It was a hard story to miss last year: In France last September, the telecom provider OVH was hit by a distributed denial-of-service (DDoS) attack a hundred times larger than most of its kind. Then, on a Friday afternoon in October 2016, the internet slowed or stopped for nearly the entire eastern United States, as the tech company Dyn, a key part of the internet’s backbone, came under a crippling assault.
As the 2016 US presidential election drew near, fears began to mount that the so-called Mirai botnet might be the work of a nation-state practicing for an attack that would cripple the country as voters went to the polls. The truth, as made clear in that Alaskan courtroom Friday—and unsealed by the Justice Department on Wednesday—was even stranger: The brains behind Mirai were a 21-year-old Rutgers college student from suburban New Jersey and his two college-age friends from outside Pittsburgh and New Orleans. All three—Paras Jha, Josiah White, and Dalton Norman, respectively—admitted their role in creating and launching Mirai into the world.
Originally, prosecutors say, the defendants hadn’t intended to bring down the internet—they had been trying to gain an advantage in the computer game Minecraft. “They didn’t realize the power they were unleashing,” says FBI supervisory special agent Bill Walton. “This was the Manhattan Project.” Unraveling the whodunit of one of the internet’s biggest security scares of 2016 led the FBI through a strange journey into the underground DDoS market, the modern incarnation of an old neighborhood mafia-protection racket, where the very guys offering to help today might actually be the ones who attacked you yesterday.
Then, once the FBI unraveled the case, they discovered that the perpetrators had already moved onto a new scheme—inventing a business model for online crime no one had ever seen before, and pointing to a new, looming botnet threat on the horizon. The first rumors that something big was beginning to unfold online came in August 2016. At the time, FBI special agent Elliott Peterson was part of a multinational investigative team trying to zero in on two teens running a DDoS attack-for-hire service known as vDOS. It was a major investigation—or at least it seemed so at the time.
Yet as that case proceeded, the investigators and the small community of security engineers who protect against denial-of-service attacks began to hear rumblings about a new botnet, one that eventually made vDOS seem small. As Peterson and industry colleagues at companies like Cloudflare, Akamai, Flashpoint, Google, and Palo Alto Networks began to study the new malware, they realized they were looking at something entirely different from what they’d battled in the past. Whereas the vDOS botnet they’d been chasing was a variant of an older IoT zombie army—a 2014 botnet known as Qbot—this new botnet appeared to have been written from the ground up. And it was good.
“From the initial attacks, we realized this was something very different from your normal DDoS,” says Doug Klein, Peterson’s partner on the case. The new malware scanned the internet for dozens of different IoT devices that still used the manufacturers’ default security setting. Since most users rarely change default usernames or passwords, it quickly grew into a powerful assembly of weaponized electronics, almost all of which had been hijacked without their owners’ knowledge.
“The security industry was really not aware of this threat until about mid-September. Everyone was playing catch-up,” Peterson says. “It’s really powerful—they figured out how to stitch together multiple exploits with multiple processors. They crossed the artificial threshold of 100,000 bots that others had really struggled with.” It didn’t take long for the incident to go from vague rumblings to global red alert.
Mirai shocked the internet—and its own creators, according to the FBI—with its power as it grew. Researchers later determined that it infected nearly 65,000 devices in its first 20 hours, doubling in size every 76 minutes, and ultimately built a sustained strength of between 200,000 and 300,000 infections. “These kids are super smart, but they didn’t do anything high level—they just had a good idea,” the FBI’s Walton says. “It’s the most successful IoT botnet we’ve ever seen—and a sign that computer crime isn’t just about desktops anymore.”
Targeting cheap electronics with poor security, Mirai amassed much of its strength by infecting devices in Southeast Asia and South America; the four main countries with Mirai infections were Brazil, Colombia, Vietnam, and China, according to researchers. As a team of security professionals later concluded, dryly, “Some of the world’s top manufacturers of consumer electronics lacked sufficient security practices to mitigate threats like Mirai.”
