Mirai botnet creator revealed to be rogue DDoS protection provider


If this is true then this Mirai botnet story is a part of quite strange business plan that did not go as planned. Cyber security in 2016/2017 is full of strange stories – some true, some fake and most hard to prove. 


  1. Tomi Engdahl says:

    Who is Anna-Senpai, the Mirai Worm Author?

    On September 22, 2016, this site was forced offline for nearly four days after it was hit with “Mirai,” a malware strain that enslaves poorly secured Internet of Things (IoT) devices like wireless routers and security cameras into a botnet for use in large cyberattacks. Roughly a week after that assault, the individual(s) who launched that attack — using the name “Anna-Senpai” — released the source code for Mirai, spawning dozens of copycat attack armies online.

    After months of digging, KrebsOnSecurity is now confident to have uncovered Anna-Senpai’s real-life identity

    While DDoS attacks typically target a single Web site or Internet host, they often result in widespread collateral Internet disruption.

    The first clues to Anna-Senpai’s identity didn’t become clear until I understood that Mirai was just the latest incarnation of an IoT botnet family that has been in development and relatively broad use for nearly three years.

    The malware went by several names, including “Bashlite,” “Gafgyt,” “Qbot,” “Remaiten,” and “Torlus.”
    Infected IoT devices constantly scan the Web for other IoT things to compromise

    In 2014, a group of Internet hooligans operating under the banner “lelddos” very publicly used the code to launch large, sustained attacks that knocked many Web sites offline.

    The most frequent target of the lelddos gang were Web servers used to host Minecraft

    A large, successful Minecraft server with more than a thousand players logging on each day can easily earn the server’s owners upwards of $50,000 per month, mainly from players renting space on the server to build their Minecraft worlds, and purchasing in-game items and special abilities.

    Perhaps unsurprisingly, the top-earning Minecraft servers eventually attracted the attention of ne’er-do-wells and extortionists like the lelddos gang.

    Robert Coelho is vice president of ProxyPipe, Inc., a San Francisco company that specializes in protecting Minecraft servers from attacks.
    “The Minecraft industry is so competitive,” Coelho said. “If you’re a player, and your favorite Minecraft server gets knocked offline, you can switch to another server.”

    In June 2014, ProxyPipe was hit with a 300 gigabit per second DDoS attack launched by lelddos
    Coelho recalled that in mid-2015 his company’s Minecraft customers began coming under attack from a botnet made up of IoT devices infected with Qbot

    Datawagon also courted Minecraft servers as customers, and its servers were hosted on Internet space claimed by yet another Minecraft-focused DDoS protection provider — ProTraf Solutions.

    According to Coelho, ProTraf was trying to woo many of his biggest Minecraft server customers away from ProxyPipe.
    “In 2015, the ProTraf guys hit us offline tons, so a lot of our customers moved over to them,” Coelho said.


    Coelho said he believes the main members of lelddos gang were Sculti and the owners of ProTraf.

    Zuberi told KrebsOnSecurity that he was not involved with lelddos, but he acknowledged that he did hijack ProxyPipe’s Internet address space before moving over to ProTraf.


    At around the same time as the record 620 Gbps attack on KrebsOnSecurity, French Web hosting giant OVH suffered an even larger attack — launched by the very same Mirai botnet used to attack this site. Although this fact has been widely reported in the news media, the reason for the OVH attack may not be so well known.

    According to a tweet from OVH founder and chief technology officer Octave Klaba, the target of that massive attack also was a Minecraft server

    Turns out, in the days following the attack on this site and on OVH, Anna-Sempai had trained his Mirai botnet on Coelho’s ProxyPipe, completely knocking his DDoS mitigation service offline for the better part of a day and causing problems for many popular Minecraft servers.

    Unable to obtain more bandwidth and unwilling to sign an expensive annual contract with a third-party DDoS mitigation firm, Coelho turned to the only other option available to get out from under the attack: Filing abuse complaints with the Internet hosting firms that were responsible for providing connectivity to the control server used to orchestrate the activities of the Mirai botnet.

