Three men have pleaded guilty in U.S. federal court for their role creating and renting out the Mirai botnet, which launched damaging denial of service attacks against the U.S. firm Dyn and other online properties, the website Krebs on Security reports.
Josiah White, Paras Jha and Dalton Norman entered guilty pleas in US District Court for the District of Alaska on November 28 and 29, acknowledging violating the U.S. Computer Fraud and Abuse Act by creating Mirai and then using it to conduct denial of service attacks. The three pleaded guilty in exchange for leniency in sentencing.
Jha and White (aka “litespeed”) were affiliated with the firm ProTraf Solutions, a denial of service for hire firm that courted the business of Minecraft and other game hosting providers. Both were initially identified by journalist Brian Krebs in a January, 2017 expose on the origins of the Mirai botnet. According to Krebs, both had been members of an online DDoS crew known as lelddos that had been compromising devices and assembling botnets using Mirai predecessor malware like Bashlite (aka Qbot). Jha has also pleaded guilty to a large denial of service attack against the network of Rutgers University, where he was enrolled as a Computer Science student at the time.
The pleas filed by the three describe a months long campaign to compromise hundreds of thousands of Internet connected devices, infect them with malware capable of carrying out denial of service attacks, and then launching attacks and renting their botnet to other cyber criminals for the same purpose. White is alleged to have created a number of the components used by Mirai, including an Internet scanner that located vulnerable devices and managing the Mirai command and control servers. (Read his plea here in PDF form.) Jha is called out for both directing the creation and use of the Mirai botnet in denial of service attacks, for setting up infrastructure used to host the botnet and for demanding payment in exchange for halting attacks. (Read his plea here in PDF form.) Norman is described as working to identify vulnerable devices and write coded needed to infect them. He also refined the Mirai code to handle “a large number of bots” and helping support customers who were using Mirai to carry out criminal denial of service attacks. (Read his plea here in PDF form.)
Krebs site was among a handful targeted by Mirai in a string of attacks in October, 2016. The attack, which pushed the Krebsonsecurity web site off of Akamai’s infrastructure, was supposedly in retaliation for an article that detailed the stressor and DDoS for hire market. The attacks also crippled managed DNS provider Dyn, now part of Oracle Corp., which counts some of the Internet’s largest sites as customers including PayPal, Twitter, Reddit, Amazon, Netflix, and Spotify. The attacks were costly for Dyn. More than 14,000 Internet domains – or about 8% of its customer base – stopped using the company’s managed DNS services offered by the New Hampshire based company following the attack on the company.
Though charged with creating Mirai, the three men are not charged with directing the attacks on Dyn and Krebsonsecurity and the French hosting firm OVH. Details on that investigation have not been released.
The three men face up to 5 years in prison and a $250,000 fine, according to court documents.