Mirai botnet creator revealed to be rogue DDoS protection provider

http://www.ibtimes.co.uk/mirai-botnet-creator-anna-senpai-unmasked-ddos-protection-service-provider-gone-rogue-1601935

If this is true then this Mirai botnet story is a part of quite strange business plan that did not go as planned. Cyber security in 2016/2017 is full of strange stories – some true, some fake and most hard to prove. 

4 Comments

  1. Tomi Engdahl says:

    Who is Anna-Senpai, the Mirai Worm Author?
    http://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

    On September 22, 2016, this site was forced offline for nearly four days after it was hit with “Mirai,” a malware strain that enslaves poorly secured Internet of Things (IoT) devices like wireless routers and security cameras into a botnet for use in large cyberattacks. Roughly a week after that assault, the individual(s) who launched that attack — using the name “Anna-Senpai” — released the source code for Mirai, spawning dozens of copycat attack armies online.

    After months of digging, KrebsOnSecurity is now confident to have uncovered Anna-Senpai’s real-life identity

    While DDoS attacks typically target a single Web site or Internet host, they often result in widespread collateral Internet disruption.

    The first clues to Anna-Senpai’s identity didn’t become clear until I understood that Mirai was just the latest incarnation of an IoT botnet family that has been in development and relatively broad use for nearly three years.

    The malware went by several names, including “Bashlite,” “Gafgyt,” “Qbot,” “Remaiten,” and “Torlus.”
    Infected IoT devices constantly scan the Web for other IoT things to compromise

    In 2014, a group of Internet hooligans operating under the banner “lelddos” very publicly used the code to launch large, sustained attacks that knocked many Web sites offline.

    The most frequent target of the lelddos gang were Web servers used to host Minecraft

    A large, successful Minecraft server with more than a thousand players logging on each day can easily earn the server’s owners upwards of $50,000 per month, mainly from players renting space on the server to build their Minecraft worlds, and purchasing in-game items and special abilities.

    Perhaps unsurprisingly, the top-earning Minecraft servers eventually attracted the attention of ne’er-do-wells and extortionists like the lelddos gang.

    Robert Coelho is vice president of ProxyPipe, Inc., a San Francisco company that specializes in protecting Minecraft servers from attacks.
    “The Minecraft industry is so competitive,” Coelho said. “If you’re a player, and your favorite Minecraft server gets knocked offline, you can switch to another server.”

    In June 2014, ProxyPipe was hit with a 300 gigabit per second DDoS attack launched by lelddos
    Coelho recalled that in mid-2015 his company’s Minecraft customers began coming under attack from a botnet made up of IoT devices infected with Qbot

    Datawagon also courted Minecraft servers as customers, and its servers were hosted on Internet space claimed by yet another Minecraft-focused DDoS protection provider — ProTraf Solutions.

    According to Coelho, ProTraf was trying to woo many of his biggest Minecraft server customers away from ProxyPipe.
    “In 2015, the ProTraf guys hit us offline tons, so a lot of our customers moved over to them,” Coelho said.

    WHO IS LELDDOS?

    Coelho said he believes the main members of lelddos gang were Sculti and the owners of ProTraf.

    Zuberi told KrebsOnSecurity that he was not involved with lelddos, but he acknowledged that he did hijack ProxyPipe’s Internet address space before moving over to ProTraf.

    A CHAT WITH ANNA-SENPAI

    At around the same time as the record 620 Gbps attack on KrebsOnSecurity, French Web hosting giant OVH suffered an even larger attack — launched by the very same Mirai botnet used to attack this site. Although this fact has been widely reported in the news media, the reason for the OVH attack may not be so well known.

    According to a tweet from OVH founder and chief technology officer Octave Klaba, the target of that massive attack also was a Minecraft server

    Turns out, in the days following the attack on this site and on OVH, Anna-Sempai had trained his Mirai botnet on Coelho’s ProxyPipe, completely knocking his DDoS mitigation service offline for the better part of a day and causing problems for many popular Minecraft servers.

    Unable to obtain more bandwidth and unwilling to sign an expensive annual contract with a third-party DDoS mitigation firm, Coelho turned to the only other option available to get out from under the attack: Filing abuse complaints with the Internet hosting firms that were responsible for providing connectivity to the control server used to orchestrate the activities of the Mirai botnet.

    “We did it because we had no other options, and because all of our customers were offline,” Coelho said. “Even though no other DDoS mitigation company was able to defend against these attacks [from Mirai], we still needed to defend against it because our customers were starting to move to other providers that attracted fewer attacks.”

    NOTICE AND TAKEDOWN

    A month before this chat between Coelho and Anna-Senpai, Anna is busy sending abuse complaints to various hosting firms, warning them that they are hosting huge IoT botnet control channels that needed to be shut down. This was clearly just part of an extended campaign by the Mirai botmasters to eliminate other IoT-based DDoS botnets that might compete for the same pool of vulnerable IoT devices.

    “It’s not just about taking it down, it’s about making everyone who is playing on that server crazy mad,” Coelho explained.

