Investigative journalist publishes on possible identity of Mirai malware author

Spread the love

Investigative journalist Brian Krebs has published an extensive article about the person behind the Mirai malware. Someone used this malware to shut down Krebs’ site last year. The malware’s author previously published the source code under the name Anna-senpai.

Krebs’ investigation, which he says took hundreds of hours, consists mainly of various conversations with and between people who have knowledge of the people behind Mirai. The researcher’s conclusion is that the Mirai malware was most likely developed by the 20-year-old director of the company ProTraf, which, among other things, provides anti-DDOs services to Minecraft servers. He is known by several names, including ‘OG_Richard_Stallman’, ‘Dreadiscool’ and ‘Anna-senpai’. To keep track of all the names from the investigation, Krebs has prepared a list.

Krebs’ first clue is the realization that Mirai isn’t the first botnet made up of poorly secured Internet-of-things devices. Previous versions were known as Bashlite/Bashlight and Qbot. That first name also came up in an initial analysis of the ddos ​​on Brian Krebs’ site in September.

A ddos ​​group called ‘lelddos’, two members of which are in turn associated with ProTraf, used this malware. In addition, one of these members is said to have been the developer of the malware variants. The ddos ​​group mainly focused on attacks on Minecraft servers.

Due to these circumstances, Krebs is targeting ProTraf and the CEO of the company. The researcher mentions a strong similarity between the director’s programming skills mentioned on his LinkedIn profile and Anna-senpai’s profile on the Hackforums site. That’s the site where Anna-senpai released the malware in October. It turns out that this person developed the malware to take over devices infected with older variants such as Qbot, and thus build a more powerful botnet.

The ProTraf director used the Mirai botnet, among other things, to force providers to take Qbot-c2 servers offline, i.e. to zero them, and to extort various parties. He would not have carried out the attack on Krebs’ site himself; this would be the work of a client who rented the botnet from him for five thousand dollars a week.

Krebs’ research leaves some questions open, such as the exact reason behind publishing the malware’s source code and what the next steps are. It’s unclear whether the FBI will take action on the investigator’s discoveries. Due to the size of the research, it is not possible to name all parts, a detail is that the Mirai malware is named after the anime series ‘Mirai Nikki’. The malware’s author seems to be a fan of several series of that genre.

The message accompanying the publication of the Mirai source code

You might also like
Exit mobile version