
12/13/2017
04:25 PM
Former Rutgers Student, Two Others Plead Guilty to Operating Mirai Botnet

Trio faces up to five years in federal prison and fines of up to $250,000

Two co-founders of a DDoS mitigation firm in the New York City area and another accomplice have pleaded guilty to their role in creating and using the Mirai botnet to launch massive distributed denial-of-service attacks on several large Internet companies in 2016.

Paras Jha, 21, of Fanwood, NJ; Josiah White, 20, of Washington, Pennsylvania; and Dalton Norman, 21, of Metairie, Louisiana, each face up to five years in prison and $250,000 in fines when they come up for sentencing next year.

Jha and Norman have also pleaded guilty to renting out the botnet to other cybercriminals for click-fraud purposes, another crime with a potential five-year sentence and $250,000 fine. The three plea agreements were entered in the US District Court for the District of Alaska on Dec. 8 and unsealed Wednesday.

Separately, Jha on Dec. 13 also pleaded guilty in a Trenton federal court to repeatedly crashing the computer network at Rutgers University between 2014 and 2016 while he was a computer science major there. Jha, who is out on a $25,000 bond, faces up to 10 years in prison for his attacks on Rutgers, but will likely get less under the terms of his plea agreement.

Raj Samani, chief scientist at McAfee, says developments like this week's plea agreements are important to fighting cybercrime. "Actions such as these send a clear message, whether you are carrying out the campaigns or enabling such activities, that there is no such thing as zero risk," he says.

McAfee recently polled ransomware developers on why they were involved in the activity, and many saw it as a high-reward, low-risk activity, Samani says. "The growth in the as-a-service economy is one of the main motivating factors on the increase of attacks, and this recent news sends a clear message."

The Mirai botnet was the first large-scale DDoS attack network composed almost entirely of infected Internet of Things (IoT) devices such as home routers and Web-connected security cameras and DVRs. Among other things, the malware was designed to conduct attacks against a target's entire range of IP addresses.

DDoS attacks launched with the Mirai botnet crippled or disrupted services at many large Internet companies in fall 2016. One of them, on DNS provider Dyn, affected multiple websites including those belonging to CNN, Twitter, Okta, Netflix, and Reddit. Some of the attacks generated DDoS traffic in excess of 1 Tbps, several orders of magnitude bigger than average DDoS attacks.

In their plea agreements, Jha and White, who operated a small DDoS mitigation firm called ProTraf Solutions, and Norman admitted to developing the Mirai malware and using it to build a massive botnet of infected devices. Between July 2016 and late fall 2016, the Mirai co-authors scanned for and ultimately infected some 300,000 IoT devices worldwide by exploiting previously known and unknown vulnerabilities in the products.

Between August and September last year, the trio then used the botnet to attack several websites and Web hosting companies in the US and elsewhere, and sought to profit from it by offering DDoS mitigation services to some of the victims.

Security blog KrebsOnSecurity, which was the first to identify Jha as one of those potentially behind the attacks, described Jha and White as using the botnet primarily to target the operators of large online gaming servers and try to extort money from them. In addition to using the botnet themselves, the pair actively tried to lease it out to other cybercriminals by, among other things, advertising it on underground forums.

Cover-Up Attempt

Around Sept. 2016, Jha, White, and Norman released the Mirai code into the open in an apparent attempt to create plausible deniability, and then took steps to destroy all evidence of their connection to the malware. The public release of the malware online in turn resulted in the creation of several Mirai variants that were then used by others in separate attacks.

In addition to operating the botnet for DDoS purposes, Jha and Norman also sought to profit from Mirai in other ways. Between Dec. 2016 and February 2017, the two infected some 100,000 IoT devices, primarily in the US, and used them for click fraud. The infected devices were used to send high volumes of view requests to webpages carrying affiliate advertising content, making it appear as though real users had clicked on the ads. Jha and Norman made the equivalent of some $180,000 in bitcoin from the click fraud.

Jha's attacks on Rutgers University's computer network, meanwhile, took place between Nov. 2014 and Sept. 2016 and appeared designed to create maximum disruption for the institution. Among other things, the attacks shut down the university's central authentication server and a portal for delivering assignments and assessments, sometimes for multi-day periods.

John Pescatore, director of emerging security threats at the SANS Institute, says that, as in the physical world, the real deterrent for cybercrime is the possibility of getting caught.

"Whether it is shoplifting, bank robbery, counterfeiting, or ransomware, if the probability of getting caught is seen to be real low, it doesn’t matter if the fine is $5 or $5 million," he says. "In cybercrime, it has been all too easy to get away with. Publicity over those getting caught is important and I think acts as more of a deterrent than does the size of the fine or jail sentence."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
