School of Arts and Sciences student also wrote powerful Mirai botnet, Krebs says
Over the course of two years, Rutgers University suffered from nearly a dozen Distributed Denial of Service (DDoS) attacks, which disrupted access to web services like Sakai, disabled internet access for anyone on campus and virtually crippled the school’s network infrastructure.
Last week, cybersecurity reporter Brian Krebs alleged that School of Arts and Sciences junior Paras Jha was the perpetrator of these DDoS attacks.
Krebs said Jha is also the author of the Mirai botnet, which disabled websites and internet access around the world last year, and alleged that he is known online as “Anna-senpai,” who committed dozens of DDoS attacks internationally.
Robert Coelho, vice president of DDoS mitigation company ProxyPipe Inc., confirmed that Jha is either Anna-senpai or is close to the coder.
“Paras Jha is Anna-senpai. It is him or someone very, very close to him,” he told The Daily Targum in an email. “The idea … was presented by me to the FBI, who had the exact same suspicion. I told them some history and everything I knew, and they began their own investigation. I also confirmed it with Krebs. This was a few months ago.”
Krebs first began investigating the Mirai botnet after his website was taken down by a massive DDoS attack, he said in his article. He noted similarities between the code composing Mirai and other types of malware he had seen previously.
The use of these other botnets connected him with Coelho.
A conversation with Coelho pointed him toward the theft of IP addresses from ProxyPipe by a cloud hosting company called FastReturn.
This attack led Krebs to a programmer named Ammar Zuberi, the former owner of FastReturn. Zuberi left FastReturn to work for ProTraf Solutions, which Jha’s LinkedIn page says he is the president of. The only other employee ProTraf has is Josiah White, a known programmer and suspected malware author.
In an interview with Krebs, Zuberi identified Jha as both Anna-senpai and “ogexfocus,” also known as “exfocus,” who claimed responsibility for the Rutgers attacks through Twitter and Reddit.
“Zuberi said when he visited Jha at his Rutgers University dorm in October 2015, Paras bragged to him about launching the DDoS attacks against Rutgers,” according to Krebs’ article.
What happened at Rutgers?
Rutgers University was hit by nearly a dozen Distributed Denial of Service (DDoS) attacks over the course of two years, beginning in the Fall 2014 semester. The most recent attack took place during the first day of the Fall 2016 semester.
These attacks both prevented access to University websites and services from off-campus networks and degraded internet access to students, faculty and staff using RUWireless, Wireless Secure or ResNet.
They ranged from only lasting a few hours to impacting the school for days at a time. The Department of Homeland Security and the FBI were both investigating the outages and their cause as of September 2015.
A DDoS attack cripples network infrastructure by overloading it with requests. Under normal circumstances, University servers expect to receive and respond to a given number of requests, but a Denial of Service attack can overwhelm these servers by sending many times the expected number.
In simpler terms, a DDoS attack is equivalent to the entire Scarlet Knights football team simultaneously tackling someone who was only expecting a handshake.
Rutgers hired several mitigation companies to protect its servers in 2015, including Level 3 Network Security Services and FishNet Security, after the first five attacks.
The attacks did not stop that year, though there were only three more disruptions that year, and only one in 2016.
“Even if it wasn’t (Jha’s) decision to attack Rutgers, it would have been very easy for his friends around him to peer pressure him into doing it, particularly (Josiah White),” Coelho said. “(White) comes across in a very innocent light from Krebs’ article likely due to his cooperation, but he was also instrumental to Mirai, and it’s possible Anna was both of them.”
DDoS and DoS attacks are different from hacks, both in their execution and their goals. Denial of Service attacks seek to disrupt, while hacks aim to steal information.
No private information was at risk during the Rutgers DDoS attacks.
What is Mirai?
The Internet of Things refers to smart objects that people own, like webcams or routers, which have an internet connection but are not personal computers. In recent years, programmers have developed methods to hijack these devices, forcing them to participate in DDoS attacks.
The Mirai botnet is the most advanced form of malware to hit the internet recently. The source code for the botnet was released to the general internet a few months ago.
Black hat — or malicious — programmers can use the Mirai framework to enslave tens of thousands of devices for use in a DDoS attack, making them more difficult to fight than traditionally enslaved computers.
Incapsula, one of the companies Rutgers hired to help mitigate its DDoS attacks, analyzed the Mirai source code after it was released to the public and created a list of characteristics its creator may have.
