Botnet bandits drop dimes on cybercrimes

New court filings reveal how the operators of the infamous Mirai botnet are helping the FBI combat cybercrime.


The story of three American teenagers who banded together to create the devastating Mirai botnet serves as a cautionary tale of technically minded youths led astray.

Now, in a twist, a court has sentenced the three men to just five years of probation, with prosecutors citing their "extraordinary assistance and cooperation" with the FBI on other cybercrime investigations over the past year.

Paras Jha, Josiah White and Dalton Norman are apparently so good at tracking and identifying criminal botnet activity that the government would rather they continue their work, with the Department of Justice requesting that the court bump their community service requirements from 200 hours to 2,500 hours and to define community service to include continuing their work with the FBI on cybercrime and cybersecurity cases.

"The plea agreement with the young offenders in this case was a unique opportunity for law enforcement officers, and will give FBI investigators the knowledge and tools they need to stay ahead of cyber criminals around the world," said U.S. Attorney Bryan Schroder in a statement announcing the sentence.

In court documents, U.S. lawyers revealed that the trio has spent the past year working closely with the FBI's Anchorage, Alaska, office, applying the same skillset they once used as cyber criminals to find "novel ways" to crack down on botnet crime.

The three men worked "exhaustively" to identify botnet operators and proxy networks used to launch distributed denial-of-service attacks since being arrested and pleading guilty in 2017 to multiple violations of the Computer Fraud and Abuse Act, said Adam Alexander, assistant U.S. attorney for Alaska, where the case was investigated. 

"By working with the FBI, the defendants assisted in thwarting potentially devastating cyberattacks and developed concrete strategies for mitigating new attack methods," Alexander wrote in court documents.

Alexander also credited them with helping to mitigate a new attack vector that abused exposed memcached servers to amplify DDoS traffic to enormous volumes. The vulnerability, which security researchers at the time characterized as "rare," led to a series of massive DDoS attacks in Europe and the U.S. earlier this year.

The three worked with the FBI and security vendors to identify vulnerable servers and communicated with affected companies to quickly and drastically curb the volume and effectiveness of the attack to "mere fractions" in a matter of weeks. The defendants also helped reverse engineer botnet computer code, developed tools to help law enforcement examine cryptocurrencies, participated in briefings with companies and security researchers and reconfigured data seized from another notorious botnet, Kelihos, so that law enforcement could identify and notify victims.

Jha, White and Norman pleaded guilty in December 2017 to hijacking hundreds of thousands of internet-connected devices in order to execute DDoS attacks against businesses and competitors in service of extortion and click-fraud schemes. Their botnet, nicknamed Mirai, was substantially more powerful and sophisticated than others, and investigators characterize its activities against U.S. and European hosting companies in September 2016 as "the largest such [DDoS] attack ever recorded."

While attempting to throw investigators off his trail, Jha posted the source code for Mirai to the internet in September 2016, a step that prosecutors called "the most damaging and significant acts," noting that the code has since "become the progenitor to countless descendant variations" of botnets worldwide.

In a Sept. 18 post, cybersecurity company Kaspersky Lab said that Mirai code still serves as "cybercriminals' preferred option" for downloading malware onto internet-connected devices.