Mirai is responsible for some of the largest DDoS attacks ever seen

Anna-Senpai, the mysterious leaker of the Mirai code, has apparently been unmasked by Brian Krebs. Krebs, an investigative security journalist and founder of KrebsOnSecurity, was the subject of a record-breaking DDoS attack, the first in a series of record-breaking attacks in late 2016 that employed Mirai botnets.

Now, Krebs has published a lengthy history, the product of “hundreds of hours of research”, of his attempts to discover more about Mirai and the mysterious hacker who published its source code. The investigation navigates through Minecraft server wars, Anime aficionados and finally to the person behind the enigmatic Anna-Senpai persona.

The story starts with the Lelddos gang, a group of known DoSers that emerged around 2014 and would launch large attacks, commonly against Minecraft servers.

Minecraft, a popular world-creation game, draws tens of millions of users from all over the globe, making the hosting of its servers a lucrative industry. One of Krebs' sources, Robert Coelho, runs ProxyPipe Inc., a company that specialises in protecting Minecraft servers from DDoS.

In 2015, Coelho claimed to have had his Skype account remotely shut down by the teenage owner of a competing DDoS protection company, CJ Sculti Jr. Skype was the main line of contact between Coelho and his customers.

At the time, Coelho claimed Sculti's company, Datawagon, was tied to yet another Minecraft-oriented DDoS protection company, ProTraf Solutions, which was trying to poach ProxyPipe's customers.

After Coelho's Skype was disabled, ProxyPipe was relentlessly DDoSed. Krebs quotes Coelho as saying: “We told our customers that we knew [ProTraf] were the ones doing it, but some of the customers didn't care and moved over to ProTraf anyway because they were losing money from being down.”

Around the same time, Krebs was also contacted by Sculti, who claimed to have found 250,000 devices, most of them routers, exploitable with a “few sets of default logins”. Moreover, Sculti said he had uploaded and executed a binary on them.

One of Krebs' sources, a former ProTraf employee, alleges that Sculti Jr and the owners of ProTraf Solutions are the Lelddos gang.

After perusing the LinkedIn page of ProTraf's president, Paras Jha, Krebs noticed distinct similarities between the skills listed on that page and those of another persona: “After first reading Jha's LinkedIn resume, I was haunted by the nagging feeling that I'd seen this rather unique combination of computer language skills somewhere else online. Then it dawned on me: The mix of programming skills that Jha listed in his LinkedIn profile is remarkably similar to the skills listed on Hackforums by none other than Mirai's author — Anna-Senpai.”

Anna-Senpai had introduced himself on Hackforums by listing credentials and skills that were startlingly similar to those on Jha's LinkedIn page. After digging into Jha's online footprint, Krebs found mentions that Jha commonly used the nickname “Dreadiscool” on a number of computer programming and Minecraft forums, where he commonly discussed, among other things, DDoS attacks.

A short while after the successive record-busting attacks on Krebs and OVH, a French hosting provider, Coelho's ProxyPipe was also attacked by a Mirai botnet. Coelho started to issue complaints to the firms that hosted the botnet. After a series of complaints to a variety of companies, that botnet's control server was killed by its host.

As it turned out, Anna-Senpai was trying to do the same thing to rival botnets, killing Mirai's competition in the process. Anna-Senpai got in touch with Coelho, who was using a pseudonym, to congratulate him on the move.

During the conversation, Anna-Senpai divulged that the DDoSer had been renting out portions of his Mirai botnet. The rented botnets were used to deal largely the same fate that had so often befallen Coelho's business.

Coelho did not know who Anna-Senpai was when the hacker first got in touch, until a colleague noticed Dreadiscool post code that looked awfully similar to code in Mirai.

A former employee of ProTraf, Ammar Zuberi, eventually divulged to KrebsOnSecurity that Jha privately admitted responsibility for Mirai and a series of DDoS attacks on Rutgers, while Zuberi visited Jha at his Rutgers campus apartment.

When the Mirai code was released, it was published on a site registered via a little-known domain name registrar, Namecentral. Zuberi told Krebs that only a handful of people knew of the registrar, including Jha, Sculti Jr and Zuberi.

Zuberi told Krebs: “When I saw that the Mirai code had been leaked on that domain at Namecentral, I straight up asked Paras at that point, ‘Was this you?,’ and he smiled and said yep”.

Although Jha had not responded by the time of publication, he later got back to Krebs, denying involvement in the DDoS attacks on Rutgers and the authorship of Mirai. Jha added that while he was visited by Zuberi, he did not admit to leaking Mirai, and he called the author of the malware a "sociopath".

The publication of Mirai's code has been deemed groundbreaking. A late 2016 Institute for Critical Infrastructure Technology report, entitled Rise of the Machines, called it a ‘quantum leap’ in cyber-criminality “not because of sophistication or any innovative DDoS code, rather it offers a powerful development platform that can be optimised and customised according to the desired outcome of a layered attack by an unsophisticated adversary.”

While cyber-security company Digital Shadows said that that might be overstating the case, the revelation that a 20-year-old university student may be responsible for the most powerful DDoS attacks ever recorded is not inconsiderable news.

Mirai successively broke its own records with sprawling botnets made up most notably of IoT devices. Once the malware infects a device, it scans for others like it before executing a dictionary attack, guessing passwords from a collection of commonly used default credentials.

The botnets it can create, forged from thousands of these vulnerable devices, have highlighted great weaknesses within the IoT, weaknesses that are often discussed within the security industry.

When a Mirai variant attacked nearly a million routers of Deutsche Telekom customers, Graham Mann, managing director of Encode Group, told SC Media UK, “We have millions of IoT devices worldwide, which through poor security [default passwords] are prime targets for botnets.”

“The sheer numbers provide attackers with immense computing power from which to mount devastating DDoS attacks. IoT devices are soft targets, they can be anywhere in the world, they won't have AV or security, owners will rarely update the firmware or configure them, and the majority of owners will have no idea that their devices are being misused for nefarious purposes.”

Steve Armstrong, managing director of Logically Secure, told SC that this investigation is an important one, throwing up several revelations: “It will be interesting to see how the DDoS industry defends itself against some of the aspects brought to light by this investigation; it appears that several of the mitigation providers have alter egos that are the source of the very problem they claim to fight.”

A spokesperson for Rutgers University told SC, “we continue to cooperate with law enforcement authorities in connection with the ongoing investigation of the DDOS attacks. We have no further comment as the matter is under investigation.”

But aside from the clear revelations about the identity of Anna-Senpai, the story reveals an intricate ecosystem of DDoSers, starting as a seed within Minecraft communities.

The sheer amounts of money devoted to hosting servers were surprising enough, Krebs told SC, let alone the fact that illicit competition practices involving DDoS were being honed here and then applied elsewhere.

DDoS-for-hire services used to be difficult to find and unreliable, added Krebs: “the guys who have been creating these tools have been kind of driving this business.”

With networks of hacked devices, “the ones who've been developing these IoT botnets have been able to supplement the firepower” which makes them stand out significantly, said Krebs. “These guys are coming up with solutions to problems which a lot of companies don't even know they have yet”.