Researcher IDs Author of Massive Mirai Botnet Code

snagfilms-a.akamaihd.nethot-spots-cyber-241f9dfa3ac8ad2c16595dfcb38c2a29ec97f940-1.jpg

Photo Credit: Vicente Barcel

In what must be a somewhat gratifying act of revenge, cybersecurity researcher Brian Krebs identified the real-life identity of the author of the infamous Mirai code, who went by the name Anna-Senpai. In a lengthy piece on his blog, KrebsOnSecurity, Krebs unpacks how he discovered the author of the code, as well as at least one co-conspirator, in what was linked to a string of high profile distributed denial of service (DDoS) attacks.

Krebs’ research — which he said took hundreds of hours and was slightly personal as his own website was felled by the malicious code in 2016 — took him back to 2014, when a group of “internet hooligans operating under the banner of ‘lelddos’” used the code to take servers hosting the popular game Minecraft offline.

Following the September 2016 Mirai attack on Krebs’ website, many sources specializing in lurking on cybercrime forums indicated the principal author of code linked in previous attacks was a 19-year-old named Josiah White who worked for a company called ProTraf.

Krebs wrote that ProTraf only had one other employee: Its 20-year-old president named Paras Jha, whose LinkedIn page showed he had extensive experiences running Minecraft services.

“After first reading Jha’s LinkedIn resume, I was haunted by the nagging feeling that I’d seen this rather unique combination of computer language skills somewhere else online,” Krebs wrote. “Then it dawned on me: The mix of programming skills that Jha listed in his LinkedIn profile is remarkably similar to the skills listed on Hackforums by none other than Mirai’s author — Anna-Senpai.”

Posts on online forums showed Jha and Ann-Senpai had the exact same programming skills.

Krebs was also pointed to an acquaintance who noticed code in Mirai looked similar to code on a GitHub account under the handle “Dreadiscool,” which Krebs discovered was associated with Jha.

Following several months of research, Krebs said he heard from a former co-worker of Jha at ProTraf. The co-worker told Krebs Jha had admitted he was responsible for Mirai attacks and White developed code used to infect new devices with Mirai written in C, a language that White evidently excelled at.

Read the full (lengthy) account on Krebs’ blog.