At its peak, the self-replicating computer worm had enslaved some 600,000 devices around the world—which, combined with today’s high-speed broadband connections, allowed it to harness an unprecedented flood of network-clogging traffic against target websites. It proved particularly tough for companies to fight against and remediate, too, as the botnet used a variety of different nefarious traffic to overwhelm its target, attacking both servers and applications that ran on the servers, as well as even older techniques almost forgotten in modern DDoS attacks.
On September 19, 2016, the botnet was used to launch crushing DDoS attacks against French hosting provider OVH. Like any large hosting company, OVH regularly saw small-scale DDoS attacks—it noted later that it normally faces 1,200 a day—but the Mirai attack was unlike anything anyone on the internet had ever seen, the first thermonuclear bomb of the DDoS world, topping out at 1.1 terabits per second as more than 145,000 infected devices bombarded OVH with unwanted traffic. The company’s CTO tweeted about the attacks afterward to warn others of the looming threat.
Until then, a large DDoS attack was often considered to be 10 to 20 gigibits per second; vDOS had been overwhelming targets with attacks in the range of 50 Gbps. A follow-on Mirai attack against OVH hit around 901 Gbps. Mirai was particularly deadly, according to court documents, because it was able to target an entire range of IP addresses—not just one particular server or website—enabling it to crush a company’s entire network. “Mirai was an insane amount of firepower,” Peterson says. And no one had any idea yet who its creators were, or what they were trying to accomplish.
Through September, the inventors of Mirai tweaked their code—researchers were later able to assemble 24 iterations of the malware that appeared to be primarily the work of the three main defendants in the case—as the malware grew more sophisticated and virulent. They actively battled the hackers behind vDOS, fighting for control of IoT devices, and instituting kill procedures to wipe competing infections off compromised devices—natural selection playing out at internet speed. According to court documents, they also filed fraudulent abuse complaints with internet hosts associated with vDOS.
“They were trying to outmuscle each other. Mirai outperforms all of them,” Peterson says. “This crime was evolving through competition.” Whoever was behind Mirai even bragged about it on hacker bulletin boards; someone using the moniker Anna-senpai claimed to be the creator, and someone named ChickenMelon talked it up as well, hinting that their competitors might be using malware from the NSA.
Days after OVH, Mirai struck again, this time against a high-profile technology target: security reporter Brian Krebs. The botnot blasted Krebs’ website, Krebs on Security, knocking it offline for more than four days with an attack that peaked at 623 Gbps. The assault was so effective—and sustained—that Krebs’ longtime DDoS mitigation service, Akamai, one of the largest bandwidth providers on the internet, announced it was dropping Krebs’ site because it couldn’t bear the cost of defending against such a massive barrage. The Krebs attack, Akamai said, was twice the size of the largest attack it had ever seen before.
Whereas the OVH attack overseas had been an online curiosity, the Krebs attack quickly pushed the Mirai botnet to the FBI’s front burner, especially as it seemed likely that it was retribution for an article Krebs had published just days earlier about another DDoS-mitigation firm that appeared to be engaged in nefarious practices, hijacking web addresses that it believed were being controlled by the vDOS team.
“This is strange development—a journalist being silenced because someone has figured out a tool powerful enough to silence him,” Peterson says. “That was worrisome.” The IoT attacks began to make big headlines online and off; media reports and security experts speculated that Mirai might have the fingerprints of a looming attack on the internet’s core infrastructure.
“Someone has been probing the defenses of the companies that run critical pieces of the internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down,” wrote security expert Bruce Schneier in September 2016. “We don’t know who is doing this, but it feels like a large nation-state. China or Russia would be my first guesses.”
