Brian Krebs Uncovers Mirai Botnet Author

Really interesting investigative story.

Posted on January 18, 2017 at 5:06 PM • 19 Comments

Comments

Daniel • January 18, 2017 6:22 PM

I have two ruminations to share after reading that article. The first is that I am more convinced than ever before that @Bruce's article "Data is a Toxic Asset, So Why Not Throw It Out?" illuminates only half the problem. More and more I find myself asking the question: If data is a toxic asset, why create it in the first place? This is especially true when one is using any form of asynchronous communication such as e-mail, forums, blog posts, anything where information is stored by a third party. Brian's job would have been much more difficult, if not impossible, if these blabbermouths had not posted on forums where their posts could be retrieved years later by a hostile party.

The second reflection is that it is difficult to play both defense and offense when it comes to computer security: those who are effective hackers seem to be remarkably bad at hiding their tracks. Maybe this is an effect of publicity: one never hears about the individuals who are great at both offense and defense. It is nevertheless striking that one of Brian's key pieces of evidence lies in the fact that the botnet author copied and pasted his unique set of programming languages from a publicly available on-line profile to an underworld forum. Avoiding this type of cross-contamination is basic op-sec.

In other words, just like the detectives involved in the Silk Road caper, Brian deserves significant praise for his incisive and diligent detective work. At the same time, one has to wonder when cyber-criminals are going to stop being so stupid and stop posting their shit all over the internet where everyone can find it?!

Just Passin' Thru • January 18, 2017 7:54 PM

I remember Bruce, a few months ago, reporting here that botnets were systematically probing for DDOS vulnerabilities.

After reading Brian Krebs' account, I wonder if any of the Murai botnet's activities could have been interpreted as this probing.

At the end of the article, which included discussion of SuperMicro hardware involvement in the botnet attacks, I thought it noteworthy when commenter Allan Jude noted:

SuperMicro is a manufacturer of servers, mostly motherboards. The flaw was in the BMC (Baseboard management controller), which is a system that allows administrators to remotely control servers when the OS is not working.

It is the basis of systems like Dell’s DRAC, and HP’s iLO. Allowing you to power cycle the server, access the control, etc.

Going back over the article, I found that Brian had included a link sourcing this BMC problem: http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/

The article is a good read; I'd recommend it.

Eugene • January 18, 2017 9:08 PM

Bruce, thank you for an amazing blog! One small point - it's "Mirai", not "Murai".

Jim K • January 18, 2017 9:24 PM

Daniel,
You know, most of the crims I have met were just not very bright. They were not capable of operating in normal society and ended up on the fringes.
If there were legal pathways to a good life, they would have taken them. That's no excuse, but there is a degree of selection bias.

Just Passin' Thru • January 19, 2017 12:05 AM

@Desmond Brennan

You are right about possible meat puppets. But I think that Ammar Zuberi is not going to be protected by the Dubai government, and has allegedly admitted to lying to the FBI. I'd bet his time as a free man is limited...

keiner • January 19, 2017 1:23 AM

@Eugene

It's a pattern, with these "typos". Just not to be found by search engines on this topic. Minimizes your risk surface ;-)

Clive Robinson • January 19, 2017 1:38 AM

@ Daniel,

At the same time, one has to wonder when cyber-criminals are going to stop being so stupid and to stop posting their shit all over the internet where everyone can find it?!

It appears that over four out of five low end criminals who get their collars felt by the LEOs bragged loud enough to be "grassed up" by other criminals.

Also from the Krebs article, those involved are teenage males. Reading between the lines, they are socially inept and have at best a basic understanding of how the world works. They have a fragile ego issue and resent anyone who they feel does not give them "respect". Put simply, they've not learnt to listen and show interest in others, so others tend to ignore them.

Some do learn to listen and learn and grow up quickly before they get into serious trouble, others just get lucky and don't make sufficient mistakes or noise to attract attention from the authorities.

The ones you don't see are those that don't do it for the ego / bragging, and keep their contact with others minimal and are sufficiently broad in outlook to realise how to keep below the grass line.

65535 • January 19, 2017 3:24 AM

These relatively young and belligerent guys think they can be handed a get-out-of-jail-free card. They use “bulletproof hosters” in non-Five Eyes jurisdictions, doing millions of dollars in damages, yet they are in the USA and not sanctioned.

Supermicro’s undocumented backdoor – in plain text – in their Out-of-Band Management/Baseboard controller is a kick in the crotch to those people who bought “Security” cameras and other products for security – which are not secure. That is a real knife in the back for these purchasers and the Mirai victims [and bystanders].

There are horribly loose rules regarding domain name registrars and the Internet Assigned Numbers Authorities… gag… choke in particular in the Mideast and East Asian countries. The domain names don't go to a real address in many cases.

To rub salt into the wound, Border Gateway Protocol is so flimsy that it in and of itself invites BGP hijacking. Some people say IP addresses are not real but just “logical”, which leads to their location in certain countries being inaccurate. I am starting to think that is the case.

https://en.wikipedia.org/wiki/BGP_hijacking

The IoT junk on the market is really that – junk. That stuff is a public nuisance/spy device/bit spewer which will take decades to clean up.

Last, if these 19 year old kids can does this type of damage imagine what a well funded state sponsored spy agency could do?

r • January 19, 2017 5:25 AM

@keiner,

Interesting supposition, likely a good defensive measure considering how the modern typos have reacted in recent history.

Dirk Praet • January 19, 2017 12:09 PM

Fascinating stuff, one of the more interesting takeaways being that the suspected botnet owner used both Gmail and Skype to communicate. Which begs the question: What was the FBI doing? Isn't this the exact sort of thing they get paid for? Or does it only become interesting when folks grow up and start crippling critical infrastructure instead of taking out universities, Minecraft servers and competitors?

And before anyone asks: yes, that's some pretty solid attribution here. Hat tip to Brian Krebs for some excellent investigative work.

Beefstruts • January 19, 2017 2:11 PM

What's interesting to me as a curmudgeon is that bragging on forums gets punks caught more than any other single factor in this whole investigation.

r • January 19, 2017 5:32 PM

@Max,

But yet, we know the NSA and various terrorist cells survive within the confines of Second Life(?) right?

Drone • January 19, 2017 6:47 PM

If he keeps on outing 'em like this, Krebs best get himself a few Tachikoma for protection! Just make sure they're not connected to anything (including each other).

Drone • January 19, 2017 7:16 PM

@65535

"...if these 19 year old kids can does (sic) this type of damage imagine what a well funded state sponsored spy agency could do?"

Not much...

Considering that the "well funded state sponsored spy agency" with its billions of taxpayer dollars and thousands of taxpayer-funded employees couldn't find the Murai creator; but one taxpayer citizen-blogger could.

Please wake up...

The "well funded state sponsored spy agency" is not about protecting you - it is about controlling you.

CallMeLateForSupper • January 20, 2017 10:02 AM

@Drone
"Considering that the "well funded state sponsored spy agency" [...] couldn't find the Murai [sic] creator; but one taxpayer citizen-blogger could."

I think your "couldn't" should be "did not". The fact (as far as we know) that they did not does not prove that they could not. It is well known that state-sponsored intell. critters put a very low priority on keeping the public briefed on .... pretty much anything.

And your "could" should be "did".

Addendum • January 20, 2017 12:15 PM

@Dirk Praet

And before anyone asks: yes, that's some pretty solid attribution [of teenaged cutouts] here.
