The Creator of the Mirai Botnet Unmasked
January 18, 2017 3:20 PM   Subscribe

Remember the Mirai botnet that took down Dyn and made most of the Internet unusable for a day back in October of 2016? Internet security expert (and also Mirai botnet victim) Brian Krebs, author of excellent blog Krebs on Security, has a massive, four-months-in-the-making investigation unmasking the creator of Mirai, and it reads like a really good thriller novel.
posted by Peemster (25 comments total) 47 users marked this as a favorite
 
Beat me to the punch, I was just writing this up!

Seriously though, this is absolutely fascinating. Twisting and turning through minecraft server feuds, forum sig photoshops... Not quite Gibsonian in its details, but definitely Shadowrun-esque.
posted by CrystalDave at 3:22 PM on January 18, 2017 [4 favorites]


Ha, sorry! Good reminder of what can happen when a blogger doesn't have to do churn and burn stuff day in and day out to make a living.
posted by Peemster at 3:24 PM on January 18, 2017 [6 favorites]


I love it. If there's one immovable constant in cybersecurity today, it's Do Not Fuck With Krebs.
posted by Itaxpica at 4:02 PM on January 18, 2017 [12 favorites]


Looks like Senpai's the one who got noticed this time...
*puts on sunglasses*
YEEEE-AAAAAAAH
posted by Strange Interlude at 4:09 PM on January 18, 2017 [10 favorites]


1) thank you for posting this, I'd been wondering who the dyn attacker was and I'm really glad it wasn't a state actor
2) this confirms my prediction that the next generation of techies with any skills at all would come from the Minecraft community
3) jesus christ, why are we letting a community of angry children damage significant portions of internet architecture
posted by gusandrews at 5:05 PM on January 18, 2017 [4 favorites]


also can we please not glamorize this shit by comparing it to Gibson, these kids are basically terrorists
posted by gusandrews at 5:07 PM on January 18, 2017 [4 favorites]


As an infosec guy on Team Blue, this reminds me how utterly out of my league I am.

Anna-Senpai is skilled enough to understand at the base metal of a variety of machines how to compromise them with C and ASM based attacks. He's up to date enough to make his compromised machines invulnerable to other attacks by creating security patch tools. He understands advanced routing at a Tier 1 level.

I've got some fancy-schmancy network appliances I put at the edge of our network I'm trying to get not to eat essential traffic, and I'm so lost in the minutae of custom crafting VOIP-friendly ALGs and tightening the application-aware firewall policies down to BDSM-corset-levels amidst the howls of web devs and DBA's, and I only sorta understand OSPF and BGP, enough to get the load balancers to do their thing. I do basic python and bash scripting (and I sneak in some racket, as lisp is fun).

I have a lot of trust in the vendors, and I know it's misplaced, but until ISPs take their human systems seriously, and start paying heavy financial consequences for betraying the trust of those upstream, this cyberpunk shit-show will keep on keeping on. What else can I do?
posted by Slap*Happy at 5:20 PM on January 18, 2017 [16 favorites]


Wow, thanks for posting. That was really fascinating.
posted by chasles at 6:08 PM on January 18, 2017


Wow, really fascinating article about a topic I knew zero about. Thanks for posting!
posted by latkes at 6:20 PM on January 18, 2017


Uh, sorry I weirdly copied your comment chasles, I guess I felt the same way!
posted by latkes at 6:21 PM on January 18, 2017


Knocking over Minecraft servers seems to be today's equivalent of local mafias extorting money from pool halls.
posted by acb at 6:29 PM on January 18, 2017 [5 favorites]


Anna-Senpai is skilled enough to understand at the base metal of a variety of machines how to compromise them with C and ASM based attacks. He's up to date enough to make his compromised machines invulnerable to other attacks by creating security patch tools. He understands advanced routing at a Tier 1 level.

While I understand the difficulties you face, none of this is rocket science. ASM isn't difficult, it just isn't taught any more; knowing ASM is called "knowing how the computer works." I don't agree with the once popular aphorism that "C is portable ASM," but it does try to be and does succeed above a certain level of abstraction. Those routing algorithms were all mostly worked out in the 1960's when there were maybe a dozen computers on Arpanet. We are abusing them in ways their creators could not have imagined, but they were very well designed.

