In November of last year, Germany was left without Internet because of an attack of the botnet Mirai, that also was used in the attack to Dyn. The strength of Mirai and the botnets was what frightened, if malware like this had been able to leave the web to an entire country, we had to start worrying about motives.
Mirai was responsible for knocking down Brian Krebs’ website for several days. Since then she has been investigating who is behind her, and between the data she has collected and the connections to the world of Minecraft and LinkedIn, she has published in an extensive article in which she says she has signs of knowing who Anna-senpai is, Supposed author or authors of the botnet.
The process that Krebs has followed has taken hundreds of hours of work, so let’s try to explain the keys that have led this security expert to determine that the real identity of this avatar is Paras Jha, owner of Protraf Solutions.
A reminder: What is Mirai?
A few months ago we published an article detailing exactly what the botnets are. As such, Mirai scans IoT for poorly protected devices that it can use as replicas to launch distributed Denial of Service or DDoS attacks. These types of attacks are often used to “tear down” the network to businesses, personal web sites of influential people, government agencies and NGOs almost daily.
Mirai is able to collapse servers with junk traffic at speeds of 620 gbps, which is a disproportionate figure, only based on taking advantage of poorly protected devices to use as replicas.
This botnet overturned Brian Krebs’ website for four days last September. From what he himself has published, the choice of his personal web was not something casual. Everything would have been triggered by a matter of an article that someone had not liked.
The first clues: attacks on Minecraft servers
According to Krebs, Mirai is just the latest incarnation of a long-running botnet family. These include Bashlite, Gafgyt, Qbot, Remaiten and Torlus. Each one has a different name for fundamental differences in the code between them, but the base in all is the same.
These botnets would have started to be used in 2014 to attack Minecraft servers. Behind these attacks would be the group leldos, who used the malware to “knock down” the most important. Why Robert Coelho, vice president of ProxyPipe, a company specializing in protecting Minecraft servers:
The Minecraft industry is very competitive. If you are a player, and your favorite server is down, you can switch to another server. But for server operators, it all boils down to maximizing the number of players and getting a big, active and powerful server. The more players you have, the more money you make. But if they throw you, you can start losing players very fast, maybe forever.
ProxyPipe received the attention of leldos, who launched a DDoS attack at 300 gbps , and that were dedicated to provoke the players in Twitter:
At the time the attacks were launched, ProxyPipe relied on Verisign to protect against DDoS attacks. At this security firm they said it was the biggest attack they had ever seen , and would repeat themselves in 2015 after receiving threats from a then-teen named Christopher “CJ” Sculti.
Sculti was the owner and sole employee of a DDoS protection company called Datawagon (which tried to attract Minecraft world customers) whose servers were housed in the space of another company that sold protection to Minecraft servers called ProTraf Solutions.
ProTraf enters the scene
From ProxyPipe they are convinced that Leldos is formed by Sculti and ProTraf people. Why? The attack they suffered in 2015 coincided with the theft of Internet address space on their servers. It seems that the hijacked addresses went some way to FastReturn, something the Dyn company confirmed through an analysis (as well as confirmed the attack and the theft of addresses).
A few months after the attack, the manager of FastReturn went to work for ProTraf , selling most addresses assigned to FastReturn in the process. This person responds to the name of Ammar Zuberi, and denies any type of allegiance to them, although he incriminates CJ Sculti and ProTraf staff.
Zuberi led another piece of research, Josiah White, a pro-DDoS mitigation expert on ProTraf . In addition, White is the author of two botnets that we named a few lines above, Qbot and Bashlite, as he himself acknowledged before Brian Krebs (although he did not think his code would be sold or exchanged online). And again, ProTraf appears in the conversation.
Krebs begins to investigate the company and discovers that he only has another employee: Paras Jha , who is also the company president.
Who is Paras Jha?
As you can read in the LinkedIn profile of Paras Jha, the programmer / hacker / entrepreneur defines himself as follows:
Self-employed, in seventh grade he began to learn to program in a self-taught way in different languages. Today, its software development skills include C #, Java, Golang, C, C ++, PHP, x86 ASM and without forgetting web languages like Javascript and HTML / CSS.
Josiah White and CJ Sculti also appear as recommended profiles, although since the publication of the article by Brian Krebs, many users may have looked for them, which may not be significant.
Returning to Paras Jha, he worked several years for Minetime, one of the most popular Minecraft servers. This is not surprising considering that ProTraf was trying to attract customers from the Minecraft environment, but what caught Krebs’s attention is that Paras Jha’s abilities are the same as Anna-senpai’s , which details them in his profile. Hackforums.
Is Paras Jha Anna-senpai?
It was not until Krebs spoke with Josiah White that he began to suspect that this man could be the real identity of Anna-senpai. Apparently, he has tried to enter into different groups hackers , making very clear his set of skills in all his applications of entrance:
As we said, what Anna-senpai says know how to do and what Jha details in her LinkedIn profile is exactly the same. That said, Krebs began to further investigate the footprint of Paras Jha on the Internet. On the one hand, this programmer contributes to GitHub as dreadiscool , which is also the same alias used in a well-known forum about Minecraft. Forum where, by the way, still active. His last posts in that forum are of very technical nature, covering aspects that go from the programming to the DDoS attacks.
What else did Krebs find? On one hand Paras Jha is a user of MyAnimelist, where users post the series and movies they have seen within this genre. Among them is Mirai Nikki, from where Krebs deduces that he got the name of the malware. In your Reddit profile you can see great activity in posts related to DDoS attacks.
More evidence. Robert Coelho spoke with Anna-senpai on Skype without knowing the real identity of this user. However, his business partner realized that Mirai’s source code was very similar to another one posted on the dreadiscool GitHub. Here’s what he has to say about it:
[My partner] began to conclude that maybe Anna-senpai was Paras. He gave me lots of ideas, and after I did my own research I decided that he was probably right. [Paras and I] talked a lot by then and we used to participate in programming projects together. Now it is very good, but then it was not. I was still learning, and I taught him almost everything.
He likes to recognize his consciences, to be praised and other people to recognize how good he is. Presume a lot, in a nutshell.
Coelho said that not long after Minetime received a DDoS attack in 2013, Paras Jha joined Hackforums and shortly after he stopped responding to his messages:
He disappeared from the face of the earth. When he started hacking into Hackforums, I no longer knew him. He had become a different person.
For his part, Jha denies any association with Mirai, he told Brian Krebs:
I do not think there is enough evidence to point me out. Until the publication of this article, I was basically nobody. There is not a story about me doing this sort of thing, anything that signals any kind of sociopathic behavior. Which is what the author is, a sociopath.
We will see how events unfold in the future, but for now Brian Krebs seems to be very clear .
About2ZF77