Behind the scenes, the FBI and industry researchers raced to unravel Mirai and zero in on its perpetrators. Network companies like Akamai created online honeypots, mimicking hackable devices, to observe how infected “zombie” devices communicated with Mirai’s command-and-control servers. As they began to study the attacks, they noticed that many of the Mirai assaults had appeared to target gaming servers. Peterson recalls asking, “Why are these Minecraft servers getting hit so often?”
The game, a three-dimensional sandbox with no particular goals, allows players to construct entire worlds by “mining” and building with cartoonish pixelated blocks. Its comparatively basic visual appeal—it has more in common with the first-generation videogames of the 1970s and 1980s than it does the polygon-intense lushness of Halo or Assassin’s Creed—belies a depth of imaginative exploration and experimentation that has propelled it to be the second-best-selling videogame ever, behind only Tetris. The game and its virtual worlds were acquired by Microsoft in 2014 as part of a deal worth nearly $2.5 billion, and it has spawned numerous fan sites, explanatory wikis, and YouTube tutorials—even a real-life collection of Minecraft-themed Lego bricks.
It has also become a lucrative platform for Minecraft entrepreneurs: Inside the game, individual hosted-servers allow users to link together in multiplayer mode, and as the game has grown, hosting those servers has turned into big business—players pay real money both to rent “space” in Minecraft as well as purchase in-game tools. Unlike many massive multiplayer games where every player experiences the game similarly, these individual servers are integral to the Minecraft experience, as each host can set different rules and install different plug-ins to subtly shape and personalize the user experience; a particular server, for instance, might not allow players to destroy one another’s creations.
As Peterson and Klein explored the Minecraft economy, interviewing server hosts and reviewing financial records, they came to realize how amazingly financially successful a well-run, popular Minecraft server could be. “I went into my boss’s office and said, ‘Am I crazy? It looks like people are making a ton of money,’” he recalls. “These people at the peak of summer were making $100,000 a month.”
The huge income from successful servers had also spawned a mini cottage industry of launching DDoS attacks on competitors’ servers, in an attempt to woo away players frustrated at a slow connection. (There are even YouTube tutorials specifically aimed at teaching Minecraft DDoS, and free DDoS tools available at Github.) Similarly, Minecraft DDoS-mitigation services have sprung up as a way to protect a host’s server investment. The digital arms race in DDoS is inexorably linked to Minecraft, Klein says.
“We see so many attacks on Minecraft. I’d be more surprised sometimes if I didn’t see a Minecraft connection in a DDoS case,” he says. “You look at the servers—those guys are making huge money, so it’s in my benefit to knock your server offline and steal your customers. The vast majority of these Minecraft servers are being run by kids—you don’t necessarily have the astute business judgment in the quote-unquote ‘executives’ running these servers.”
As it turned out, French internet host OVH was well-known for offering a service called VAC, one of the industry’s top Minecraft DDoS-mitigation tools. The Mirai authors attacked it not as part of some grand nation-state plot but rather to undermine the protection it offered key Minecraft servers. “For a while, OVH was too much, but then they figured out how to even beat OVH,” Peterson says.
This was something new. Whereas gamers had become familiar with one-off DDoS attacks by booter services, the idea of DDoS as a business model for server hosts was startling. “This was a calculated business decision to shut down a competitor,” Peterson says. “They just got greedy—they thought, ‘If we can knock off our competitors, we can corner the market on both servers and mitigation,’” Walton says.
In fact, according to court documents, the primary driver behind the original creation of Mirai was creating “a weapon capable of initiating powerful denial-of-service attacks against business competitors and others against whom White and his coconspirators held grudges.” Once investigators knew what to look for, they found Minecraft links all over Mirai: In an less-noticed attack just after the OVH incident, the botnet had targeted ProxyPipe.com, a company in San Francisco that specializes in protecting Minecraft servers from DDoS attacks.
“Mirai was originally developed to help them corner the Minecraft market, but then they realized what a powerful tool they built,” Walton says. “Then it just became a challenge for them to make it as large as possible.”
Read Full Story Here