Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/13/2017
04:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Former Rutgers Student, Two Others Plead Guilty to Operating Mirai Botnet

Trio faces up to five years in federal prison and fines of up to $250,000

Two co-founders of a DDoS mitigation firm in the New York City area and another accomplice have pleaded guilty to their role in creating and using the Mirai botnet to launch massive distributed denial-of-service attacks on several large Internet companies in 2016.

Paras Jha, 21 of Fanwood, NJ, Josiah White, 20, of Washington, Pennsylvania, and Dalton Norman, 21, of Metairie, Louisiana, each face up to five years in prison and $250,000 in fines when they come up for sentencing next year.

Jha and Norman have also pleaded guilty to renting out the botnet to other cybercriminals for click-fraud purposes- another crime with a potential five-year sentence and $250,000 fine. The three plea agreements were entered in the US District Court for the District of Alaska Dec. 8 and unsealed Wednesday.

Separately, Jha on Dec. 13 also pleaded guilty in a Trenton federal court to repeatedly crashing the computer network at Rutgers University between 2014 and 2016 while he was computer science major there. Jha, who is out an a $25,000 bond, faces up to 10 years in prison for his attacks on Rutgers, but will likely get less under the terms of his plea agreement.

Raj Samani, chief scientist at McAfee, says developments like this week's plea agreements are important to fighting cybercrime. "Actions such as these send a clear message, whether you are carrying out the campaigns or enabling such activities that there is no such thing as zero risk," he says.

McAfee recently polled ransomware developers on why they were involved in the activity and many saw it as a high-reward, low-risk activity, Samani says. "The growth in the as-a-service economy is one of the main motivating factors on the increase of attacks, and this recent news sends a clear message."

The Mirai botnet was the first large-scale DDoS attack network comprised almost entirely of infected Internet of Things (IoT) devices such as home routers and Web-connected security cameras and DVRs. Among other things, the malware was designed to conduct attacks against a target's entire range of IP addresses.

DDoS attacks that were launched with the Mirai botnet crippled or disrupted services at many large Internet companies in fall 2016. One of them, on Domain Name Services provider Dyn, affected multiple websites including those belonging to CNN, Twitter, Okta, Netfix, and Reddit. Some of the attacks generated DDoS traffic in excess of 1 Tbps, several magnitudes bigger than average DDoS attacks.

In their plea agreement, Jha and White - who operated a small DDoS mitigation firm called ProTraf Solutions – and Norman, admitted to developing the Mirai malware and using it to build a massive botnet of infected devices. During a period between July 2016 and late fall 2016, the Mirai co-authors scanned for and ultimately infected some 300,000 IoT devices worldwide, by exploiting previously known and unknown vulnerabilities in the products.

Between August and September last year, the trio then used the botnet to attack several websites and webhosting companies in the US and elsewhere and sought to profit from it by offering DDoS mitigation services to some of the victims.

Security blog KrebsOnSecurity, which was the first to identify Jha as being one of those potentially behind the attacks, described Jha and White as using the botnet to primarily target the operators of large online gaming servers to try and extort money from them. In addition to using the botnet themselves, the pair actively tried to lease the botnet out to other cybercriminals by among things, advertising it on underground forums.

Cover-Up Attempt

Around Sept. 2016, Jha, White, and Norman released Mirai code into the open in an apparent attempt to create plausible deniability and then took steps to destroy all evidence of their connection to the malware. The public release of the malware online in turn resulted in the creation of several Mirai variants that were then used by others in separate attacks.

In addition to operating the botnet for DDoS purposes, Jha and Norman also sought to profit from Mirai in other ways. Between Dec. 2016 and February 2017, the two individuals infected some 100,000 IoT devices primarily in the US and used them for click fraud purposes. Basically, the two individuals used the infected devices to send high volumes of view requests to webpages with affiliate advertising content to make it appear like real users had clicked on the ads. Jha and Norman made the equivalent of some $180,000 in bitcoin from the click fraud.

Jha's attacks on Rutgers University's computer network, meanwhile, took place between Nov. 2014 and Sept. 2016, and appeared designed to create maximum disruption for the institution. Among other things, the attacks shut down the university's central authentication server and a portal for delivering assignments and assessments, sometimes for multi-day periods.

John Pescatore, director of emerging security threats at the SANS Institute, says that as with the real world, the real deterrent for cybercrime is the possibility of getting caught.

"Whether it is shoplifting, bank robbery, counterfeiting, or ransomware, if the probability of getting caught is seen to be real low, it doesn’t matter if the fine is $5 or $5 million," he says. "In cybercrime, it has been all too easy to get away with. Publicity over those getting caught is important and I think acts as more of a deterrent than does the size of the fine or jail sentence."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7751
PUBLISHED: 2020-10-26
This affects all versions of package pathval.
CVE-2020-27678
PUBLISHED: 2020-10-26
An issue was discovered in illumos before 2020-10-22, as used in OmniOS before r151030by, r151032ay, and r151034y and SmartOS before 20201022. There is a buffer overflow in parse_user_name in lib/libpam/pam_framework.c.
CVE-2020-27388
PUBLISHED: 2020-10-23
Multiple Stored Cross Site Scripting (XSS) vulnerabilities exist in the YOURLS Admin Panel, Versions 1.5 - 1.7.10. An authenticated user must modify a PHP plugin with a malicious payload and upload it, resulting in multiple stored XSS issues.
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.