Three men have pleaded guilty to building and running the Mirai botnet that was used to take down large swaths of the internet last year. Federal indictments unsealed this week reveal that Paras Jha pleaded guilty to six charges related to creating and operating Mirai in the US District Court for Alaska on November 28. Along with Jha, Dalton Norman and Josiah White have also agreed to plead guilty to using the Mirai botnet for criminal purposes.
Jha is a 21-year-old Rutgers University computer science student from New Jersey. His co-conspirator, White, is a 20-year-old from Washington, Pennsylvania. The two ran a company that advertised itself as helping companies defend against DDoS attacks. Jha was first identified as a likely suspect by Brian Krebs, a well-known security researcher and journalist. He and White are likely the authors of the Mirai malware, which has since been used by other criminals as well to enslave Internet of Things devices for use in large-scale DDoS attacks.
The Mirai malware that Jha and White used to enslave hundreds of thousands of devices was used last year to disrupt access to much of the web. Jha has said that they infected more than 300,000 devices and used them to carry out distributed denial of service (DDoS) attacks and other criminal activities. According to reports, the two would first launch DDoS attacks against their targets and then, through their company, either extort money or sell their services to help the victims defend against those attacks.
Mirai Botnet wasn't only used to take down major sites
The creators of Mirai have also pleaded guilty to charges of using their botnet to conduct click fraud, a practice that is expected to cost advertisers over $16 billion this year. Krebs wrote that the culprits "leased access to their botnet for the purposes of earning fraudulent advertising revenue through click fraud activity and renting out their botnet to other cybercriminals."
As part of this scheme, victim devices were used to transmit high volumes of requests to view web addresses associated with affiliate advertising content. Because the victim activity resembled legitimate views of these websites, the activity generated fraudulent profits through the sites hosting the advertising content, at the expense of online advertising companies.
In July 2016, Jha first wrote Mirai's code, before working with White to use it to flood targets with internet traffic. In August, White also added scanning functionality to the code that allowed the malware to identify more vulnerable devices to infect. Later in the year, Norman helped the two expand the size of their botnet by exploiting even more vulnerabilities in IoT devices.
Later in the year, Jha posted Mirai's code online to create plausible deniability and evade law enforcement. Once online, the malware was used by criminals in a plethora of attacks, including the attack on Dyn that took down several sites, including Netflix, Twitter, Amazon and others. According to the indictment, the trio was not itself responsible for the Dyn attack. However, since the release, multiple copycat botnets have appeared, with attacks against ISPs in Germany and banks in several countries. [A British man was previously charged with launching a Mirai-based attack on the German telecom giant.]
Jha, White and Norman have admitted to receiving nearly two hundred bitcoins as part of their click fraud scheme. Jha faces up to 10 years in prison on charges that include attacks carried out against Rutgers University's network. Norman and White face up to five years in prison.