Journalist Brian Krebs ‘Unmasks’ Mirai Botnet Developer

The Mirai botnet, most famously used in an attack that brought down Twitter, Reddit, Netflix and other high-profile sites last year, was allegedly written by a young developer who started off in the business of protecting servers from denial-of-service attacks, according to a report.

The report by computer security journalist Brian Krebs, whose website was one of Mirai’s targets, uncovered a number of details indicating that “Anna-Senpai”, the pseudonymous creator of Mirai, is a young man named Paras Jha, founder of distributed denial-of-service (DDoS) attack protection firm ProTraf Solutions.

Minecraft protection

From operating high-profile Minecraft servers Jha went on to create ProTraf with a focus on protecting those servers from downtime, a highly competitive market, according to Krebs.

Minecraft, the second best-selling computer game of all time after Tetris, is offered on servers that allow players to interact in a single virtual world.

He then allegedly joined in the business ProTraf had been set up to combat, offering targeted denial-of-service attacks for $100 (£81) in Bitcoin for each five minutes of downtime.

He was paid by Minecraft server operators to launch attacks against rival servers and also used his botnet resources against competing DDoS protection firms, according to Krebs.

Open source

Krebs said Anna-Senpai – a reference to a popular Japanese cartoon – appears to be only one of dozens of online pseudonyms for Jha. “Mirai” is likewise a reference to the anime series Mirai Nikki, according to Krebs’ research.

ProTraf offered no comment except to tell Krebs it is “in the process of restructuring and refocusing what we are doing”, while Jha has not yet responded to requests for comment, Krebs said.

While Mirai – which draws on attack power from unprotected Internet-connected devices such as TalkTalk routers, cameras and set-top boxes – was initially for Anna-Senpai’s personal use, the developer later made the code public.

That public code was used in October of last year as part of an attack on Oracle-owned DNS provider Dyn which disrupted a number of high-profile websites.

Do you know all about security? Try our quiz!