Dyn's hackers formed a botnet from

Defendant Also Took Part in Creating Mirai and clickfraud Botnets, Infecting Hundreds of Thousands of Devices with Malicious Software

TRENTON, N.J. – A Union County, New Jersey, man was ordered today to pay $8.6 million in restitution and serve six months of home incarceration for launching a cyber-attack on the Rutgers University computer network, U.S. Attorney Craig Carpenito announced.

Paras Jha, 22, of Fanwood, New Jersey, previously pleaded guilty before U.S. District Judge Michael Shipp to violating the Computer Fraud & Abuse Act. Judge Shipp imposed the sentence today in Trenton federal court.

According to documents filed in this and other cases and statements made in court:

Between November 2014 and September 2016, Jha executed a series of “distributed denial of service” (DDOS) attacks on the networks of Rutgers University; these occur when multiple computers acting in unison flood the Internet connection of a targeted computer or computers. Jha’s attacks effectively shut down Rutgers University’s central authentication server, which maintained, among other things, the gateway portal through which staff, faculty, and students delivered assignments and assessments. At times, Jha succeeded in taking the portal offline for multiple consecutive periods, causing damage to Rutgers University, its faculty, and its students.

On Dec. 8, 2017, Jha, Josiah White, 21, of Washington, Pennsylvania, and Dalton Norman, 22, of Metairie, Louisiana, also pleaded guilty to criminal informations in the District of Alaska charging them each with conspiracy to violate the Computer Fraud & Abuse Act in operating the Mirai Botnet. In the summer and fall of 2016, White, Jha, and Norman created a powerful botnet – a collection of computers infected with malicious software and controlled as a group without the knowledge or permission of the computers’ owners. The Mirai Botnet targeted “Internet of Things” devices – non-traditional computing devices that have been connected to the Internet, including wireless cameras, routers, and digital video recorders. The defendants attempted to discover both known and previously undisclosed vulnerabilities that allowed them to surreptitiously attain administrative or high-level access to victim devices for the purpose of forcing the devices to participate in the Mirai Botnet. At its peak, Mirai consisted of hundreds of thousands of compromised devices. The defendants used the botnet to conduct a number of other DDOS attacks. The defendants’ involvement with the original Mirai variant ended in the fall of 2016, when Jha posted the source code for Mirai on a criminal forum. Since then, other criminal actors have used Mirai variants in a variety of other attacks.

Jha and Norman also pleaded guilty to criminal informations in the District of Alaska charging each with conspiracy to violate the Computer Fraud & Abuse Act. From December 2016 to February 2017, the defendants successfully infected more than 100,000 primarily U.S.-based Internet-connected computing devices, such as home Internet routers, with malicious software. That malware caused the hijacked home Internet routers and other devices to form a powerful botnet.

The defendants then used the compromised devices as a network of proxies through which they routed Internet traffic. The victim devices were used primarily in advertising fraud, including “clickfraud,” a type of Internet-based scheme that utilizes “clicks,” or the accessing of URLs and similar web content, for the purpose of artificially generating revenue.

Judge Shipp also sentenced Jha to five years of supervised release and ordered him to perform 2,500 hours of community service.

On Sept. 18, 2018, all three defendants were sentenced in federal court in Alaska to serve a five-year period of probation and 2,500 hours of community service, were ordered to pay restitution in the amount of $127,000, and voluntarily abandoned significant amounts of cryptocurrency seized during the course of the investigation.

For additional information on cybersecurity best practices for IoT devices, please visit: https://www.justice.gov/criminal-ccips/page/file/984001/download.

All three cases were investigated by the FBI. The Rutgers University case is being prosecuted by Assistant U.S. Attorney Shana Chen of the District of New Jersey. The Mirai Botnet and Clickfraud Botnet cases are being prosecuted by Assistant U.S. Attorney Adam Alexander of the District of Alaska and Trial Attorney C. Alden Pelker of the Computer Crime and Intellectual Property Section of the Criminal Division.

Additional assistance was provided by the FBI Newark Cyber Task Force, Rutgers University Police Department, N.J. State Police, the Federal Protective Service, FBI’s New Orleans and Pittsburgh Field Offices, the U.S. Attorney’s Office for the Eastern District of Louisiana, the United Kingdom’s National Crime Agency, the French General Directorate for Internal Security, the National Cyber-Forensics & Training Alliance, Palo Alto Networks Unit 42, Google, Cloudflare, Coinbase, Flashpoint, Yahoo and Akamai.

Defense counsel: Robert Stahl Esq., Westfield, New Jersey

50) Almost _________ percent of ransomware victims pay the ransom and hackers _________ decrypt the data as promised.
a) 50; do
b) 50; do not
c) 95; do
d) 95; do not
Answer: a

Perhaps the most striking point about last week’s huge DDoS attack, which took down more than 80 big websites and online services, is that the criminals behind the attack accomplished it not by particularly sophisticated or cutting-edge means, but by creating a veritable army of consumer connected devices — what we call the Internet of Things (IoT). In this post we explain the critical concepts and how this incident is connected with every one of us.

The attack

On October 21, lots of Americans woke up to find some of their most popular websites were unavailable. No watching Netflix, no transacting business through PayPal, no online gaming with Sony PlayStation. And they couldn’t even tweet about the problem — Twitter was down as well.

In all, 85 major sites were either showing signs of stress or simply not responding at all.

As it turned out, the underlying problem was a series of attacks — three in all — against the American Internet infrastructure. The first wave affected the East Coast. The second one affected users in California and the Midwest, as well as Europe. The third wave was mitigated by the efforts of Dyn, the DNS service company that was the main target of all three attacks.

Music services, media, and many other resources were affected. Amazon came in for special attention: a separate attack against it in Western Europe brought the site down for a while.

DNS and DDoS

So, how is it possible to disrupt so many sites with just three attacks? To understand this, you need to know what DNS is.

The Domain Name System, or DNS, is the system that hooks up your browser with the website you’re looking for. Essentially, each site has a digital address, a place where it lives, as well as a more friendly URL. For example, blog.kaspersky.com lives at the IP address 161.47.21.156.

A DNS server works as an address book — it tells your browser at what digital location a site is stored. If a DNS server does not respond to a request, your browser won’t know how to load the page. That’s why DNS providers (especially major ones) form an important part of critical Internet infrastructure.
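To make the "address book" concrete, here is an added example (not code from the original post) that builds a DNS A query in RFC 1035 wire format, parses a response, and shows what happens when the DNS server does not answer. The name and address are the ones the post cites (blog.kaspersky.com and 161.47.21.156); the response packet is constructed locally by `build_answer`, so nothing is sent over the network, and the `transport` callable is an assumption standing in for a real UDP socket.

```python
import secrets
import socket
import struct

# Added example: minimal RFC 1035 A-record query builder and response parser.
# The response packet is constructed here (test data), not a real server reply.


def encode_name(name: str) -> bytes:
    """Encode "blog.kaspersky.com" as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Standard query: header (RD=1, one question), QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_answer(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed response to `query` carrying one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, ANCOUNT=1
    # 0xC00C is a compression pointer back to the QNAME at offset 12.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # pointer: the rest of the name lives elsewhere
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_a_records(msg: bytes):
    """Return [(name, ip, ttl)] for the A records in a response's answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, socket.inet_ntoa(msg[off:off + 4]), ttl))
        off += rdlen
    return records


def resolve(name: str, transport):
    """Look up `name` via transport(query_bytes) -> response_bytes or None.

    Returns the first A record's IP, or None when the server does not answer or
    the reply's transaction id does not match (a stray or forged reply is dropped).
    """
    txid = secrets.randbelow(1 << 16)
    reply = transport(build_query(name, txid))
    if reply is None or struct.unpack("!H", reply[:2])[0] != txid:
        return None
    records = parse_a_records(reply)
    return records[0][1] if records else None


if __name__ == "__main__":
    live = lambda q: build_answer(q, "161.47.21.156")  # a DNS server that answers
    dead = lambda q: None                               # a DNS server knocked offline
    print(resolve("blog.kaspersky.com", live))          # the address the browser needs
    print(resolve("blog.kaspersky.com", dead))          # None: the page cannot be loaded
```

The `dead` transport is the whole Dyn story in one line: the site itself is fine, but with no answer to the lookup the browser never learns where to connect. The transaction-id check in `resolve` is the minimum a resolver does to avoid accepting a reply it never asked for.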

That brings us to DDoS. A distributed-denial-of-service (DDoS) attack floods the servers that run a website or online service with requests until they collapse and the sites they serve stop working. For a DDoS attack, criminals need to send an enormous number of requests, and that’s why they need a lot of devices to do it. For a DDoS attack, they usually use armies of hacked computers, smartphones, gadgets, and other connected things. Working together (but without their owners’ knowledge or consent) these devices form botnets.
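The defining feature of a distributed attack is that the load comes from many sources at once, each contributing only a little. The following added example (not code from the original post) classifies one-second windows of request traffic as normal, a single noisy client, or a distributed flood; the request stream, the addresses (from the TEST-NET ranges) and the thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Added example: classify per-second windows of request traffic. A flood arriving
# from many distinct sources at once is the signature of a botnet-driven DDoS,
# as opposed to one misbehaving client. All traffic below is constructed.


def classify_windows(events, window=1.0, max_total=500, min_sources=50):
    """events: iterable of (unix_time, source_ip).

    Returns {window_start: (total, distinct_sources, label)} where label is one of
    "normal", "single-source flood" or "distributed flood".
    """
    totals = defaultdict(int)
    sources = defaultdict(set)
    for ts, src in events:
        start = int(ts // window) * window
        totals[start] += 1
        sources[start].add(src)
    result = {}
    for start in sorted(totals):
        total, distinct = totals[start], len(sources[start])
        if total < max_total:
            label = "normal"
        elif distinct >= min_sources:
            label = "distributed flood"  # many devices, a few requests each
        else:
            label = "single-source flood"  # one host, rate-limit or block it
        result[start] = (total, distinct, label)
    return result


def constructed_sample():
    """Three seconds of made-up traffic: quiet, a botnet burst, one noisy client."""
    events = []
    for i in range(20):   # second 100: 20 requests from 4 ordinary clients
        events.append((100.0 + i / 20, f"198.51.100.{i % 4}"))
    for i in range(600):  # second 101: 600 requests spread over 120 sources
        events.append((101.0 + i / 600, f"203.0.113.{i % 120}"))
    for i in range(600):  # second 102: 600 requests from a single host
        events.append((102.0 + i / 600, "192.0.2.7"))
    return events


if __name__ == "__main__":
    for start, (total, distinct, label) in classify_windows(constructed_sample()).items():
        print(f"t={start:.0f}s total={total} sources={distinct} -> {label}")
```

The distinction matters for the defender: a single-source flood can be rate-limited or blocked at the edge, while a distributed one cannot be handled by blocking individual addresses, which is why DNS providers rely on capacity and traffic scrubbing instead.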

Knocking out Dyn

So, you see how it all happened: Somebody used a giant botnet against Dyn. It included tens of millions of devices — IP cameras, routers, printers and other smart gadgets from the Internet of Things. They flooded Dyn’s site with requests — a claimed 1.2 terabits per second. The estimated damage is about $110 million. However, the criminals responsible did not ask for ransom or make any other demands.

In fact, they did nothing but attack, and they left no fingerprints. However, hacker groups New World Hackers and RedCult have claimed responsibility for the incident. In addition, RedCult promised to follow up with more attacks in the future.

Why should the average user care about this stuff?

Even if the Dyn incident did not affect you personally, that does not mean you did not take part in it.

To create a botnet, criminals need a lot of devices with Internet connections. How many connected devices do you own? A phone, perhaps a smart TV, DVR, and webcam? Maybe a connected thermostat or refrigerator? Hacked gadgets serve two masters at the same time: For their owners, they work as usual, but they also attack websites at a criminal’s command. Millions of such devices took down Dyn.

This gigantic botnet was created with the help of Mirai malware. The malware’s action is rather simple: It scans for IoT devices and tries a password on whatever it finds. Usually people do not change their gadgets’ default settings and passwords, so the devices are easy to hack — that’s how they get conscripted into the zombified armies of Mirai and similar malware.
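From the device owner's side, the scanning described above shows up as a burst of failed logins from one address against factory account names. The following added example (not code from the original post, and not derived from Mirai) flags such bursts in an authentication log. The log lines are constructed in a BusyBox-style syslog format with TEST-NET addresses; the account-name set, window and threshold are assumptions to tune per device.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example: flag hosts hammering a device's login prompt with factory account
# names. Log lines are constructed and not taken from any real device.

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login\[\d+\]: FAILED LOGIN on (?P<tty>\S+) "
    r"from (?P<src>[\d.]+) for '(?P<user>[^']*)'$"
)
FACTORY_ACCOUNTS = {"root", "admin", "user", "support"}  # assumed list


def parse_failures(lines):
    """Return [(timestamp, source_ip, username)] for lines that are failed logins."""
    out = []
    for line in lines:
        m = LINE.match(line)
        if m:
            out.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"]))
    return out


def flag_scanners(lines, window=timedelta(seconds=60), threshold=5):
    """Return {src: (failures_in_worst_window, sorted usernames tried)} for sources
    that reach `threshold` failures inside any `window` using a factory account."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(lines):
        by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        worst, j = 0, 0
        for i in range(len(attempts)):  # sliding window over sorted timestamps
            while attempts[i][0] - attempts[j][0] > window:
                j += 1
            worst = max(worst, i - j + 1)
        tried = {u for _, u in attempts}
        if worst >= threshold and tried & FACTORY_ACCOUNTS:
            flagged[src] = (worst, sorted(tried))
    return flagged


def constructed_log():
    """Constructed sample: one scanner, one forgetful user, one slow host, one unrelated line."""
    lines = []
    for i in range(8):  # scanner: 8 failures in 30 s, alternating root/admin
        user = "root" if i % 2 == 0 else "admin"
        lines.append(f"2016-10-21T03:14:{i * 4:02d} cam01 login[{210 + i}]: "
                     f"FAILED LOGIN on ttyp0 from 203.0.113.9 for '{user}'")
    lines.append("2016-10-21T03:15:00 cam01 login[220]: FAILED LOGIN on ttyp0 from 198.51.100.2 for 'alice'")
    lines.append("2016-10-21T03:15:09 cam01 login[221]: FAILED LOGIN on ttyp0 from 198.51.100.2 for 'alice'")
    for i in range(6):  # slow host: 6 failures spaced 5 minutes apart, never 5 in one minute
        lines.append(f"2016-10-21T03:{i * 5:02d}:30 cam01 login[{300 + i}]: "
                     f"FAILED LOGIN on ttyp0 from 192.0.2.5 for 'admin'")
    lines.append("2016-10-21T03:16:00 cam01 dropbear[300]: Child connection from 203.0.113.9:4123")
    return lines


if __name__ == "__main__":
    for src, (count, users) in flag_scanners(constructed_log()).items():
        print(f"{src}: {count} failures in one window, accounts tried: {users}")
```

The same logic applies to SSH or web-UI login failures once the regex is adapted to that log format. Even with the default password already changed, a flagged source is worth blocking at the router, since the scan will simply move on to the next credential pair.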

And that means that your connected TV could be a part of a botnet, and you’d never know it.

In September of this year somebody used Mirai to take down the blog of IT security journalist Brian Krebs, overwhelming the server with requests from 380,000 zombified devices at up to 665 gigabits per second. The provider tried to hold the line but eventually gave up. The blog started working again only after Google intervened to protect it.

Soon after that attack, a user going by the pseudonym Anna-senpai published the Mirai source code on an underground forum. Criminals of all stripes grabbed it at once. Since then, the number of Mirai bots has increased constantly; the Dyn attack occurred after less than a month.

Implicating the IoT

DDoS is a very popular type of attack. And using smart devices in such attacks is appealing for criminals — as we’ve already mentioned, the Internet of Things is buggy and vulnerable. That is not likely to change anytime soon.

Developers of smart gadgets do little to secure their devices and don’t explain to users that they should change the passwords on cameras, routers, printers, and other devices. In fact, not all of them even allow users to do so. That makes IoT devices perfect targets.

Today somewhere between 7 and 19 billion devices are connected to the World Wide Web. According to conservative estimates, that figure will reach 30–50 billion in the next five years. Almost certainly, the majority of these devices will not be powerfully protected. In addition, gadgets compromised by Mirai are still active — and new ones join its army of bots every day.

What about the longer term?

Criminals often use botnets to attack core industrial infrastructure — electrical substations, water utilities, and yes, DNS providers. Security researcher Bruce Schneier has observed that somebody is “learning how to take down the Internet” with the help of powerful and continuous DDoS attacks.

Botnets are getting bigger, and when those attack-tests are finished, it’s not unreasonable to believe a full-scale attack will start. Imagine dozens of simultaneous attacks as powerful as the Dyn incident was and you’ll understand what damage can be done. Entire countries could lose their Internet.

How not to become a part of a botnet

One person cannot stop botnets from crashing the Internet — but together we can do a lot by not joining a botnet. You can start with making your devices more secure so that Mirai and similar malware can’t take control of them. If everyone did that, botnet armies would shrink into insignificance.

To stop your printer, router, or refrigerator from plunging the world into Internet darkness, take these simple precautions.

1. Make sure you don’t leave default passwords on your devices. Use reliable combinations that cannot be brute forced easily.

2. Update firmware for all of your gadgets — especially the older ones — if possible.

3. Be selective in choosing smart devices. Ask yourself: Does this really need an Internet connection? If the answer is “Yes!” then take the time to read about the device options before buying. If you discover that it has hard-coded passwords, choose a different model.