Certain aspects of Mirai’s source code — specifically, a list of IP addresses the bots cannot touch — indicate that the author of the code was “fairly naïve,” according to Incapsula’s article. The list, while it seems designed to avoid attracting undue attention from law enforcement authorities, also seems unprofessional.
“Together these paint a picture of a skilled, yet not particularly experienced coder who might be a bit over his head. That is unless some IP ranges were cleared off the code before it was released,” Incapsula said.
The article went on to suggest that a team of Russian programmers could also be responsible for creating Mirai, due to the existence of some Russian notes.
Coelho said Jha has the necessary skills to create Mirai.
“Jha has the technical knowledge to not only program but also operate a botnet as large as Mirai. He’s not technically inept — he’s not just a kid — he has in excess the programming and computer networking knowledge of someone with their master’s,” he said.
The Incapsula article points out that Golang, a programming language, was used to write the part of Mirai that controls how it is used. The bots themselves were written using C.
Mirai was likely used in some of the most powerful cyber attacks of 2016.
What evidence does Krebs present?
Krebs said in his article that he spent several months investigating the identity of Anna-senpai after his site was attacked. He began by looking into Mirai and connecting the botnet with previous iterations that had been used before.
His site was attacked by many of these iterations, he said.
He traced one of Mirai’s forefathers to an internet gang known as “lelddos,” which frequently attacked Minecraft servers.
Minecraft servers are popular DDoS targets, he said. Operational servers can make their owner thousands of dollars per day, while servers which are knocked offline by an attack lose customers.
As a result, there is an industry built around protecting Minecraft servers by mitigating DDoS attacks. ProxyPipe Inc. is one such company aimed at protecting Minecraft servers.
Coelho said the company is more involved with Minecraft than possibly any other organization.
In Krebs’ article, Coelho connected lelddos to ProTraf by recognizing certain patterns in an attack against ProxyPipe. Zuberi was later able to confirm this connection, telling Krebs that both Jha and co-owner Josiah White were part of the internet gang.
Krebs spoke to White, who admitted to writing parts of the Mirai forefathers that attacked Krebs’ site.
From White, Krebs discovered Jha’s LinkedIn page, where he found that Jha’s listed qualifications match a list of qualifications posted by Anna-senpai on an internet forum. Further digging turned up several alternate usernames Jha uses.
He also found that Jha used to run Minecraft servers, but later switched to protecting them from DDoS attacks.
Jha has the technical knowledge to have launched the DDoS attacks in question, Coelho told The Daily Targum. He worked on a few projects with Jha briefly between three and four years ago.
“We would work on specific projects with each other, but I don’t remember ever finishing any of them,” he said. “The reason Mirai uses (Golang), actually, is likely because I introduced him to the language a long time ago when I made a project.”
Coelho said he lost contact with Jha several years ago.
In Krebs’ article, Coelho said a business partner noticed that some of the code which composes the Mirai botnet shared traits with the code posted by another of Jha’s usernames. This eventually led Coelho to independently determine that Jha was Mirai’s author — Anna-senpai.
Both Krebs and Coelho worked with the FBI in determining Anna-senpai’s identity, Coelho told The Daily Targum.
“The FBI came to the conclusion that it was (Jha) even without us confirming it,” he said. “The FBI collaborated with us to come to conclusions and shared their findings with us. It was great to work with them on this.”
Coelho said he was unaware of the depth of Krebs’ investigation until he read the full article, but that the conclusions Krebs reached were logical.
“There are no leaps, everything is relevant, and the fact he was able to get this much information is mind-blowing,” he said.
One of the interesting aspects of Krebs’ article comes from the association between Mirai and Minecraft, he said.
“The landscape is very different than people think,” he said. “The actors are very different as well. All this time, the largest attacks the internet has ever seen were just centered around Minecraft servers. It’s crazy to think about.”
A lawyer for Jha’s family could not be immediately reached for comment. He told NJ Advance Media that Krebs’ article made “lots of leaps of logic,” and that Jha was not Anna-senpai.
Jha’s father also said his son was innocent in the NJ Advance Media article.
The FBI refused to confirm or deny the existence of their investigation. Jha did not respond to a request for comment. The Rutgers Office of Information Technology declined to comment.
A University spokesperson said, “We continue to cooperate with law enforcement authorities in connection with the ongoing investigation of the DDoS attacks. We have no further comment as the matter is under investigation.”