    “We did it because we had no other options, and because all of our customers were offline,” Coelho said. “Even though no other DDoS mitigation company was able to defend against these attacks [from Mirai], we still needed to defend against it because our customers were starting to move to other providers that attracted fewer attacks.”


    A month before this chat between Coelho and Anna-Senpai, Anna is busy sending abuse complaints to various hosting firms, warning them that they are hosting huge IoT botnet control channels that needed to be shut down. This was clearly just part of an extended campaign by the Mirai botmasters to eliminate other IoT-based DDoS botnets that might compete for the same pool of vulnerable IoT devices.

    “It’s not just about taking it down, it’s about making everyone who is playing on that server crazy mad,” Coelho explained.

    Anna-Senpai told Coelho that paying customers also were the reason for the 620 Gbps attack on KrebsOnSecurity. Two weeks prior to that attack, I published the results of a months-long investigation revealing that “vDOS”



    After months of gathering information about the apparent authors of Mirai, I heard from Ammar Zuberi, once a co-worker of ProTraf President Paras Jha.
    Zuberi told KrebsOnSecurity that Jha admitted he was responsible for both Mirai and the Rutgers DDoS attacks.

    As I noted in Spreading the DDoS Disease and Selling the Cure, Anna-Senpai leaked the Mirai code on a domain name (santasbigcandycane[dot]cx)

    “I don’t think there are enough facts to definitively point the finger at me,” Jha said. “Besides this article, I was pretty much a nobody.”

    Spreading the DDoS Disease and Selling the Cure

  2. Tomi Engdahl says:

    UK police arrested the alleged mastermind of the MIRAI attack on Deutsche Telekom

  3. Tomi Engdahl says:

    Firm Responsible For Mirai-Infected Webcams Hires Software Firm To Make Its Products More Secure

    After seeding the globe with hackable DVRs and webcams, Zhejiang Dahua Technology Co., Ltd. of Hangzhou, China will be working with the U.S. firm Synopsys to “enhance the security of its Internet of Things (IoT) devices and solutions.” Dahua, based in Hangzhou, China said it will with Mountain View based Synopsys to “enhance the security of its Internet of Things (IoT) devices and solutions.” In a joint statement, the companies said Dahua will be adopting secure “software development life cycle (SDLC) and supply chain” practices using Synopsys technologies in an effort to reduce the number of “vulnerabilities that can jeopardize our products,”

    Firm That Made Mirai-Infected Webcams Gets Security Religion

    In-brief: After seeding the globe with hackable DVRs and webcams, Zhejiang Dahua Technology Co., Ltd. of Hangzhou, China will be working with the U.S. firm Synopsys to “enhance the security of its Internet of Things (IoT) devices and solutions.”

    The surveillance camera maker whose name became synonymous with insecure, connected devices after its cameras formed the backbone of the Mirai botnet has hired a top secure software development and testing firm to makes its products less prone to hacking.

    Dahua’s cameras and digital video recorders (DVRs) figured prominently in the Mirai botnet, which launched massive denial of service attacks against websites in Europe and the U.S., including the French web hosting firm OVH, security news site Krebsonsecurity.com and the New Hampshire based managed DNS provider Dyn. Cybercriminals behind the botnet apparently exploited an overflow vulnerability in the web interface for cameras and DVRs to gain access to the underlying Linux operating system and install the Mirai software, according to research by the firm Level3.

  4. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Researchers: October’s Mirai botnet attack on Dyn DNS service was incidental; original target was PlayStation Network name servers used by Dyn

    Angry gamers may have been behind last year’s web-breaking DDoS attack
    Targets included Brazilian Minecraft servers and the PlayStation Network

    Last October, a flood of traffic from the Mirai botnet brought down major portions of the internet, blocking access to Amazon, Netflix, and other services for most of the northeastern US. It was a painful reminder of the fragility of the internet and the danger of insecure Internet of Things devices — but despite the broad scale of the damage, new research presented today at the Usenix conference suggests the attackers may have just been trying to kick people off PlayStation.

