to stage a DDoS attack against Dyn, a DNS resolution company with clients such as Netflix and CNN. The devices were told to access Dyn over and over, crowding out legitimate requests for access. The result was that for several hours, customers on the East and West Coasts of the United States were unable to access these popular websites. It was also the first time a botnet based on IoT devices had been used in a large-scale attack with tangible dollar losses.

We now know that these three college-aged online gamers, warring over turf, launched the Mirai botnet.

Back in October 2016, the Mirai botnet’s author, using the online nickname Anna Senpai, which means “upper classman” in Japanese, published the source code online. Often, publishing malware source is done to obfuscate the true author. As more and more people make variations to the code, very few of the original fingerprints are left to identify the author(s). In the case of Mirai, the source code actually pointed investigators in the right direction.

Shortly after the source code appeared security reporter Brian Krebs and others noticed some similarities in the code to other botnet code used by warring gamers online. For instance, Minecraft customers had been coming under attack as early as 2015 from a botnet made up of IoT devices. These attacks, however, were limited to the game.

One such Minecraft botnet, Qbot, along with other DDoS-enabling botnets was created by Christopher “CJ” Sculti, Jr. He reached out to Krebs shortly before the Mirai outbreak, noticing the similarity in construction to something he’d seen before. Botnets such as Qbot are designed to deny service to competing players by slowing down their progress in the game by overloading their server. Of course, if someone is using malware to slow a player down, there must be a market for software that protects a player as well.

Krebs bases much of his January 2017 article on the claims of Robert Coelho, vice president of ProxyPipe, Inc., a San Francisco company that specializes in protecting Minecraft servers from attacks. Coelho and Sculti are known to each other and have battled each other for years. But, according to Krebs, both agreed the man behind Anna Senpai would be Paras Jha, a 21-year old president of a company that also helps people defeat Qbot and other DDoS attack botnets.

As further proof, Krebs identified in January that Rutgers University had problems with a series of DDoS attacks on its networks from 2014 through 2016, during the time that Jha was a student there. On Wednesday, Jha also pleaded guilty in a New Jersey federal court. In its filing the university said its networks were hit often during high-stress times such as mid-terms or final exams.

The Mirai case was heard in Anchorage because internet-connected devices in Alaska were affected by the malware.

Also this week, the author of Brickerbot announced his retirement. Brickerbot is “helpful malware” in that it identifies and shuts down vulnerable IoT devices before they can be infected with “harmful malware” such as Mirai. The author, using the online nickname Janitor, told BeepingComputer that more than 10 million devices had been successfully “bricked,” but this positive statement leaves open many ethical questions. For one thing, the U.S. Computer Abuse Act states that unauthorized users shall not make changes on a computer system. Brickerbot did just that.

In his defense, Janitor told BleepingComputer:

“I however believe that people, organizations and governments aren’t doing enough nor moving quickly enough and we’re running out of time. Because of this I’ve decided to make a public appeal regarding the severity of the situation. Taking credit for all the carnage of the past year has serious downsides for me and my mission. […] However I also recognize that if I keep doing what I’m doing then people of influence may simply perceive the IoT security disaster as less urgent when in reality they should consider it an emergency requiring immediate action.”

A similar “helpful” malware, Hajime, also targeted Mirai in late 2016. Hajime, however, only affects the device’s RAM memory, so the effect is temporary. Should the IoT device be rebooted, ports 23, 7547, 5555, and 5358 open again and the device becomes vulnerable to Mirai and other IoT-focused malware. The link? Hajime also has bits of Qbot code.

As mentioned, publishing the source code online allows others to create variations. Since Hajime there have been several new strains of the Mirai botnet, including one that has been estimated to use 100,000 compromised home routers. This new variant of the Mirai botnet is much more powerful, according to Ars Technica. Researchers say this particular strain remains dormant – for now.

Similarly, the botnet Reaper or IoTroop, also based on Mirai, has infected nearly two million devices and is growing at the rate of 10,000 new devices per day. These IoT devices include wireless IP cameras and routers manufactured by the likes of Avtech, D-Link, GoAhead, Linksys, MikroTik, Synology, and TP-Link. Again, this botnet remains largely dormant.

The arrest of Jha and others, however, will not stop the threat to IoT devices. Fortunately, there are steps that everyone can take.

  • Change default passwords on your IoT devices
  • Update your IoT devices with security and firmware updates when available
  • Disable features such as Universal Plug and Play (UPnP) on devices

The first two actions need to be taken with every device. Just changing the default password won’t protect the device from vulnerabilities, so vigilance is necessary. Turning off unneeded features is a basic network security option that also should be applied to standalone IoT devices. For example, if the device doesn’t need Bluetooth, why enable it?