When I taught myself to program if you didn't know ASM you couldn't make the machine do much of anything useful. Since 1990 or so it's been fashionable in CS to dump on ASM as a waste of time because the compiler can do it better. This is simply bullshit, and always has been. A lot of important knowledge has been thrown away because of a fashionable obsession with high abstraction and new tech. In college I was taught how floating point math works, what its limits were, and other fine points of finite math, which is the kind of math computers use. That mostly isn't taught any more either, and you see all kinds of amateur hour (lack of) rounding errors as a result, because people think "throw double precision at it" solves everything.

What Anna-Senpai did is actually much simpler than writing a virus, which has to work within the rather complex rules of an operating system to compromise a file, then after it delivers its payload somehow restore the file so it can seamlessly do what it was originally meant to do without revealing that it was compromised. That is pretty tricky, and also pretty different in every version of DOS and Windows. If you are targeting an embedded device for which you know the password, though, and nobody is trying to play Minecraft or watch porn on its monitor, all you have to do is use the manufacturer's standard method to update the firmware with a new image you've patched to make it your slave. Easy-peasy. Different for each potential device, but you only have to write it once for each model. You need ASM and C skillz to hack the existing firmware and graft on your patch, but it's much simpler than writing a virus for a PC.

I haven't written a virus, but I have reverse engineered a couple to create inoculators, and I have patched firmware in industrial embedded devices when the manufacturers couldn't fix problems I had identified.
posted by Bringer Tom at 6:31 PM on January 18, 2017 [16 favorites]


“When I saw that the Mirai code had been leaked on that domain at Namecentral, I straight up asked Paras at that point, ‘Was this you?,’ and he smiled and said yep,” Zuberi recalled. “Then he told me he’d recently heard from an FBI agent who was investigating Mirai, and he showed me some text messages between him and the agent. He was pretty proud of himself, and was bragging that he led the FBI on a wild goose chase.”

Criminals like this always make me wonder about the ones that keep their mouths shut.

Fantastic article by a great journalist. Can't believe the Washington Post was dumb enough to let Krebs go.
posted by longdaysjourney at 6:48 PM on January 18, 2017 [4 favorites]


"OG_Richard_Stallman"

That is all.
posted by GuyZero at 6:56 PM on January 18, 2017 [1 favorite]


Krebs is a badass.

They have swatted him, sent him heroin via courier, and a million other things -- and he parries every clumsy blow like a Kurosawa samurai. Then he comes back with a scoop on skimmers or botnets or identity theft and jumps ever farther ahead.

I love reading his stuff.
posted by wenestvedt at 7:11 PM on January 18, 2017 [3 favorites]


Itaxpica: "I love it. If there's one immovable constant in cybersecurity today, it's Do Not Fuck With Krebs."

From a Telegram chat tonight with a buddy.

Him, [18.01.17 20:48]
That dude has had so many DOS attacks

Me, [18.01.17 20:49]
I take it as confirmation of his awesomeness.

Him, [18.01.17 20:50]
Yeah
posted by Samizdata at 7:54 PM on January 18, 2017 [1 favorite]


He absorbs DDOS traffic and it just makes him stronger, like goddamn Galactus.
posted by wenestvedt at 7:59 PM on January 18, 2017 [5 favorites]


While I understand the difficulties you face, none of this is rocket science.

I can't do rocket science, either - I'm not dumb, I just can't protect my network with the lego-pieces I'm given. Mail appliance figures out most phishing patterns? Hey! Here's a new one it can't! An update comes down from on high and automatically applied to the appliance two days too late.

Relying on your users to protect their edge is bullshit. Trusting your peers as a major ISP is bullshit. Letting actual, no-kidding criminal protection rackets operate as a "DDoS Protection Service" is bullshit. DOJ needs to haul the lot of them in as racketeers. Won't, especially now won't now that the foxes are in charge of the hen-house in Trumpland.

The hell of it is, the real hell of it it is, it's the inside-out threats that do the worst damage. I really need to be focused on data outbound, but that's not as sexy as "The company site has been down for a half hour!" Usually for a half-assed ransom to make the DDoS stop, payable in DogeCoin or whatevs, and then they give up and move on when we don't pay right away.

TL:DR - "Team Red" is pretty much useless. I'm all siege-cannons and missile-turrets and building two full keys of Battlecruisers. They sign off on my edge network as OK! Doesn't matter. Bitlocker happens anyway.

