Mirai botnet creators are now fighting crime on the side of the FBI

Published on September 22, 2018


Original author: Garrett M. Graff

Three defendants who stood behind the Mirai botnet, an online tool that wreaked havoc across the Internet in the fall of 2016 with the most powerful distributed denial-of-service attacks seen to that point, will appear in an Alaska courtroom on Thursday to ask the judge for an unusual sentence: they hope to be ordered to work for the FBI.

Josiah White, Paras Jha and Dalton Norman, each of whom was between 18 and 20 years old when Mirai was created and launched, pleaded guilty in December to creating the malware. The botnet, which took control of hundreds of thousands of Internet of Things devices and united them into a digital army, began life as a tool for attacking Minecraft server hosts, but grew into an online tsunami of malicious traffic that knocked entire hosting providers offline. Appearing at the height of the accusations that "Russian hackers" had interfered in the American election, it led many to fear that an unknown new adversary was about to bring down the Internet.

The creators, realizing that their creation had turned out far more powerful than they had intended, panicked and released its source code. This is a standard tactic among hackers who hope that, when the authorities reach them, no code will be found that is not already public, so that its creation cannot easily be pinned on them. Publishing the code led to further attacks that fall, one of which left much of the Internet on the US east coast unreachable for a day in October.

According to court documents, the US government is recommending that each of the three receive a five-year suspended sentence and 2,500 hours of community service.

The nuance, however, is exactly how the government wants them to serve that term: "Furthermore, the United States asks the Court, in consultation with the Probation Committee, to define community service as ongoing work with the FBI on combating cybercrime and ensuring cybersecurity," the sentencing memorandum states.

In a separate eight-page document, the government describes how, in the 18 months since the FBI first contacted the three, they have actively worked with the agency and the broader cybersecurity community, applying their computer skills to non-criminal work. "Even before being charged, the defendants engaged in extensive and exceptional cooperation with the US government," the prosecutors wrote, adding that their cooperation "was remarkable both in scope and in consequence."

It turns out the three have already contributed to more than ten different law enforcement and national security operations, at home and abroad. In one case they helped private researchers track a hacker group that was the source of an "advanced persistent threat"; in another they worked with the FBI ahead of last Christmas to blunt DoS attacks. The court documents also mention that the trio worked undercover online and offline, travelled to "secretly document the actions of the subjects under investigation," and once even worked with law enforcement officers in another country to "ensure that the suspect was using a computer at the time of the search."

The government estimates that the three have together already accumulated more than 1,000 hours helping the agency, the equivalent of six months of work.

This year the defendants worked with the FBI in Alaska to stop a new kind of DoS attack, known as Memcached, which turns a legitimate Internet protocol designed to speed up the loading of websites into a way of overloading sites with ordinary requests. This little-known protocol was vulnerable in part because many servers ran it without any authentication, leaving them open to abuse.

The court documents describe how Norman, Jha and White eagerly set to work in March when the attacks began to spread across the Internet, working with the FBI and the security industry to identify vulnerable servers. The FBI then contacted companies and manufacturers that might be affected by the attacks to help soften the blow. "Thanks to the defendants' quick work, the volume and frequency of Memcached DoS attacks were reduced within a few weeks; the attacks became functionally useless and their volume fell to a small fraction of what it had been," the prosecutors' report says.
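The two conditions that made Memcached servers usable as amplifiers were that UDP was left enabled and the daemon was bound to a public interface. The following is an added example, not code from the article or from the court filings, showing how an operator could audit a Debian-style `memcached.conf` for those two settings. The `-U` (UDP port) and `-l` (listen address) options are real memcached flags; the sample configurations are constructed, and treating a missing `-U` as "UDP on" is an assumption that reflects releases before 1.5.6, which enabled UDP by default.

```python
import re

# Constructed sample configs (not from any real host). Each line is one
# memcached command-line option, as in Debian's /etc/memcached.conf.
WEAK_CONF = """
# constructed: UDP on, bound to every interface
-m 64
-p 11211
-U 11211
-l 0.0.0.0
"""

HARDENED_CONF = """
# constructed: UDP off, loopback only
-m 64
-p 11211
-U 0
-l 127.0.0.1
"""

# Listen values that expose the daemon on all interfaces.
PUBLIC_BIND = {"0.0.0.0", "::", "*"}


def parse_conf(text):
    """Return {flag: value} for single-letter options, ignoring comments and blanks."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"-(\w)\s*(\S*)", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def audit(text):
    """Return a list of findings; an empty list means neither weak setting is present."""
    opts = parse_conf(text)
    findings = []
    # Assumption: no -U line means UDP is on (pre-1.5.6 default behaviour).
    udp = opts.get("U", "11211")
    if udp != "0":
        findings.append(f"UDP enabled on port {udp}; set '-U 0' unless UDP is required")
    # Assumption: no -l line means bind to all interfaces (memcached default).
    binds = opts.get("l", "0.0.0.0").split(",")
    public = [b for b in binds if b in PUBLIC_BIND]
    if public:
        findings.append(f"listening on {','.join(public)}; bind to 127.0.0.1 or an internal address")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "ok")
```

Running the block prints two findings for the weak configuration and `ok` for the hardened one. Firewalling UDP/11211 at the network edge is the complementary control when the daemon's flags cannot be changed.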

Interestingly, the trio's work for the government was not limited to preventing DoS attacks. Prosecutors describe extensive programming work by the defendants, including building a program to make it easier to track cryptocurrencies and their associated private keys across various currencies. The court documents give no details about the program, but according to the report it takes blockchain data from various cryptocurrency inputs and renders it in graphical form, helping investigators analyze suspicious online wallets. "This program and its capabilities, created with the help of the defendants, can substantially reduce the time it takes law enforcement to conduct transaction analysis, because the program automatically determines the path of the selected wallet," the report says.
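The filings say only that the tool turns blockchain data into a graph and follows a chosen wallet's path. As an added illustration of that idea, and not the defendants' program or any part of the court record, the block below builds a directed graph of fund flows from a constructed list of transactions, walks every outgoing path from a wallet of interest, and emits the result in Graphviz DOT form. The transaction tuples, wallet names and the `trace_outflows` and `to_dot` helpers are all hypothetical.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (txid, from_address, to_address, amount).
# Addresses are placeholders, not real wallets.
TXS = [
    ("tx1", "walletA", "walletB", 5.0),
    ("tx2", "walletB", "walletC", 3.0),
    ("tx3", "walletB", "walletD", 2.0),
    ("tx4", "walletD", "exchangeX", 2.0),
    ("tx5", "walletE", "walletA", 1.0),  # inflow to walletA; not on an outgoing path
]


def build_graph(txs):
    """Adjacency list: sender -> [(receiver, txid, amount), ...]."""
    graph = defaultdict(list)
    for txid, src, dst, amount in txs:
        graph[src].append((dst, txid, amount))
    return graph


def trace_outflows(graph, start, max_hops=10):
    """Breadth-first walk of funds leaving `start`.

    Returns a list of (hop, from, to, txid, amount) edges in discovery order.
    Each address is expanded once, so cycles and shared destinations cannot
    loop forever; max_hops bounds the depth for very busy wallets.
    """
    seen = {start}
    queue = deque([(start, 0)])
    edges = []
    while queue:
        node, hop = queue.popleft()
        if hop >= max_hops:
            continue
        for dst, txid, amount in graph.get(node, []):
            edges.append((hop + 1, node, dst, txid, amount))
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, hop + 1))
    return edges


def to_dot(edges):
    """Render traced edges as a Graphviz digraph for visual review."""
    lines = ["digraph flows {"]
    for _hop, src, dst, txid, amount in edges:
        lines.append(f'  "{src}" -> "{dst}" [label="{txid}: {amount}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = trace_outflows(build_graph(TXS), "walletA")
    for hop, src, dst, txid, amount in flows:
        print(f"hop {hop}: {src} -> {dst} ({txid}, {amount})")
    print(to_dot(flows))
```

Piping the DOT output through `dot -Tpng` gives the kind of picture the report describes: every hop from the selected wallet outward, with the transaction that moved the funds on each edge. On real chain data the same walk would be fed from a node's RPC interface or a block explorer export rather than the inline list.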

According to sources close to the case, the Mirai investigation offered a unique opportunity to recruit defendants who had demonstrated outstanding computer skills, steer them away from breaking the law, and draw them into legitimate work in computer security.

The government points to the immaturity of the three in its sentencing recommendation, noting "the difference between their online persona, where they were important, well-known and malicious hackers in the world of criminal DoS attacks, and their relatively mundane real lives, in which they were unknown, immature young people living with their parents." None of them had been charged with a crime before, and the government notes the efforts of all three "toward positive professional and educational development, with varying success." As the report puts it, "it was the lack of progress in the described areas that led the defendants to the criminal actions discussed here."

In a separate filing, the lawyer for Josiah White, who was home-schooled and graduated from the Pennsylvania Cyber School the year Mirai was launched, explains: "He made a mistake, made the wrong decision, but then turned it into actions that were very useful for the government and a learning experience for himself."

Having caught Mirai's creators, the government hopes to redirect them toward more productive lives, starting with 2,500 hours of work alongside the FBI, security experts and engineers. As the prosecutors wrote: "All three will have good prospects for training and employment if they choose to pursue them rather than continuing to engage in crime." That amounts to roughly a full year of full-time work for the FBI, likely spread across the five-year suspended sentence.

Interestingly, the court documents also describe the defendants' ongoing work on other DoS cases, stating that the FBI's Alaska office is continuing "an investigation into the many groups responsible for large-scale DoS attacks and seeks to continue working with the defendants."

The FBI's small cyber squad in Anchorage appeared only recently, yet over the past few years it has become the agency's leading unit against botnets; just last week, squad chief William Walton travelled to Washington to receive one of the agency's highest awards for his work on the Mirai case from the hands of the FBI director. The same week, the creator of the Kelihos botnet, Russian hacker Peter Levashov, pleaded guilty in a Connecticut court in another case worked by the Anchorage FBI unit together with the cyber squad from New Haven. Judging by the court documents, the Mirai defendants also had a hand in that botnet, helping to develop the scripts that identified Kelihos victims after the sudden seizure of the botnet's control and Levashov's arrest in Spain last April.

The Mirai investigation, led by agents Elliot Peterson and Doug Klein, has an interesting echo in another of Peterson's cases. In 2014 the agent led the indictment of Yevgeny Bogachev, one of the most wanted cybercriminals on the FBI's list, who allegedly committed numerous financial crimes through the GameOver Zeus botnet. In that case investigators determined that Bogachev, who lived in Anapa, was behind many versions of the Zeus malware, a favorite tool for hacker attacks in the digital underground: something like Microsoft Office for online fraud. The FBI hunted Bogachev for years, on several occasions, while he kept developing new and improved versions of the software. In 2014, during the GameOver Zeus investigation, investigators concluded that Bogachev was cooperating with Russian intelligence to turn the botnet's capabilities to intelligence gathering, searching for secret information on infected computers in countries such as Turkey, Ukraine and Georgia.

The GameOver Zeus case was one of the earliest examples of what is now a run of cases showing how Russian criminals collaborate with Russian intelligence services. In a similar case that came to light last year, the US government described how well-known Russian hacker Alexey Belan worked with two officers of the Russian special services on the Yahoo hack. The blurring of the line between online criminals and Russian special services has become a key factor in turning the country into a state that does not recognize international norms, the most recent example being the launch of the NotPetya ransomware.

In Alaska, the FBI's courtroom will offer its own version of how the government can deal with a similar problem. It, too, is happy to draw on the expertise of criminal hackers caught within the country. But first it forces them to stop their criminal activity, and then turns their computer skills toward keeping the global Internet safe and healthy.