How Three Teens Created a Botnet That Could Shut Down the Internet

College freshmen may be rightfully annoyed that they don't get to take popular electives. But most of the time they just grumble. Paras Jha was an exception. Angered that seniors were given priority in choosing a computer science course at Rutgers University, Paras decided to crash the registration website so that no one could sign up.

At exactly 10:00 PM on Wednesday, November 19, 2014, just as freshman registration for spring classes had opened, Paras launched his first distributed denial-of-service (DDoS) attack. He assembled an army of roughly forty thousand bots, mostly from Eastern Europe and China, and directed them at Rutgers University’s central authentication server. The botnet sent thousands of fake authentication requests, overwhelming the server. Paras’s classmates were unable to get past the bots and register.

The following semester, Paras tried again. On March 4, 2015, he sent an email to the campus newspaper, The Daily Targum: “You had an article a while back about DDoS attacks on Rutgers University. I was the one attacking the network… I'm attacking the network again at 8:15 PM.” Paras carried out his threat, taking the Rutgers network offline at exactly 8:15 PM.

On March 27, Paras launched another attack on the university. The attack lasted four days and brought campus life to a standstill. Fifty thousand students, faculty, and other staff were unable to access campus computers.

On April 29, Paras posted a message on Pastebin — a website popular with hackers for its ability to send anonymous messages. “Rutgers’ IT department is a joke,” he scoffed. “This is the third time I’ve DDoS’d the university, and every time, their infrastructure gets crushed like an aluminum can underfoot.”

Paras was angry that the university had chosen a small cybersecurity company, Incapsula, to protect it against DDoS attacks. He claimed that the university had simply picked the cheapest vendor. “Just to show you how terrible the quality of the Incapsula network is, I trashed Rutgers University’s network (and parts of Incapsula’s network) in the hopes that it would make you choose another company that knows what they’re doing.”

Paras' fourth attack on the university network, which occurred during final exams, caused chaos and panic on campus. Paras reveled in his ability to take a major public university offline, but his ultimate goal was to force the university to drop Incapsula's services. Paras had set up his own DDoS mitigation service called ProTraf Solutions and wanted the university to ditch Incapsula in favor of him. And he wasn't going to stop attacking the school until that happened.

A Hacker Raised by Minecraft

Paras Jha grew up in Fanwood, New Jersey. When Paras was in third grade, his teacher suggested he be tested for ADHD, but his parents ignored the advice.

As he continued his studies in primary school, his problems increased. Since his intelligence was obvious, teachers and parents attributed his mediocre results to laziness and apathy. Confused, his parents put more and more pressure on him.

Paras found an outlet in computers. At the age of 12, he taught himself to code, and it captivated him. His parents happily accepted his passion, bought him a computer and gave him unlimited access to the Internet. But their indulgence led to Paras becoming even more isolated: he spent all his time coding, playing games, and chatting with online friends.

Paras was especially captivated by the online game Minecraft. In the ninth grade, he switched from playing Minecraft to hosting Minecraft servers. That's when he first encountered DDoS attacks.

Minecraft server administrators often buy DDoS services to knock competitors offline. While studying increasingly complex DDoS attacks, Paras also studied methods of defending against them. Once he had mastered protecting Minecraft servers from attacks, he decided to create ProTraf Solutions.

Paras' obsession with attacking and defending Minecraft servers, along with his untreated ADHD, led to further isolation from his family and school. His poor performance in high school left him frustrated and depressed. His only solace came from anime and the respect of the online Minecraft DDoS community.

Paras' problems turned into complete helplessness when he entered Rutgers University to study computer science. Without his mother's help, he could not manage his daily life on his own. He could not plan his sleep, his schedule, or his studies. In addition, Paras was very lonely. And so he took up hacking.

Paras and his two hacker friends, Josiah White and Dalton Norman, decided to follow in the footsteps of the kings of DDoS – a group called VDoS. This group provided DDoS services to the entire world for four years, which in the cybercrime world is almost an eternity. The decision to take on experienced cybercriminals may seem bold, but in reality they were older than their opponents.

