Considering that Brian Krebs, who runs KrebsOnSecurity, was directly affected by Mirai (and lost his cloud service provider, Akamai, as a result), it’s almost poetic that he is the one who has seemingly uncovered the originator of the malware. A person using the alias Anna Senpai released the source code to Mirai in October, and using that code and some Inspector Gadget-level sleuthing, Krebs weaves an exhaustive story (8,000+ words) of Mirai’s origins and the motivations behind its use.
The origins of Mirai date back a few years to botnets that were used to attack Minecraft servers. More specifically, companies would hire Anna Senpai to unleash DDoS attacks on competitors that provided security services for Minecraft servers, causing those competitors to lose potentially thousands of dollars per day from irate customers. Of course, if your security provider is costing you money, you’d look to jump ship to someone who could provide adequate protection. That’s where the security companies that hired Anna Senpai would swoop in to save the day.
“The Minecraft industry is so competitive,” said Robert Coelho, VP for ProxyPipe. ProxyPipe provides security for Minecraft servers and was the target of a 300 gigabit per second DDoS attack in 2014 by hacker gang Lelddos. “If you’re a player, and your favorite Minecraft server gets knocked offline, you can switch to another server. But for the server operators, it’s all about maximizing the number of players and running a large, powerful server. The more players you can hold on the server, the more money you make. But if you go down, you start to lose Minecraft players very fast — maybe for good.”
But as Krebs dug deeper, he came closer to finding out the identity of Anna Senpai. "The first clues to Anna Senpai's identity didn't become clear until I understood that Mirai was just the latest incarnation of an IoT botnet family that has been in development and relatively broad use for nearly three years," wrote Krebs. After determining that the attack on his site bore a strong resemblance to the attack on ProxyPipe, he was led to a company called ProTraf, which was helmed by coder Paras Jha.
“After months of gathering information about the apparent authors of Mirai, I heard from Ammar Zuberi, once a co-worker of ProTraf President Paras Jha,” said Krebs. “Zuberi told KrebsOnSecurity that Jha admitted he was responsible for both Mirai and the Rutgers DDoS attacks. Zuberi said when he visited Jha at his Rutgers University dorm in October 2015, Paras bragged to him about launching the DDoS attacks against Rutgers.”
Jha, a student at Rutgers University, is allegedly responsible for over half a dozen DDoS attacks that crippled the school’s networks during the fall of 2015.
“He was laughing and bragging about how he was going to get a security guy at the school fired, and how they raised school fees because of him,” Zuberi explained. “He didn’t really say why he did it, but I think he was just sort of experimenting with how far he could go with these attacks.”
But how exactly does all of this relate to the attack on KrebsOnSecurity? Apparently, it was retaliation for Krebs’ outing of the two hackers behind the Israeli vDOS DDoS attack service, both of whom were arrested. It was then that Paras Jha, aka Anna Senpai, was paid to carry out the massive Mirai DDoS attack in retaliation.