Details on the Mirai Botnet Authors

Brian Krebs has a long article on the Mirai botnet authors, who pled guilty.

Posted on December 20, 2017 at 6:10 AM • 20 Comments


Petre Peter • December 20, 2017 10:15 AM

Remember! In order to make security work I have to know what makes technology work and what makes technology fail. Once I do, I should take the equivalent of the Hippocratic oath that I won't use the knowledge as a vice. Bug bounty and bailouts are part of a vice that will add bug detectors to all restaurants and will make everyone guilty until proven innocent. "Server, there is a bug in my food". Let's not bring back the depression era through depressed keyboards. A remote can be used for control or for an attack. I hope remote cache sites like Akamai do not get caught in the middle.

hmm • December 20, 2017 1:19 PM

I love a happy ending.

I especially loved how Paras got caught cross-bragging on his anime fanboy forum account.

Brian deserves a standing ovation from the internet. Civil service award, something.

Deputize this man.

Iggy • December 20, 2017 3:01 PM

Kudos @Brian Krebs, yeoman's work worthy of a royal reward.

Until we all use one code to uniformly raise good people by, we will be the feast they expend calories devising to consume as we pay their way.

Wael • December 20, 2017 9:16 PM

@Brian Krebs,

Excellent. You could write a book à la 'The Cuckoo's Egg' on the topic: The Minecraft Gang: Tracking Scumbags Through the Maze of Compromised IoT Devices. Or something like that.

echo • December 21, 2017 5:00 AM

It's interesting to note how communications channels can be overwhelmed and devices exploited, and a data trail uncovered leading back to the perpetrators.

In the UK we very rarely get to read a story such as Brian Krebs tells. It's almost as if the UK has a law saying that individual heroes are a crime. I have picked up from reading essays and watching YouTube videos discussing the development of modern military strategies within an economic context, and daresay the reasons are historical and cultural. Notably, from reading Brian's article it seems the targets were also different? Consumer and commercial targets versus institutions and banking?

Steve • December 21, 2017 8:28 AM

Of course, the real perps are still at large.

"Real perps?" you ask.

Yes, the perps that built the hardware and software with the gaping exploitable security holes which allowed this particular bit of idiocy to occur.

Some of you here might have been around long enough to remember the first Internet worm from 1988, the so-called "RTM Worm," a student hack that got out of hand, Sorcerer's Apprentice style. A Cornell grad student, Robert T Morris, was trying to map the Internet and let loose a self-replicating "worm" that exploited a few known bugs in the relatively small ecosystem of machines which comprised the Internet at the time, mostly Digital Equipment VAXes and some smallish Sun Microsystems desktop machines.

Morris was convicted of a felony for his screwup, though he didn't do any actual prison time, just probation, community service and a fine.

I've always felt that while Morris probably did deserve some punishment, the real culprits in the case were the Unix vendors who shipped a copy of sendmail with their distributions which contained a well known security bug.

Like homeowners who fail to fence in their swimming pools properly, those who knowingly sell or distribute such defective products, in my opinion, should be culpable for providing what's known in legal terms as an attractive nuisance.

Clive Robinson • December 21, 2017 9:57 AM

@ Steve,

Robert T Morris, was trying to map the Internet

Some of us were around at the time, and RTM is younger than our host. I don't think any of us believed the "map the Internet" story. Especially as he said something else at trial...

Yes, RTM made a mistake in the design of the worm in that there was a forced reinfection 1 in 7 times irrespective of whether a machine was already infected or not. But those cleaning it up also made mistakes. If there had been a coordinated re-boot of infected machines it would have died on the spot. Likewise, just an unplug from the Arpanet and a reboot of the vulnerable machines would likewise have cleaned it up fairly quickly and undramatically.

Though the real issue was, and still is, not fixing known weaknesses in standards, protocols and implementations. Supposedly out of fear of breaking existing systems. Well, surprise surprise, they get broken anyway; not doing anything just builds up massive, almost existential amounts of technical debt...

We also knew who Robert's old man was and thus where the knowledge of the vulnerabilities "probably" came from indirectly...

However, as Bob senior incorrectly remarked after the trial, it was "not going to look good on his resume"... RTM is now a tenured Prof, and founder of one or two quite profitable ventures including Y-Combinator. At least his father lived long enough to see RTM become not just a respected individual but independently wealthy and a success in academia, so disproving his post-trial words.

hmm • December 21, 2017 12:54 PM

Steve that's akin to saying Henry Ford is culpable because someone stole your car and drove it into a ditch.

The internet is chock full of known flaws. Every electronic device has bugs ongoing.
Find one that doesn't and let's get it into the Guinness book.

Steve • December 21, 2017 6:20 PM

@Clive Robinson: You may certainly be correct that the motivation was different than the Wikipedia article cites. If so, I stand corrected. I was around for the whole hoohah as a staffer at one of the NSF supercomputer centers at the time and I don't recall that defense being raised, but I didn't pay an extremely close amount of attention to the trial. For the record, I'm also older than RTM and probably older than our esteemed host as well, as if that qualifies me in any substantive manner.