When the VDoS group began providing DDoS services from Israel in 2012, its members were just 14 years old. 19-year-old American teenagers were going to fight 18-year-old Israeli teenagers. The war between the two teenage groups would not only change the nature of malware; their fight for dominance in cyberspace would lead to the creation of a doomsday machine.

The Mirai botnet, despite its destructive potential, was not the work of organized crime or a state-sponsored hacking group — it was created by three teenagers. They sold their botnet to buyers and used it for their own attacks. But the true scale of the danger only became apparent later, when the team published the source code for their malware.

Other developers used it to cause even more damage: they took down Germany's largest ISP, attacked Dyn's DNS servers, stopped millions from using the Internet, and knocked the entire country of Liberia offline, to name just a few incidents.

The Mirai botnet exploited vulnerable Internet of Things devices, such as Internet-connected video cameras with Telnet enabled. The owners of such devices rarely changed the factory-default passwords, so the devices could easily be brute-forced with a dictionary attack.

The first step in creating a botnet is to scan random IP addresses for vulnerable IoT devices whose passwords can be brute-forced. Once found, the addresses of such devices are passed to a “downloader” that writes malware to the vulnerable device. The infected devices, which are located all over the world, can then be used to perform distributed denial-of-service attacks, controlled by a command-and-control (C2) server. When the bots are not attacking a target, they can be used to scan for more vulnerable devices to infect.

Botnet Madness

Botnet malware is useful for financially motivated crime because bot operators can instruct their bots to plant malware on vulnerable machines, send phishing emails, and take part in click-fraud schemes, in which the operator earns money every time a bot clicks on a pay-per-click ad.

Botnets are also a formidable DDoS weapon because they can be pointed at a target and attack it from all directions at once. For example, one February day in 2000, a hacker known as MafiaBoy took down FIFA.com, Amazon.com, Dell, E-Trade, eBay, CNN, and Yahoo, which at the time was the largest search engine on the Internet.

By taking down so many important websites, MafiaBoy became a national threat. President Clinton ordered a national manhunt for him. In April 2000, MafiaBoy was arrested and charged, and in January 2001, he was convicted of 58 counts of denial-of-service attacks. Law enforcement did not reveal MafiaBoy's true identity because this national threat was only 15 years old.

Both MafiaBoy and the VDoS team were teenagers hacking servers. But MafiaBoy did it for fun, and VDoS did it for money. These Israeli teenagers were pioneering entrepreneurs. They helped create a new kind of cybercrime: DDoS as a service. It made it possible for anyone to hack with a click of a mouse, without the need for technical knowledge.

You might be surprised to learn that DDoS service providers were able to advertise openly on the web. After all, DDoSing someone else's website is illegal in every country. To get around this, these so-called booter services claimed to be performing a completely legal function: stress-testing websites for owners who wanted to check their resilience.

In theory, these services do serve an important function. But only in theory. A booter service provider admitted to Cambridge University researchers: “We did try to market these services to a legitimate user base, but we knew where the real money was coming from.”

Botnets of August

Paras dropped out of Rutgers during his sophomore year and, on his father’s advice, spent the next year building his own DDoS-fighting business, ProTraf Solutions. Like a mafia don running a racket under the guise of “protection,” he needed a backup plan. After four DDoS attacks during his junior year, he attacked the school again in September 2015, still hoping that his former school would drop Incapsula. The school didn’t budge.

ProTraf Solutions was slowly sinking, and Paras needed money. In May 2016, Paras approached Josiah White. Like Paras, Josiah was a frequent visitor to hacker forums. When he was fifteen, he developed the core parts of Qbot — a botnet worm that peaked in 2014 and took over half a million computers. Now 18, Josiah switched sides and began fighting DDoS attacks with his friend Paras at ProTraf.

A hacker's command-and-control (C2) server directs the actions of many geographically distributed bots (computers under its control). These computers, which can be IoT devices such as IP cameras, can be directed to flood the victim's servers with unwanted traffic, rendering them unable to respond to legitimate requests.

But Josiah soon returned to hacking and began working with Paras to improve Qbot; together they created a larger, more powerful DDoS botnet. Paras and Josiah then teamed up with 19-year-old Dalton Norman. The trio became a well-oiled team: Dalton found vulnerabilities, Josiah rewrote the botnet malware to exploit them, and Paras wrote the C2, the command-and-control server software through which the botnet was controlled.

