Mirai Worm Author Anna-Senpai Unmasked
Ashley Allen / 3 years ago
The Mirai botnet, which takes control of poorly secured IoT devices to launch massive DDoS attacks, wreaked havoc last year after its developer, known only by the Hackforums handle Anna-Senpai, released the source code for the malware. One victim of Mirai was Krebs on Security, the blog run by security researcher Brian Krebs. Since that attack, Krebs has spent months investigating Mirai and Anna-Senpai, and he believes he has discovered the true identity of this shadowy figure.
Krebs first traced Mirai’s lineage back to a group of “Internet hooligans” calling themselves lelddos:
“Mirai’s ancestors had so many names because each name corresponded to a variant that included new improvements over time. In 2014, a group of Internet hooligans operating under the banner “lelddos” very publicly used the code to launch large, sustained attacks that knocked many Web sites offline.
The most frequent target of the lelddos gang were Web servers used to host Minecraft, a wildly popular computer game sold by Microsoft that can be played from any device and on any Internet connection.”
He then followed the trail of later attacks on Minecraft hosting providers to ProTraf Solutions, a company that offered DDoS protection services:
“[Robert] Coelho [Vice President of ProxyPipe, a company that protects Minecraft servers from DDoS] recalled that in mid-2015 his company’s Minecraft customers began coming under attack from a botnet made up of IoT devices infected with Qbot. He said the attacks were directly preceded by a threat made by a then-17-year-old Christopher “CJ” Sculti, Jr., the owner and sole employee of a competing DDoS protection company called Datawagon.
Datawagon also courted Minecraft servers as customers, and its servers were hosted on Internet space claimed by yet another Minecraft-focused DDoS protection provider — ProTraf Solutions.”
Krebs discovered that ProTraf has just two employees: Josiah White and the company’s President, a 20-year-old named Paras Jha:
“White’s employer ProTraf Solutions has only one other employee – 20-year-old President Paras Jha, from Fanwood, NJ. On his LinkedIn profile, Jha states that “Paras is a passionate entrepreneur driven by the want to create.” The profile continues:
Jha’s LinkedIn page also shows that he has extensive experience running Minecraft servers, and that for several years he worked for Minetime, one of the most popular Minecraft servers at the time.
After first reading Jha’s LinkedIn resume, I was haunted by the nagging feeling that I’d seen this rather unique combination of computer language skills somewhere else online. Then it dawned on me: The mix of programming skills that Jha listed in his LinkedIn profile is remarkably similar to the skills listed on Hackforums by none other than Mirai’s author — Anna-Senpai.”
Armed with only a hunch, Krebs dug for concrete evidence that Jha is, in fact, Anna-Senpai:
“It wasn’t until after I’d spoken with Jha’s business partner Josiah White that I began re-reading every one of Anna-Senpai’s several dozen posts to Hackforums. The one that made Jha’s programming skills seem familiar came on July 12, 2016 — a week after posting his “Killing All Telnets” discussion thread — when Anna-Senpai contributed to a Hackforums thread started by a hacker group calling itself “Nightmare.”
Such groups or hacker cliques are common on Hackforums, and forum members can apply for membership by stating their skills and answering a few questions. Anna-Senpai posted his application for membership into this thread among dozens of others, describing himself thusly:
Location and Languages Spoken: English
Which of the aforementioned categories describe you the best?: Programmer / Development
What do you Specialize in? (List only): Systems programming / general low level languages (C + ASM)
Why should we choose you over other applicants?: I have 8 years of development under my belt, and I’m very familiar with programming in a variety of languages, including ASM, C, Go, Java, C#, and PHP. I like to use this knowledge for personal gain.”
The Hackforums post shows that Jha and Anna-Senpai list the same set of programming languages. Additionally, Krebs notes that those languages match the ones Mirai itself is written in: “According to an analysis of Mirai by security firm Incapsula, the malicious software used to control a botnet powered by Mirai is coded in Go (a.k.a. “Golang”), a somewhat esoteric programming language developed by Google in 2007 that saw a surge in popularity in 2016. Incapsula also said the malcode that gets installed on IoT bots is coded in C.”
The post on Krebs on Security is long, reflecting the “thousands of hours” he says the investigation took, but fascinating. The lengths Krebs went to, though, highlight just how difficult it is to uncover those responsible for malicious online attacks.
“If you’ve ever wondered why it seems that so few internet criminals are brought to justice, I can tell you that the sheer amount of persistence and investigative resources required to piece together who’s done what to whom (and why) in the online era is tremendous,” Krebs laments.