    The new report comes from a team of researchers at Google, Cloudflare, Merit Networks, Akamai, and a range of university partners, drawing on data from some of the largest infrastructure networks on the web. Looking at the October attack on DNS provider Dyn, researchers noticed something unusual. All the IP addresses targeted by the attack were nameservers for the PlayStation Network, used by Dyn to connect visitors to the correct IP address. Because of the networked nature of Dyn’s domain registration system, attacking those servers meant attacking the whole system — and when it went down, it brought down access to dozens of other services with it.

    During the same period, the same attackers also went after a handful of gaming services. The researchers also detected attacks on Xbox Live, Nuclear Fallout and Valve Steam servers during the same period, suggesting the group was going after a wide range of gaming systems.

    “This pattern of behavior suggests that the Dyn attack on October 21, 2016 was not solely aimed at Dyn,” the researchers conclude. “The attacker was likely targeting gaming infrastructure that incidentally disrupted service to Dyn’s broader customer base.”

  5. Tomi Engdahl says:

    Three Plead Guilty in Mirai Botnet Attacks

    US officials unveiled criminal charges Wednesday against a former university student and two others in the Mirai botnet attacks which shut down parts of the internet in several countries starting in mid-2016.

    The Justice Department announced plea agreements for Paras Jha, 21 — a former Rutgers University computer science student who acknowledged writing the malware code — and Josiah White, 20, and Dalton Norman, 21, who helped profit from the attacks.

    In documents unsealed Wednesday, Jha admitted writing the code for the botnet which harnessed more than 100,000 “internet of things” (IoT) devices such as cameras, light bulbs and appliances to launch the attacks.

    By commanding an army of bots — or computers under control of the attackers — the malware shut down networks and websites in the United States, Germany, Liberia and elsewhere.

    The malware was used to make money through “click fraud,” a scheme that makes it appear that a real user has clicked on an advertisement for the purpose of artificially generating revenue, according to officials.

    The three generated some $180,000 from the scheme in bitcoin, Justice officials added.

  6. Tomi Engdahl says:

    Mirai-makers plead guilty, Hajime still lurks in shadows

    Riot doesn’t go in for New Year predictions much, but we think Hajime will be a name on most security reporters’ lips at some point in 2018 – a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things. Mirai itself has made the news this week, because its apparent author has now plead guilty to such accusations, leveled against him by the FBI. However, this isn’t the end for the now open-sourced Mirai.

  7. Tomi Engdahl says:


    Pääsyylliseksi tunnistettiin Rutgersin yliopiston opiskelija Paras Jha, joka oli ladannut Mirai-lähdekoodiin Githubiin. Hänet tuomittiin 2500 tunnin yhdyskuntapalveluun. Palvelupaikka Jhalle on FBI ja tehtävänä jahdata hakkereita ja tunnistaa turvallisuusaukkoja.

  8. Tomi Engdahl says:

    Mirai Co-Author Gets 6 Months Confinement, $8.6M in Fines for Rutgers Attacks

    The convicted co-author of the highly disruptive Mirai botnet malware strain has been sentenced to 2,500 hours of community service, six months home confinement, and ordered to pay $8.6 million in restitution for repeatedly using Mirai to take down Internet services at Rutgers University, his former alma mater.

    Jha told investigators he carried out the attacks not for profit but purely for personal, juvenile reasons: “He reveled in the uproar caused by the first attack, which he launched to delay upper-classmen registration for an advanced computer science class he wanted to take,” the government’s sentencing memo stated. “The second attack was launched to delay his calculus exam. The last two attacks were motivated in part by the publicity and outrage” his previous attacks had generated. Jha would later drop out of Rutgers after struggling academically.


Leave a Comment

Your email address will not be published. Required fields are marked *