Mirai botnet creator unmasked: US university student named by security blogger Brian Krebs

Mirai malware evolved to "promote" a Minecraft protection racket, claims security blogger Brian Krebs

A student at Rutgers University in the US, who runs a distributed denial of service (DDoS) protection business on the side, has been fingered as the individual behind the Mirai Internet-of-Things (IoT) botnet.

The disclosure was made by security blogger Brian Krebs after conducting an in-depth investigation and finding out that Mirai had been developed and deployed over the past three years or so - it didn't suddenly emerge last year.

Krebs believes that Mirai has been used a number of times in connection with what looks suspiciously like an online protection racket: companies running, for example, Minecraft servers were offered distributed denial of service (DDoS) protection on the one hand, and were then taken offline in massive DDoS attacks on the other.

At the same time, Krebs claims that the "services" of the student behind Mirai have been deployed by operators of Minecraft servers to take rival services offline in order to drive players to their servers.

Running a Minecraft server can be a lucrative business, with companies making big profits from renting space on their servers to gamers. However, if the servers go down for any length of time or prove unreliable the players quickly migrate elsewhere.

One of Krebs's key contacts was Robert Coelho, vice president of ProxyPipe, a legitimate San Francisco-based company that specialises in protecting Minecraft servers from DDoS and other attacks.

Krebs has identified a number of companies that he believes were run by members of the Lelddos gang, which launched DDoS attacks against a number of Minecraft servers in 2015 and 2016. These might comprise all-out attacks, but equally might be on-off attacks that take the servers down for 20 minutes or so at a time, intended to harass customers into moving.

The same people, believes Krebs, were also behind the widely reported DDoS attack on French web hosting company OVH. Again, the aim was to take down Minecraft servers hosted by OVH.

For Krebs, finding out who the author(s) of the malware was had become somewhat personal: his own website was knocked offline in a number of massive distributed denial of service attacks from one of the botnets that turned out to be a precursor to Mirai.

"The first clues to Anna Senpai's identity didn't become clear until I understood that Mirai was just the latest incarnation of an IoT botnet family that has been in development and relatively broad use for nearly three years," Krebs wrote.

According to Krebs, Mirai and its precursors infect systems in a similar way to other well-known internet worms.

Krebs suggests that a 17-year-old who was the sole proprietor and employee of a DDoS protection company called Datawagon was connected to another company running a Minecraft server, which benefited from a DDoS attack on its local rival - ProxyPipe.

Krebs claims that the attack on ProxyPipe bore many similarities to the attack on his own website, including the contact over Skype first from the individual behind Datawagon, which Krebs has linked to other DDoS attacks, and the use of an exploit to cripple Skype accounts.

Skype is widely used by companies hosting Minecraft servers to provide support. Hence, crippling their Skype accounts while conducting a DDoS attack means that they don't even have a means of communicating with their customers.

ProxyPipe also identified strong similarities between some of the code in Mirai and code uploaded to another GitHub account, which enabled Coelho and Krebs to make a connection.

Between them, they identified a company called ProTraf, whose president and pretty much only employee was a coder called Paras Jha - who Coelho had worked with in the past on a number of occasions.

"After months of gathering information about the apparent authors of Mirai, I heard from Ammar Zuberi, once a co-worker of ProTraf President Paras Jha.

"Zuberi told KrebsOnSecurity that Jha admitted he was responsible for both Mirai and the Rutgers DDoS attacks. Zuberi said when he visited Jha at his Rutgers University dorm in October 2015, Paras bragged to him about launching the DDoS attacks against Rutgers.

"‘He was laughing and bragging about how he was going to get a security guy at the school fired, and how they raised school fees because of him'," Zuberi recalled. ‘He didn't really say why he did it, but I think he was just sort of experimenting with how far he could go with these attacks.'

"Zuberi said he didn't realise how far Jha had gone with his DDoS attacks until he confronted him about it late last year," writes Krebs.

Zuberi went on to ask Jha straight-out whether he was behind Mirai. "‘He smiled and said yep,' Zuberi recalled. ‘Then he told me he'd recently heard from an FBI agent who was investigating Mirai, and he showed me some text messages between him and the agent. He was pretty proud of himself, and was bragging that he led the FBI on a wild goose chase'," Krebs writes.

The Mirai botnet exploits catastrophic insecurities in a wide range of devices that have unwisely been designed to be connected to the internet. They include, in particular, cheap home security camera systems that are run from a single digital video recorder running Linux.

Users are able to log in to the devices over the internet in order to observe the feeds from the cameras. However, the security on these devices is almost non-existent, the software is dated and updates are rare.
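The exposure just described (a recorder that accepts logins from anywhere on the internet and puts up little resistance to guessed passwords) is something an operator can at least detect from the device's own logs. The following is an added example, not code from the article, from Krebs, or from any device vendor. The DVR log line format, the host name and the addresses in the sample are constructed assumptions; the audit flags successful logins from outside the LAN, repeated failed logins from one source, and a success that follows a run of failures, which is the pattern a credential-guessing attacker leaves behind.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of a hypothetical DVR authentication log (assumed format,
# not output from any real product). 203.0.113.x and 198.51.100.x are
# documentation ranges standing in for internet sources.
SAMPLE_LOG = """\
2016-09-20T02:14:01Z dvr01 auth: login user=admin src=203.0.113.45 result=FAIL
2016-09-20T02:14:02Z dvr01 auth: login user=admin src=203.0.113.45 result=FAIL
2016-09-20T02:14:03Z dvr01 auth: login user=root src=203.0.113.45 result=FAIL
2016-09-20T02:14:04Z dvr01 auth: login user=admin src=203.0.113.45 result=FAIL
2016-09-20T02:14:05Z dvr01 auth: login user=admin src=203.0.113.45 result=FAIL
2016-09-20T02:14:06Z dvr01 auth: login user=admin src=203.0.113.45 result=OK
2016-09-20T08:30:12Z dvr01 auth: login user=owner src=192.168.1.20 result=OK
2016-09-20T09:01:44Z dvr01 auth: login user=owner src=198.51.100.7 result=OK
"""

# Only true LAN / local ranges count as "inside"; everything else is treated as
# internet-facing. Deliberately not ipaddress.is_private, which would also
# swallow the documentation ranges used in the sample above.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class LoginEvent:
    ts: str
    host: str
    user: str
    src: str
    ok: bool


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(LoginEvent(m["ts"], m["host"], m["user"], m["src"],
                                     m["result"] == "OK"))
    return events


def is_lan(addr: str) -> bool:
    """True when the source address lies in one of the local ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_RANGES)


def audit(events: List[LoginEvent], fail_threshold: int = 5) -> List[Tuple[str, str, str]]:
    """Walk the events in order and emit (finding, subject, timestamp) tuples.

    brute_force             : a source reached fail_threshold failed logins
    internet_login          : a successful login from outside the LAN
    success_after_bruteforce: a success from a source already flagged above
    """
    fails = {}
    findings = []
    for e in events:
        if not e.ok:
            fails[e.src] = fails.get(e.src, 0) + 1
            if fails[e.src] == fail_threshold:
                findings.append(("brute_force", e.src, e.ts))
            continue
        subject = f"{e.user}@{e.src}"
        if not is_lan(e.src):
            findings.append(("internet_login", subject, e.ts))
        if fails.get(e.src, 0) >= fail_threshold:
            findings.append(("success_after_bruteforce", subject, e.ts))
    return findings


if __name__ == "__main__":
    for kind, subject, ts in audit(parse_log(SAMPLE_LOG)):
        print(f"{ts} {kind:26} {subject}")
```

The ordering of the checks matters: the failure counter is updated before the success path runs, so a login that lands right after the threshold is crossed is reported twice, once as an internet login and once as the more serious success-after-brute-force finding. The remedy those findings point to is the one the article implies by omission: no remote login reachable from the open internet, and no vendor default password left in place.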

Jha, Rutgers University and the FBI have yet to comment on the claims.