Two co-founders of a DDoS mitigation firm in the New York City area and another accomplice have pleaded guilty to their role in creating and using the Mirai botnet to launch massive distributed denial-of-service attacks on several large Internet companies in 2016.
Paras Jha, 21, of Fanwood, NJ, Josiah White, 20, of Washington, Pennsylvania, and Dalton Norman, 21, of Metairie, Louisiana, each face up to five years in prison and $250,000 in fines when they come up for sentencing next year.
Jha and Norman have also pleaded guilty to renting out the botnet to other cybercriminals for click-fraud purposes, another crime with a potential five-year sentence and $250,000 fine. The three plea agreements were entered in the US District Court for the District of Alaska on Dec. 8 and unsealed Wednesday.
Separately, Jha on Dec. 13 also pleaded guilty in a Trenton federal court to repeatedly crashing the computer network at Rutgers University between 2014 and 2016 while he was a computer science major there. Jha, who is out on a $25,000 bond, faces up to 10 years in prison for his attacks on Rutgers, but will likely get less under the terms of his plea agreement.
Raj Samani, chief scientist at McAfee, says developments like this week's plea agreements are important to fighting cybercrime. "Actions such as these send a clear message, whether you are carrying out the campaigns or enabling such activities, that there is no such thing as zero risk," he says.
McAfee recently polled ransomware developers on why they were involved in the activity, and many saw it as a high-reward, low-risk activity, Samani says. "The growth in the as-a-service economy is one of the main motivating factors on the increase of attacks, and this recent news sends a clear message."
The Mirai botnet was the first large-scale DDoS attack network composed almost entirely of infected Internet of Things (IoT) devices such as home routers and Web-connected security cameras and DVRs. Among other things, the malware was designed to conduct attacks against a target's entire range of IP addresses.
DDoS attacks launched with the Mirai botnet crippled or disrupted services at many large Internet companies in fall 2016. One of them, on DNS provider Dyn, affected multiple websites including those belonging to CNN, Twitter, Okta, Netflix, and Reddit. Some of the attacks generated DDoS traffic in excess of 1 Tbps, several orders of magnitude larger than the average DDoS attack.
In their plea agreements, Jha and White, who operated a small DDoS mitigation firm called ProTraf Solutions, and Norman admitted to developing the Mirai malware and using it to build a massive botnet of infected devices. Between July 2016 and late fall 2016, the Mirai co-authors scanned for and ultimately infected some 300,000 IoT devices worldwide by exploiting previously known and unknown vulnerabilities in the products.
Between August and September last year, the trio then used the botnet to attack several websites and webhosting companies in the US and elsewhere and sought to profit from it by offering DDoS mitigation services to some of the victims.
Security blog KrebsOnSecurity, which was the first to identify Jha as one of those potentially behind the attacks, described Jha and White as using the botnet primarily to target the operators of large online gaming servers and try to extort money from them. In addition to using the botnet themselves, the pair actively tried to lease it out to other cybercriminals by, among other things, advertising it on underground forums.
Around Sept. 2016, Jha, White, and Norman released Mirai code into the open in an apparent attempt to create plausible deniability and then took steps to destroy all evidence of their connection to the malware. The public release of the malware online in turn resulted in the creation of several Mirai variants that were then used by others in separate attacks.
In addition to operating the botnet for DDoS purposes, Jha and Norman also sought to profit from Mirai in other ways. Between Dec. 2016 and February 2017, the two infected some 100,000 IoT devices, primarily in the US, and used them for click fraud. The two used the infected devices to send high volumes of view requests to webpages carrying affiliate advertising content, making it appear that real users had clicked on the ads. Jha and Norman made the equivalent of some $180,000 in bitcoin from the click fraud.
Jha's attacks on Rutgers University's computer network, meanwhile, took place between Nov. 2014 and Sept. 2016, and appeared designed to create maximum disruption for the institution. Among other things, the attacks shut down the university's central authentication server and a portal for delivering assignments and assessments, sometimes for multi-day periods.
John Pescatore, director of emerging security threats at the SANS Institute, says that, as in the physical world, the real deterrent for cybercrime is the possibility of getting caught.
"Whether it is shoplifting, bank robbery, counterfeiting, or ransomware, if the probability of getting caught is seen to be really low, it doesn't matter if the fine is $5 or $5 million," he says. "In cybercrime, it has been all too easy to get away with. Publicity over those getting caught is important and I think acts as more of a deterrent than does the size of the fine or jail sentence."