    Anna-Senpai told Coelho that paying customers also were the reason for the 620 Gbps attack on KrebsOnSecurity. Two weeks prior to that attack, I published the results of a months-long investigation revealing that “vDOS”

    DREADISCOOL = ANNA = JHA?

    DDOS CONFESSIONS

    After months of gathering information about the apparent authors of Mirai, I heard from Ammar Zuberi, once a co-worker of ProTraf President Paras Jha.
    Zuberi told KrebsOnSecurity that Jha admitted he was responsible for both Mirai and the Rutgers DDoS attacks.

    As I noted in Spreading the DDoS Disease and Selling the Cure, Anna-Senpai leaked the Mirai code on a domain name (santasbigcandycane[dot]cx)

    “I don’t think there are enough facts to definitively point the finger at me,” Jha said. “Besides this article, I was pretty much a nobody.”

    Spreading the DDoS Disease and Selling the Cure
    https://krebsonsecurity.com/2016/10/spreading-the-ddos-disease-and-selling-the-cure/

    Reply
  2. Tomi Engdahl says:

    UK police arrested the alleged mastermind of the MIRAI attack on Deutsche Telekom
    http://securityaffairs.co/wordpress/56604/cyber-crime/mirai-attack-deutsche-telekom.html

    Reply
  3. Tomi Engdahl says:

    Firm Responsible For Mirai-Infected Webcams Hires Software Firm To Make Its Products More Secure
    https://it.slashdot.org/story/17/06/16/2151221/firm-responsible-for-mirai-infected-webcams-hires-software-firm-to-make-its-products-more-secure

    After seeding the globe with hackable DVRs and webcams, Zhejiang Dahua Technology Co., Ltd. of Hangzhou, China will be working with the U.S. firm Synopsys to “enhance the security of its Internet of Things (IoT) devices and solutions.” Dahua, based in Hangzhou, China said it will with Mountain View based Synopsys to “enhance the security of its Internet of Things (IoT) devices and solutions.” In a joint statement, the companies said Dahua will be adopting secure “software development life cycle (SDLC) and supply chain” practices using Synopsys technologies in an effort to reduce the number of “vulnerabilities that can jeopardize our products,”

    Firm That Made Mirai-Infected Webcams Gets Security Religion
    https://securityledger.com/2017/06/firm-that-made-mirai-infected-webcams-gets-security-religion/

    In-brief: After seeding the globe with hackable DVRs and webcams, Zhejiang Dahua Technology Co., Ltd. of Hangzhou, China will be working with the U.S. firm Synopsys to “enhance the security of its Internet of Things (IoT) devices and solutions.”

    The surveillance camera maker whose name became synonymous with insecure, connected devices after its cameras formed the backbone of the Mirai botnet has hired a top secure software development and testing firm to makes its products less prone to hacking.

    Dahua’s cameras and digital video recorders (DVRs) figured prominently in the Mirai botnet, which launched massive denial of service attacks against websites in Europe and the U.S., including the French web hosting firm OVH, security news site Krebsonsecurity.com and the New Hampshire based managed DNS provider Dyn. Cybercriminals behind the botnet apparently exploited an overflow vulnerability in the web interface for cameras and DVRs to gain access to the underlying Linux operating system and install the Mirai software, according to research by the firm Level3.

    Reply
  4. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Researchers: October’s Mirai botnet attack on Dyn DNS service was incidental; original target was PlayStation Network name servers used by Dyn

    Angry gamers may have been behind last year’s web-breaking DDoS attack
    Targets included Brazilian Minecraft servers and the PlayStation Network
    https://www.theverge.com/2017/8/18/16170536/mirai-ddos-playstation-network-dyn-internet-angry-gamers

    Last October, a flood of traffic from the Mirai botnet brought down major portions of the internet, blocking access to Amazon, Netflix, and other services for most of the northeastern US. It was a painful reminder of the fragility of the internet and the danger of insecure Internet of Things devices — but despite the broad scale of the damage, new research presented today at the Usenix conference suggests the attackers may have just been trying to kick people off PlayStation.

    The new report comes from a team of researchers at Google, Cloudflare, Merit Networks, Akamai, and a range of university partners, drawing on data from some of the largest infrastructure networks on the web. Looking at the October attack on DNS provider Dyn, researchers noticed something unusual. All the IP addresses targeted by the attack were nameservers for the PlayStation Network, used by Dyn to connect visitors to the correct IP address. Because of the networked nature of Dyn’s domain registration system, attacking those servers meant attacking the whole system — and when it went down, it brought down access to dozens of other services with it.

    During the same period, the same attackers also went after a handful of gaming services. The researchers also detected attacks on Xbox Live, Nuclear Fallout and Valve Steam servers during the same period, suggesting the group was going after a wide range of gaming systems.

    “This pattern of behavior suggests that the Dyn attack on October 21, 2016 was not solely aimed at Dyn,” the researchers conclude. “The attacker was likely targeting gaming infrastructure that incidentally disrupted service to Dyn’s broader customer base.”

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*