Attacks/Breaches

12/13/2017
04:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Former Rutgers Student, Two Others Plead Guilty to Operating Mirai Botnet

Trio faces up to five years in federal prison and fines of up to $250,000

Two co-founders of a DDoS mitigation firm in the New York City area and another accomplice have pleaded guilty to their role in creating and using the Mirai botnet to launch massive distributed denial-of-service attacks on several large Internet companies in 2016.

Paras Jha, 21 of Fanwood, NJ, Josiah White, 20, of Washington, Pennsylvania, and Dalton Norman, 21, of Metairie, Louisiana, each face up to five years in prison and $250,000 in fines when they come up for sentencing next year.

Jha and Norman have also pleaded guilty to renting out the botnet to other cybercriminals for click-fraud purposes- another crime with a potential five-year sentence and $250,000 fine. The three plea agreements were entered in the US District Court for the District of Alaska Dec. 8 and unsealed Wednesday.

Separately, Jha on Dec. 13 also pleaded guilty in a Trenton federal court to repeatedly crashing the computer network at Rutgers University between 2014 and 2016 while he was computer science major there. Jha, who is out an a $25,000 bond, faces up to 10 years in prison for his attacks on Rutgers, but will likely get less under the terms of his plea agreement.

Raj Samani, chief scientist at McAfee, says developments like this week's plea agreements are important to fighting cybercrime. "Actions such as these send a clear message, whether you are carrying out the campaigns or enabling such activities that there is no such thing as zero risk," he says.

McAfee recently polled ransomware developers on why they were involved in the activity and many saw it as a high-reward, low-risk activity, Samani says. "The growth in the as-a-service economy is one of the main motivating factors on the increase of attacks, and this recent news sends a clear message."

The Mirai botnet was the first large-scale DDoS attack network comprised almost entirely of infected Internet of Things (IoT) devices such as home routers and Web-connected security cameras and DVRs. Among other things, the malware was designed to conduct attacks against a target's entire range of IP addresses.

DDoS attacks that were launched with the Mirai botnet crippled or disrupted services at many large Internet companies in fall 2016. One of them, on Domain Name Services provider Dyn, affected multiple websites including those belonging to CNN, Twitter, Okta, Netfix, and Reddit. Some of the attacks generated DDoS traffic in excess of 1 Tbps, several magnitudes bigger than average DDoS attacks.

In their plea agreement, Jha and White - who operated a small DDoS mitigation firm called ProTraf Solutions – and Norman, admitted to developing the Mirai malware and using it to build a massive botnet of infected devices. During a period between July 2016 and late fall 2016, the Mirai co-authors scanned for and ultimately infected some 300,000 IoT devices worldwide, by exploiting previously known and unknown vulnerabilities in the products.

Between August and September last year, the trio then used the botnet to attack several websites and webhosting companies in the US and elsewhere and sought to profit from it by offering DDoS mitigation services to some of the victims.

Security blog KrebsOnSecurity, which was the first to identify Jha as being one of those potentially behind the attacks, described Jha and White as using the botnet to primarily target the operators of large online gaming servers to try and extort money from them. In addition to using the botnet themselves, the pair actively tried to lease the botnet out to other cybercriminals by among things, advertising it on underground forums.

Cover-Up Attempt

Around Sept. 2016, Jha, White, and Norman released Mirai code into the open in an apparent attempt to create plausible deniability and then took steps to destroy all evidence of their connection to the malware. The public release of the malware online in turn resulted in the creation of several Mirai variants that were then used by others in separate attacks.

In addition to operating the botnet for DDoS purposes, Jha and Norman also sought to profit from Mirai in other ways. Between Dec. 2016 and February 2017, the two individuals infected some 100,000 IoT devices primarily in the US and used them for click fraud purposes. Basically, the two individuals used the infected devices to send high volumes of view requests to webpages with affiliate advertising content to make it appear like real users had clicked on the ads. Jha and Norman made the equivalent of some $180,000 in bitcoin from the click fraud.

Jha's attacks on Rutgers University's computer network, meanwhile, took place between Nov. 2014 and Sept. 2016, and appeared designed to create maximum disruption for the institution. Among other things, the attacks shut down the university's central authentication server and a portal for delivering assignments and assessments, sometimes for multi-day periods.

John Pescatore, director of emerging security threats at the SANS Institute, says that as with the real world, the real deterrent for cybercrime is the possibility of getting caught.

"Whether it is shoplifting, bank robbery, counterfeiting, or ransomware, if the probability of getting caught is seen to be real low, it doesn’t matter if the fine is $5 or $5 million," he says. "In cybercrime, it has been all too easy to get away with. Publicity over those getting caught is important and I think acts as more of a deterrent than does the size of the fine or jail sentence."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Number of Retailers Impacted by Breaches Doubles
Ericka Chickowski, Contributing Writer, Dark Reading,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19990
PUBLISHED: 2018-07-23
October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media module permission creating arbitrary folder name with XSS content. This attack appear to be exploitable v...
CVE-2018-19990
PUBLISHED: 2018-07-23
October CMS version prior to Build 437 contains a Local File Inclusion vulnerability in modules/system/traits/ViewMaker.php#244 (makeFileContents function) that can result in Sensitive information disclosure and remote code execution. This attack appear to be exploitable remotely if the /backend pat...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple out of array access vulnerabilities in the mms protocol that can result in attackers accessing out of bound data. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fix...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains a Buffer Overflow vulnerability in asf_o format demuxer that can result in heap-buffer-overflow that may result in remote code execution. This attack appears to be exploitable via specially crafted ASF file that has to be provide...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a Vulnerability that allows attackers to consume excessive amount of resources like CPU and RAM. This attack appear to be exploitable via specially c...