In December 2017, the youthful authors of the devastating Mirai botnet admitted that, collectively, they were guilty of conspiracy to violate the Computer Fraud and Abuse Act (CFAA): one charge for the Mirai botnet, and two charges for a clickfraud botnet.
Which, in legalese, means…
…intentional damage to a protected computer, to wit knowingly causing the transmission of a program, code, or command to a computer with the intention of impairing without authorization the integrity or availability of data, a program, system, or information; and the computer was used in or affected interstate or foreign commerce or communication.
…and which, in English, means writing and implementing the code that led to the Mirai malware, which ensnared more than 300,000 Internet of Things (IoT) devices; launching multiple distributed denial-of-service (DDoS) attacks (including, unwisely, against security journalist Brian Krebs, whose response was to track them down and unmask them); renting the botnet out to third parties and then extorting money from hosting companies in exchange for not being targeted, or selling uniquely tailored “services” to victims in order to fend off such attacks; scanning for vulnerable devices to attack; and click fraud.
…All of which is estimated to have caused damage in excess of $100m.
Yeah, the FBI says, but they’re such smart guys. Let’s keep them around!
On Tuesday, on the FBI’s recommendation and the defense attorneys’ “Yes, please!”, an Alaskan court sentenced the three men to probation, community service and fines.
Each of the Mirai authors – 22-year-old Paras Jha Fanwood, of New Jersey; Josiah White, 21, of Washington, PA; and Dalton Norman, 22, from Metairie, Louisiana – was sentenced to five years’ probation and 2,500 hours of community service, some of which will be spent working with/for the FBI.
The men were also ordered to pay $127,000 in restitution for the damage caused by their malware, and voluntarily give up significant chunks of cryptocurrency seized during the course of the investigation.
Jha, White, and Norman came to the attention of the Feds when, in the summer and fall of 2016, they created Mirai. The powerful botnet was created with a collection of IoT gadgets infected with malware including wireless cameras, routers, and digital video recorders.
A fierce attack
The fury of the Mirai botnet was something to behold: the attack on Krebs’s site, for one, saw the generation of an astonishing combined total of over 600 gigabits per second of time-wasting network traffic.
Jha, White, and Norman tried to disassociate themselves from Mirai in the fall of 2016, when Jha open-sourced the code on a criminal forum.
According to the Alaska Attorney General, since the code was unleashed, other criminal actors have used Mirai variants in a number of other attacks. These ripples are still being felt.
Jha, White, and Norman used Mirai to infect over 100K devices between December 2016 and February 2017. Besides DDoSes, they made money by using the botnet in advertising fraud, making it look like a real user has clicked on an advertisement and thus fraudulently inflating ad revenue.
Back when Mirai got open-sourced, Paul Ducklin noted that it wasn’t exactly what you’d call the work of programming prodigies. In fact, he dubbed it “badly programmed and unfinished.” Not that it mattered, he said:
It works, and it’s effective primarily because of bad programming in the very IoT devices it uses to do its dirty work.
The FBI doesn’t seem to be deterred by sloppy coding, at any rate.
As the US Attorney’s office in Alaska said on Tuesday, Jha, White, and Norman have already cooperated “extensively” with the FBI.
The government had asked that their sentences include more of the same. From the sentencing memorandum:
The United States asks the Court, upon concurrence from Probation, to define community service to include continued work with the FBI on cyber crime and cybersecurity matters.
In a separate, eight-page document viewed by Wired, the government described how the trio has worked behind the scenes with the agency and the broader cybersecurity community to apply their computer expertise to more constructive uses ever since the FBI first came knocking 18 months ago.
Prior to even being charged, the defendants have engaged in extensive, exceptional cooperation with the United States Government [that’s been] noteworthy in both its scale and its impact.
In fact, the government estimates that prior to sentencing, the three men have collectively worked for more than 1,000 hours: equivalent to about six months of full-time work. Their efforts have made a serious contribution in nationwide and even global law enforcement and security efforts, the government said.
For example, they helped chase what appeared to be an Advanced Persistent Threat (APT) from a nation-state hacking group. They also worked with the FBI in advance of Christmas 2017 to help mitigate a tsunami of DDoS attacks. Last year saw an unprecedented number of DDoSes: one study found that in the first quarter alone, there was a stunning 380% increase in such attacks.
According to Wired, the court documents also suggest that the trio has been working undercover, both online and offline, including traveling to “surreptitiously record the activities of known investigative subjects,” and working with overseas law enforcement to “ensur[e] a given target was actively utilizing a computer during the execution of a physical search.”
Prosecutors and the defense attorneys agreed that the men were unlikely to reoffend.
In the case of Norman, for example, there’s nothing quite like being dragged out of bed in the “innocent, quiet, early morning hours” by a SWAT team brandishing firearms and escorting your 80-year-old grandmother out to the front lawn in her nightgown to slap some sense into a precociously talented but socially awkward young man with a speech impediment who still lives at home.
Norman, “devastated” by being the cause of his family’s home being ransacked, has expressed remorse from the get-go.
The government said that Jha was particularly helpful, devoting hundreds of hours of work in helping investigators. He’s since landed a paying job at a Silicon Valley technology firm, according to the sentencing memo, although the government declined to name which firm hired him.
Jha’s courtroom journey isn’t over just yet, however. He’s admitted to using Mirai to attempt a series of cyberattacks against Rutgers University, where he was enrolled as a computer science student at the time. He’s slated to be sentenced next week in New Jersey for those crimes.