@hmm: Well, no. It's more like a bartender selling drinks to an already intoxicated patron and then having that patron get into a car and crash into a schoolbus. There's such a thing as contributory negligence.

There's a substantive difference between selling a product which later is found to have a defect and selling a product which is known to have a defect.

Just ask Ford Motor Company about the Pinto.

While a security bug in a webcam isn't the same as an exploding gas tank, eventually one of these known bugs is going to get someone. . . or a lot of someones killed.

65535 • December 21, 2017 8:56 PM

@ Brian Krebs

I was intrigued by your dedication to the Mirai worm and your unrelenting search for the malefactor. Your clues homed in on a profile of coding skills including C through C#, Golang (the Google language), Java, PHP, x86 ASM, JavaScript and CSS to HTML. I believe you actually successfully ID'd Paras Jha. The authorities took it from there.

I will note Jha was fairly careful, tricky and ruthless. He used classic extortion techniques by playing both sides of the DDOS game, as a defender and as an attacker. You said it was like calling a fireman to put out a fire he had started.

Jha cleverly led the FBI on a wild goose chase by releasing his own code to cover his tracks. He also made good money in the process, which will pay for his attorney's fees.

In the end the third person Dalton Norman probably made at least as much money as Jha.

You were not clear as to who found all the hard-coded credentials of those IoT devices and the internet-facing telnet, ssh or other undocumented entrances in the IoT devices and accelerated the infection. Undocumented hard-coded passwords are a big problem. Was it Josiah White?

I believe that if all undocumented hard-coded credentials and front-facing interfaces were clearly documented, the DDOS game would have been much smaller.

As for your dismay at the slap on the wrist that kid Chappell got, don't discount the money he had made to hire high-powered defense attorneys. That can be a critical role in beating a rap. The UK is showing the hacking world that crime pays. That is a travesty. Keep up the great reporting.

hmm • December 22, 2017 1:09 AM

"He used classic extortion techniques by playing both sides of DDOS game as a defender and as an attacker."

You understand the US Republican tax policy vis a vis the deficit/debt...

Clive Robinson • December 22, 2017 1:57 AM

@ Steve,

For the record, I'm also older than RTM and probably older than our esteemed host, as well, as if that qualifies me in any substantive manner.

Welcome to the club; there are a few of us "self-confessed old timers" creaking around ;-)

I have a number of memories from the early "Hacking" events, and some I was not far from the epicenter of, but natural caution plus youthful paranoia kept me out of certain peoples clutches.

BT for instance tried to get me to "demonstrate" to their "technical experts"... As I'd given fairly precise instructions I smelt a large rodent at work[1], so I basically sent a rude message back about their level of competence.

A little while later two people I knew quite well told me about others I knew less well, but was on first-name terms with, who were going to report a failing in security by BT to BT via Micronet 800 and David Babski (who had tried to get me)[1]. They were invited to do a demonstration. I told them to steer well clear and why; they basically downplayed my concern and decided to do the demo. I told my closer friends, including another journalist Dave Janda, to "duck and run". Anyway, the upshot is that Steve Gold (RIP) and Robert Schifreen got arrested for the demonstration on the BT Prestel Service (not the entirely different service BT Gold that I came close to having my collar felt for, and which most modern journalists and writers confuse). Eventually they cleared their names, in part because as Robert was a journalist he got a lot of favourable reporting. I suspect I would not have been so lucky.

What BT Prestel did still surprises even today... In essence they wrote their software such that passwords were stored in plaintext on the host machine... But worse, they also set up a "test server" (Pandora) for those developing "bulk update" software for the BBC Micro etc. The front page of Pandora gave you details of how to login as a system admin. Rather than make a "clean install" of Pandora they simply pulled and used a backup tape of an active customer server. Thus that plaintext password file became available to anyone who knew the publicized dial-up number of Pandora.

[1] David Babski was actually a quite loathsome individual in many ways, and his level of "office banter" and "horseplay" would get him star billing these days as a sex pest. Although the technology of the time was a bit flaky, it almost always got worse when he touched it. But for someone who was supposed to have the "teen vibe" --in what would be later called the hacker community-- in the 1980's he was well off the mark and ridiculed and aped by most. His secretary, who was the girlfriend of a close friend, often advised people not to turn their back on him or allow him to get between them and the door. Anyway, if you search online you can find references to some of his disastrous tech demos. One is,

Clive Robinson • December 22, 2017 10:40 AM

@ Steve,

One final thought: You can't spell "idiot" without "IoT."

You forgot the silent "collected" after ID ;-)

A Nonny Bunny • January 13, 2018 2:26 PM

Mr. Schneier, please, the past tense of plead is pleaded.
According to the dictionary both "pled" and "pleaded" are used.
