How Minecraft Led To The Mirai Botnet

from the just-a-little-unfriendly-competition dept

The Mirai botnet that swept through poorly-secured devices last year resulted in unprecedented denial-of-service attacks. At one point, the botnet turned its wrath on security researcher Brian Krebs' site, resulting in a sustained attack that saw Krebs' DDoS protection service (Akamai) say it was getting too old for this shit uninterested in providing further protection for this particular user.

The people behind the botnet have just pled guilty to federal charges.

Three men have pleaded guilty to federal cyber-crime charges for launching a cyberattack last year that knocked large parts of the internet offline.

Paras Jha, Josiah White, and Dalton Norman were indicted by an Alaska court in early December, according to documents unsealed Wednesday.

The Justice Dept. released a statement later in the day confirming the news.

Prosecutors accused the hackers of writing and using the Mirai botnet to hijack vulnerable internet-connected devices to launch powerful distributed denial-of-service (DDoS) attacks.

According to Jha's plea agreement, the botnet ensnared more than 300,000 vulnerable devices.

But the story behind the botnet suggests it was never meant to become a global threat or used to target researchers like Krebs. The malware was far from benign, but it wasn't written to bring the internet to its knees. It was meant to do something much simpler.. Garrett Graff has put together an amazing story of Mirai's origin over at Wired -- one that begins in a college dorm room and involves crafting tables, zombie pigs, and battles for server superiority.

As the 2016 US presidential election drew near, fears began to mount that the so-called Mirai botnet might be the work of a nation-state practicing for an attack that would cripple the country as voters went to the polls. The truth, as made clear in that Alaskan courtroom Friday—and unsealed by the Justice Department on Wednesday—was even stranger: The brains behind Mirai were a 21-year-old Rutgers college student from suburban New Jersey and his two college-age friends from outside Pittsburgh and New Orleans. All three—Paras Jha, Josiah White, and Dalton Norman, respectively—admitted their role in creating and launching Mirai into the world.

Originally, prosecutors say, the defendants hadn’t intended to bring down the internet—they had been trying to gain an advantage in the computer game Minecraft.

Minecraft may seem to be a cooperative game, but competition for server traffic is anything but. Popular servers charge players rent for online real estate, allowing them to set up semi-persistent worlds for other players to visit. A popular server is big business. The Wired article says some server owners rake in $100,000/month during summer months when traffic is at its peak.

That's what these students were attempting to do when they unleashed their malware: DDoS competitors' servers to funnel players to theirs.

[A]ccording to court documents, the primary driver behind the original creation of Mirai was creating "a weapon capable of initiating powerful denial-of-service attacks against business competitors and others against whom White and his co-conspirators held grudges.”

Once investigators knew what to look for, they found Minecraft links all over Mirai: In an less-noticed attack just after the OVH incident, the botnet had targeted, a company in San Francisco that specializes in protecting Minecraft servers from DDoS attacks.

“Mirai was originally developed to help them corner the Minecraft market, but then they realized what a powerful tool they built,” [FBI agent Bill] Walton says. “Then it just became a challenge for them to make it as large as possible.”

The end result was a mammoth botnet of 200,000-300,000 enslaved devices capable of generating up to 1.1 terabits per second in junk traffic. Once the three realized what they'd unleashed, they dumped the code online in hopes of obscuring its source.

The whole story is a fascinating read, digging deep into the casual use of botnets and DDoS attacks by Minecraft server owners and the mostly-accidental thermonuclear-level havoc it wreaked on the internet. Unfortunately, you'll also learn little has been learned by manufacturers -- and users -- of internet-connected devices in the aftermath of these attacks.

Two weeks ago, at the beginning of December, a new IoT botnet appeared online using aspects of Mirai’s code.

Known as Satori, the botnet infected a quarter million devices in its first 12 hours.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: dalton norman, josiah white, minecraft, mirai botnet, paras jha, server wars, servers

Reader Comments

Subscribe: RSS

View by: Time | Thread

  • identicon
    Anonymous Coward, 15 Dec 2017 @ 1:47pm

    But, Russia!

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 15 Dec 2017 @ 2:48pm


      Nice snark. But those of us who actually spend our days and nights researching this stuff know better than you -- FAR better than you -- what the Russians have been up to.

      And no doubt the CI pros with access to SIGINT and HUMINT know FAR better than we do.

      And the bad news is that it's not just the Russians. The Chinese are all over this too. We've hastily built and deployed tens of millions of IoT devices with little-to-no security and thus the question is not *when* they'll be compromised -- they already are. The question is by whom and for what purpose.

      It's not an exaggeration to say that the single best thing we could do for cybersecurity in the US would be to shut down every IoT device and leave it that way.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 16 Dec 2017 @ 5:38am

    So I hate it devices, the only thing in our house that might qualify is our home alarm. Is there any way to tell such a device is infected and then clean it?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 16 Dec 2017 @ 7:58am

    IOT devices are a sinister plot hatched by those who want to take over the world.

    1) deploy millions of easily hacked internet connected devices
    2) create havoc with IOT bot net
    3) pass new draconian laws severely restricting internet activity (conveniently leaving IOT alone)
    4) ???
    5) PROFIT!!!!

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 16 Dec 2017 @ 8:17am

    They use Minecraft to teach kids to code.
    The kids used Minecraft to show us how horrible the internet of shit is.

    reply to this | link to this | view in chronology ]

  • icon
    Ninja (profile), 18 Dec 2017 @ 6:10am

    Krebs had a follow up where he basically found out the identity and most of this during the whole incident back then. They picked up the wrong target to mess with.

    I keep wondering if this brilliant youth used their capabilities to help others, how much better we could be now. (Sounds like an old man but I'm just a few years ahead of them).

    reply to this | link to this | view in chronology ]

  • identicon
    Guest, 18 Dec 2017 @ 5:47pm

    Why is the venue of this plea agreement ALASKA when the hooligans are all east coast kids?

    reply to this | link to this | view in chronology ]

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)


Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.