However, the trio had competition. Two other DDoS groups, Lizard Squad and VDoS, decided to team up to create a giant botnet. Their partnership, known as PoodleCorp, was a success. The volume of traffic the PoodleCorp botnet could hurl at a target set a record of 400 gigabits per second, almost four times what any botnet before it could achieve.

They used their weapon to attack banks in Brazil and the US, government websites, and Minecraft servers. They got this power by hacking 1,300 webcams connected to the Internet. Webcams usually have powerful processors and a fast network connection, and they are rarely patched. As a result, a botnet built from such cameras had enormous firepower.

While PoodleCorp was growing, Paras, Josiah, and Dalton were working on a new weapon. By early August 2016, the trio had completed the first version of their botnet malware. Paras named the new code Mirai, after the anime series Mirai Nikki.

After Mirai was released, it spread like wildfire. In the first 20 hours, it infected 65,000 devices, doubling in size every 76 minutes. And Mirai had an unsuspecting ally in the botnet war that ensued.

In Anchorage, Alaska, the FBI's Cybersecurity Division opened a case on VDoS. The FBI was unaware of Mirai and its war on VDoS. The agents did not regularly read online resources like hacker forums. They did not know that the target of their investigation was already being destroyed. Nor did the FBI realize that Mirai was about to step into the void.

The leader of the Anchorage investigation was Special Agent Elliot Peterson, a former paratrooper, a quiet, confident agent with cropped red hair. At 33, Peterson had returned to his home state to fight cybercrime.

On September 8, 2016, the FBI's Anchorage and New Haven cybersecurity teams jointly executed a search warrant on the home of a PoodleCorp member from Connecticut who ran the C2 that controlled all of the group's botnets. That same day, Israeli police arrested the founders of VDoS. Suddenly, PoodleCorp ceased to exist.

The Mirai group waited a few days to assess the situation on the battlefield. As far as its members could tell, it was the only botnet left standing. And it was ready to use its new power. Mirai won the war because Israeli and American law enforcement arrested the PoodleCorp executives. But Mirai would have won anyway because it was ruthlessly effective at taking over Internet of Things devices and fighting off competing malware.

A few weeks after the arrests of the VDoS members, Special Agent Peterson found a new target: the Mirai botnet. We don’t know what specific steps the team took to investigate Mirai; the court orders in the case are currently sealed. But from what has been made public, we know that Peterson’s team made its breakthrough the way it always did: with the help of a victim. This time it was cybersecurity researcher Brian Krebs, whose blog was DDoS'd by the Mirai botnet on September 25.

The FBI found the IP addresses of the C2 and the malware-download servers, but did not know who had opened the hosting accounts. Peterson's team likely asked the hosting companies to provide the names, emails, cell phone numbers, and payment methods of the account holders. With that information, they could have sought subpoenas and then search warrants to obtain the contents of the attackers' communications.

Still, hunting down the Mirai authors must have been difficult, given how clever these hackers were. For example, to avoid detection, Josiah didn't just use a VPN. He hacked into a French teenager's home computer and used it as an exit node, so the botnet appeared to receive its orders from that computer. Unfortunately for the owner, he was a big anime fan and therefore matched the psychological profile of the hacker. The FBI and French police only discovered their mistake after raiding the boy's home.

Fall

Having built up the botnet's strength over two months, Paras posted the nearly complete Mirai source code on hacker forums. “I made my money, there are too many eyes on IOT these days, so it’s time to get out,” Paras wrote. By releasing the code, Paras made it possible for anyone to build their own Mirai. And that is exactly what happened.

Releasing the code is a risky move, but not an unusual one. If the police find the source code on a hacker’s devices, he can claim he “downloaded it from the Internet.” Paras’s reckless release of the code was part of a ploy to evade the FBI, which was gathering evidence of Paras’s involvement in Mirai. Although he gave the agent a fictitious story, the FBI’s message probably terrified him.

Mirai had already attracted the interest of the cybersecurity and law enforcement communities. The publication of Mirai's source code, however, drew the attention of the entire United States. The first attack after publication occurred on October 21 and targeted Dyn — a Manchester, New Hampshire-based company that provides Domain Name System (DNS) resolution for much of the East Coast of the United States.

