Three men have pleaded guilty for their role in creating, operating and selling access to the “Mirai botnet,” a massive army of compromised internet-connected devices used last year to launch numerous distributed denial of service attacks against hosting companies, social media platforms and other online businesses.
The defendants, Paras Jha, Josiah White and Dalton Norman, were each responsible for supporting an elaborate scheme that began with the creation of a scanning tool to find vulnerable devices connected to the internet, infect them with malware and then mobilize them into a cohesive botnet army capable of pushing excessive internet traffic onto a target in order to knock them offline. They guilty pleas were entered in a federal district court in Alaska, the Department of Justice said.
Distributed denial of service attacks typically function through a centralized platform or operator who controls infected computers which can be used to flood digital properties with artificially created internet traffic, thereby causing the targeted websites to malfunction and deny normal visitors.
Wednesday’s revelation shows that the trio considered Mirai, which is the name for both Jha’s personal botnet and the tool used to infect everything from internet-connected security cameras to DVRs, as a valuable business opportunity. Jha advertised and sold access to the Mirai botnet to other hackers, court documents show, while White helped set up servers, designed the scanner and managed the botnet.
Norman worked to develop new exploits and interacted with some customers to ensure Mirai continued to be effective, investigators found. Jha controlled one botnet that he used to extort several victims, demanding payment before ceasing an attack against one unnamed hosting company.
This particularly cybercrime business model meant that third parties could both rent botnets created by the defendants or acquire tools to do it themselves. More than an estimated 300,000 vulnerable devices were affected by Mirai over the last year.
While Mirai has now been publicly attributed to Jha, White and Norman, Mirai’s usage far exceeded three people.
Various buyers sought out Jha hoping to replicate his technique to amass their own botnet armies, court documents note. It’s not yet clear, for example, who was behind most high profile Mirai-linked attack against internet performance management company Dyn.
That DDoS attack caused major internet platforms and services — including Paypal, Reddit, and Twitter — to be unavailable for several hours on October 21, 2016.
The incident became a watershed moment in the broader security industry because the attack saw a historical amount of of internet traffic — 1.1Tbps worth — to bring down services.
In addition to constructing botnets and using them to launch DDoS attacks, Jha, White and Norman profited from click fraud activities. In this situation, the hackers directed infected computers to automatically click on ads, selling the mock traffic as a marketing vehicle to apparent online advertisers.
You can read each of the plea agreements below.