The real threats are the ones not included in the default install of Kali.

It's by folks who understand people and routing and low-level systems programming better than I ever will, and can manipulate them at their leisure, where their fiercest opponent is that other bot-net operator, not me.
posted by Slap*Happy at 8:04 PM on January 18, 2017 [4 favorites]


The challenges we face in security can be summed up thusly:

Defense: Never make any mistakes.
Offense: Find any flaw.

Yes, it's a bit trite, but the ratio of skill required on the two sides is vastly different. Unfortunately, historically, only the offensive side gains glory. Most conferences focus on breaking things, but few outside academia focus on how to build more resilient systems.

Also, Krebs is awesome. He does yoeman's work.
posted by petrilli at 8:48 PM on January 18, 2017 [5 favorites]


Anyway, can't wait for The Internet Of Things!

Or has 'AI' (snort) taken over as this year's bullshit mill?
posted by GallonOfAlan at 10:50 PM on January 18, 2017 [1 favorite]


these kids are basically terrorists

No they aren't. There are many different types of crimes in this world. You don't have to call every bad thing "terrorism".
posted by ryanrs at 11:11 PM on January 18, 2017 [15 favorites]


One big takeaway for people not in the security business is that the DDOSers and the DDOS protection services are closely intermingled. Both sides are very aware they profit from the other, to the point it affects their business decisions. This includes even well-known companies like Cloudflare. It's not strictly good guys and bad guys here.
posted by ryanrs at 11:20 PM on January 18, 2017 [4 favorites]


He absorbs DDOS traffic and it just makes him stronger, like goddamn Galactus.

These days Krebs is actually getting free DDOS protection from Google's Project Shield, which provides DDOS mitigation services for journalists being targeted for their work. I think he's a great choice.
posted by Itaxpica at 4:30 AM on January 19, 2017 [3 favorites]


I just can't protect my network with the lego-pieces I'm given.

Yeah, that's a bummer. There are several things going on here. Phishing isn't really a technical problem; people have been taping a note with the password to their monitor since the invention of monitors. I don't think there's much you can do about that.

But the big problem today is the ridiculous universality of allowing OS updates to be pushed from the Internet without local intervention. All those routers were captured because the vendor left an open port for firmware updates. Same with most Windows computers hosed by malware. It's been awhile since anyone bothered compromising application programs.

And there is no reason for it to be possible to update the OS remotely. Really if it wasn't for the fact that nobody finishes software, including the OS, before releasing it any more there should be no reason to be able to update the OS at all. It should be in ROM. Or those files should be locked down so that it is physically impossible to rewrite them unless someone is holding a physical switch down. You can maybe make a small case for being able to update a PC OS because new peripherals come around and all, but a router? It's always going to be the same hardware.

The main reason for wanting to update the OS is, rather laughably, security updates, which would cease to be an issue if you couldn't modify the OS remotely.

And of course, this is something the malware writers understand; you can screw around with a default install of Windows all day long, but Papa Legba help you once malware has started hiding itself all over the place and locking things down. I've had to reformat several hard drives because of that.
posted by Bringer Tom at 5:07 AM on January 19, 2017 [2 favorites]


Cloudflare's position puts them in a very grey area; for his part, Krebs has called out Cloudflare for putting themselves in the grey zone.

With respect to DDOS protection, saying "it's not strictly good guys and bad guys" is like saying there are crooked cops. I mean, yeah, but I'm still gonna call the police if my house gets broken into. Google, as mentioned by Itaxpica, is a good guy here (Krebs re:Project Shield). Some ISP are run by good guys; Telia was noted in the article.

But regardless of if you're in computer security or not, put yourself in the seat of someone who makes a living running a Minecraft server. This thing puts bread on your table. You pay a company for a service, DDOS protection, and they're not providing this. Do you take a principled stand to stay with this company, or do you make a "simple" business decision to go with their competitors, the competitors who are the ones attacking them?

I don't know that I'd stay. Hell, I've already started drafting a response email; it starts "Do you have any proof?"
posted by fragmede at 5:32 AM on January 19, 2017


« Older Missing an old friend....   |   Rock, Pudge, and a Killer B Newer »


This thread has been archived and is closed to new comments