Mirai Botnet Co-Author Sentenced to $8.6 Million Fine
The convicted co-author of the Mirai botnet has been ordered to pay $8.6 million in damages for launching a series of distributed denial of service (DDoS) attacks at Rutgers University late last year that took down the school’s main server and blocked internet access.
U.S. District Judge Michael Shipp sentenced the former student, Paras Jha, to six months of house arrest for violating the Computer Fraud and Abuse Act. Jha blasted out the DDoS attacks from November, 2014 to September, 2016, reportedly hobbling the school’s campuses for extended periods of time. During some of that time, Jha apparently taunted the University about the attacks through a local newspaper.
“Jha’s attacks effectively shut down Rutgers University’s central authentication server, which maintained, among other things, the gateway portal through which staff, faculty, and students delivered assignments and assessments,” U.S. Attorney Craig Carpenito said in a Justice Department statement. “At times, Jha succeeded in taking the portal offline for multiple consecutive periods, causing damage to Rutgers University, its faculty, and its students.”
Jha reportedly said that profit was not his motive in carrying out four DDoS attacks. He apparently did it for kicks, according to the Justice Department’s sentencing document (via KrebsonSecurity). He set off the first attack to give him time to register for a computer science class he wanted to take. A second attack was launched to delay an upcoming math exam. And, he evidently liked the notoriety the first two attacks had generated, the government said. Following the first wave of attacks, Rutgers spent some $3 million to improve its security profile. Rutgers did not comment on Jha’s sentencing.
Krebs pointed the finger at Jha in January, 2017 as a possible co-author of the Mirai malware, which crippled the Internet worldwide in September, 2016. According to Krebs, the FBI questioned both Jha and another hacker, Josiah White, about the botnet.
In a separate case, Jha, White and Dalton Norman, in late September were sentenced to five years probation, 2,500 hours of community services and ordered to pay $127,000 and accumulated cryptocurrency for launching the Mirai botnet. “The defendants attempted to discover both known and previously undisclosed vulnerabilities that allowed them to surreptitiously attain administrative or high-level access to victim devices for the purpose of forcing the devices to participate in the Mirai Botnet,” the feds said.
Jha, White and Norman posted source code for Mirai online beginning in the fall of 2016. Several copycat Mirai variants sprung up almost immediately that kicked off a number of subsequent, potent DDoS attacks.