DDoS protection provider alleged to be Mirai botnet creator

Investigative journalist Brian Krebs believes the owner of a distributed denial of service mitigation firm is the author of malware designed to enable massive IoT botnet-enabled DDoS attacks

Investigative security journalist Brian Krebs has claimed that a distributed denial of service (DDoS) protection provider is the most likely creator of the Mirai malware that was designed to carry out the largest DDoS attacks to date.

The Mirai malware enables attackers to hijack thousands of devices making up the internet of things (IoT), such as webcams, to launch DDoS attacks.

The malware was used to carry out a string of crippling DDoS attacks in September and October 2016 that affected several websites, including Twitter, Spotify, Reddit, PayPal and Krebs on Security.

Krebs, whose news site was hit by a DDoS attack of 620 gigabits per second (Gbps) in size on 22 September 2016, has since worked to discover the true identity of the malware author.

About a week after the attack on Krebs on Security, the attacker – using the name Anna-Senpai – released the source code for Mirai on an underground forum, spawning dozens of copycat attacks.

Targets included broadband providers Post Office Broadband and Kcom, and US domain name services firm Dyn, which resulted in Twitter and the other high-profile sites being taken offline.

A Mirai variant caused the mass shutdown of Deutsche Telekom routers, reportedly affecting more than 900,000 customers, and nearly 2,400 home routers across the UK were infected with a variant of the Mirai botnet code.

After “hundreds of hours of research”, Krebs claimed that Paras Jha, owner of DDoS attack mitigation company ProTraf Solutions, was the most likely creator of the Mirai malware.

After the Mirai malware code was released, security experts expressed fears of a surge in powerful DDoS attacks capable of taking almost any company offline.

Initial investigations indicated that Mirai was the work of a person named Anna-Senpai, but Krebs says he eventually linked the name to Jha, who has also used the aliases Dreadiscool and OG_Richard_Stallman.

He alleges that Jha and others created the Mirai code and used it to attack Minecraft servers to generate business for Jha’s DDoS mitigation service.

After months of research, Krebs claims that Ammar Zuberi, a former ProTraf Solutions colleague of Jha, informed him that Jha had admitted to being the author of Mirai.

But when Jha finally responded to a request for comment from Krebs, he denied creating the Mirai code and denied telling Zuberi that he had, according to an update to the original report by Krebs.

“I don’t think there are enough facts to definitively point the finger at me,” Jha told Krebs. “Besides this article, I was pretty much a nobody. No history of doing this kind of stuff, nothing that points to any kind of sociopathic behaviour. Which is what the author is – a sociopath.”