How Minecraft Led To The Mirai Botnet
from the just-a-little-unfriendly-competition dept
The Mirai botnet that swept through poorly-secured devices last year (for the most part, consumer IoT devices left reachable over telnet with factory-default credentials) resulted in unprecedented denial-of-service attacks. At one point, the botnet turned its wrath on security researcher Brian Krebs' site, resulting in a sustained attack that saw Krebs' DDoS protection provider (Akamai) decide it was getting too old for this shit (or, in more corporate terms, uninterested in providing further protection for this particular user).
The people behind the botnet have just pled guilty to federal charges.
Three men have pleaded guilty to federal cyber-crime charges for launching a cyberattack last year that knocked large parts of the internet offline.
Paras Jha, Josiah White, and Dalton Norman were indicted by an Alaska court in early December, according to documents unsealed Wednesday.
The Justice Dept. released a statement later in the day confirming the news.
Prosecutors accused the hackers of writing and using the Mirai botnet to hijack vulnerable internet-connected devices to launch powerful distributed denial-of-service (DDoS) attacks.
According to Jha's plea agreement, the botnet ensnared more than 300,000 vulnerable devices.
But the story behind the botnet suggests it was never meant to become a global threat or to be used to target researchers like Krebs. The malware was far from benign, but it wasn't written to bring the internet to its knees. It was meant to do something much simpler. Garrett Graff has put together an amazing story of Mirai's origin over at Wired -- one that begins in a college dorm room and involves crafting tables, zombie pigs, and battles for server superiority.
As the 2016 US presidential election drew near, fears began to mount that the so-called Mirai botnet might be the work of a nation-state practicing for an attack that would cripple the country as voters went to the polls. The truth, as made clear in that Alaskan courtroom Friday—and unsealed by the Justice Department on Wednesday—was even stranger: The brains behind Mirai were a 21-year-old Rutgers college student from suburban New Jersey and his two college-age friends from outside Pittsburgh and New Orleans. All three—Paras Jha, Josiah White, and Dalton Norman, respectively—admitted their role in creating and launching Mirai into the world.
Originally, prosecutors say, the defendants hadn’t intended to bring down the internet—they had been trying to gain an advantage in the computer game Minecraft.
Minecraft may seem to be a cooperative game, but competition for server traffic is anything but. Popular servers charge players rent for online real estate, allowing them to set up semi-persistent worlds for other players to visit. A popular server is big business. The Wired article says some server owners rake in $100,000/month during summer months when traffic is at its peak.
That's what these students were attempting to do when they unleashed their malware: DDoS competitors' servers to funnel players to theirs.
[A]ccording to court documents, the primary driver behind the original creation of Mirai was creating "a weapon capable of initiating powerful denial-of-service attacks against business competitors and others against whom White and his co-conspirators held grudges.”
Once investigators knew what to look for, they found Minecraft links all over Mirai: In a less-noticed attack just after the OVH incident, the botnet had targeted ProxyPipe.com, a company in San Francisco that specializes in protecting Minecraft servers from DDoS attacks.
“Mirai was originally developed to help them corner the Minecraft market, but then they realized what a powerful tool they built,” [FBI agent Bill] Walton says. “Then it just became a challenge for them to make it as large as possible.”
The end result was a mammoth botnet of 200,000-300,000 enslaved devices capable of generating up to 1.1 terabits per second in junk traffic. Once the three realized what they'd unleashed, they dumped the code online in hopes of obscuring its source.
The whole story is a fascinating read, digging deep into the casual use of botnets and DDoS attacks by Minecraft server owners and the mostly-accidental thermonuclear-level havoc it wreaked on the internet. Unfortunately, it also makes clear that manufacturers -- and users -- of internet-connected devices have learned little in the aftermath of these attacks.
Two weeks ago, at the beginning of December, a new IoT botnet appeared online using aspects of Mirai’s code.
Known as Satori, the botnet infected a quarter million devices in its first 12 hours.
Filed Under: dalton norman, josiah white, minecraft, mirai botnet, paras jha, server wars, servers
Reader Comments
Re:
And no doubt the CI pros with access to SIGINT and HUMINT know FAR better than we do.
And the bad news is that it's not just the Russians. The Chinese are all over this too. We've hastily built and deployed tens of millions of IoT devices with little-to-no security and thus the question is not *when* they'll be compromised -- they already are. The question is by whom and for what purpose.
It's not an exaggeration to say that the single best thing we could do for cybersecurity in the US would be to shut down every IoT device and leave it that way.
1) deploy millions of easily hacked internet-connected devices
2) create havoc with IoT botnet
3) pass new draconian laws severely restricting internet activity (conveniently leaving IoT alone)
4) ???
5) PROFIT!!!!
The kids used Minecraft to show us how horrible the internet of shit is.
I keep wondering, if these brilliant youths had used their capabilities to help others, how much better off we could be now. (Sounds like an old man, but I'm just a few years ahead of them.)