It began at 7:07 a.m. ET with a series of 25-second attacks that are believed to have been tests of the botnet and of Dyn's infrastructure. More sustained attacks followed: one hour, then five hours. Interestingly, Dyn wasn't the only target. Sony's PlayStation gaming infrastructure was also hit. Because of the intensity of the traffic, many other websites were affected as well, including cnn.com, facebook.com, and nytimes.com. For the vast majority of their users, the Internet was unavailable. At 7:00 p.m., another artillery barrage hit Dyn and PlayStation, this time lasting ten hours.

Upon further investigation, the target of the attacks was confirmed. Along with Dyn and PlayStation traffic, the botnet was attacking Xbox Live and Nuclear Fallout game servers. This was not a nation-state attempt to hack the US elections. Someone was trying to kick players off the game servers. Once again, as with MafiaBoy, VDoS, Paras, Dalton, and Josiah, the attacker was a teenager, this time a 15-year-old from Northern Ireland named Aaron Sterritt.

Meanwhile, the Mirai trio exited the DDoS business, as Paras had promised. However, Paras and Dalton did not stop cybercrime. They simply moved on to click fraud.

Click fraud was more profitable than running a booter service. Although Mirai was no longer as large as it once was, the botnet still generated a decent amount of advertising revenue. In one month, Paras and Dalton made as much from click fraud as they had made in their entire DDoS campaign. By January 2017, they had made over $180,000; they had only made $14,000 from DDoS.

If Paras and his friends had simply shut down their booter service and switched to click fraud, the world would likely have forgotten about them. But by publishing the Mirai code, Paras gave birth to copycats. Dyn became the first target for their attacks, and then many more followed. And because of the enormous damage caused by these copycats, law enforcement became very interested in the authors of Mirai.

Having gathered information linking Paras, Josiah, and Dalton to Mirai, the FBI brought them all to Alaska. Peterson's team showed the suspects the evidence and gave them a chance to help the investigation. Given the overwhelming evidence, they all agreed.

Paras Jha was indicted twice, once in New Jersey for the university attack, and once in Alaska for Mirai. Both charges were for violating the Computer Fraud and Abuse Act. Paras faced up to ten years in federal prison for his actions. Josiah and Dalton were only indicted in Alaska, so they each faced five years in prison.

The trio were found guilty. At their sentencing hearings in Anchorage on Sept. 18, 2018, each defendant expressed remorse for their actions. Josiah White’s attorney said he considered Mirai “a huge mistake.”

Unlike Josiah, Paras spoke directly to Judge Timothy Burgess in court. Paras began by taking full responsibility for his actions and expressing deep regret for the harm he had caused his family. He also apologized for the harm he had caused to companies and, in particular, to Rutgers, his faculty, and students.

The Justice Department made an unusual decision — it did not ask for prison time. In its filing, the government noted “the discrepancy between the defendants’ online personas, who were high-profile DDoS attackers, and their relatively mundane ‘real lives,’ where they were immature young adults living with their parents in relative obscurity.” The government recommended five years of probation and 2,500 hours of community service.

The state had another requirement: the community service “must include ongoing cooperation with the FBI in the areas of cybercrime and cybersecurity.” Even before their sentencing, Paras, Josiah, and Dalton had logged nearly 1,000 hours helping the FBI find and apprehend Mirai copycats. They contributed to more than a dozen cases. In one case, the trio helped stop a nationwide hacking ring. They also helped the FBI prevent DDoS attacks aimed at disrupting Christmas shopping. Judge Burgess accepted the state’s recommendations, and the trio avoided prison.

The most poignant part of the hearing came when Paras and Dalton expressed gratitude to each of the people who caught them. “Two years ago, when I met Special Agent Elliot Peterson, I was an arrogant fool who thought I was untouchable. The second time we met, he said something to me that I will never forget: 'You're already in a hole. It's time to stop digging.'” Paras concluded by thanking his family, friends, and Agent Peterson for helping him through it all.

More interesting and educational content in the Telegram channel — @secur_researcher
