
Ever since the Mirai DDoS attack was launched a few weeks ago, we have received a number of questions that I will try to answer here. If you have more follow-up questions, please let me know!

Who is the Author of Mirai?
The presumed developer goes under the pseudonym of 'Anna Senpai' on Hackforums - an English-speaking hacker forum.
His/her account on the forum is recent (July 2016) and was probably created when he/she started working on Mirai. For example:

July 10 - Begins "killing QBots"
August 8 - Brute forcing telnet logins
August 9 - Planning attack on OVH? Hackers on the forum were obviously looking for a botnet to rent. Given this thread, it is possible OVH was not targeted by Mirai, or not by Mirai only. Other IoT botnets such as Kaiten are mentioned.
Sept 19 - Discussing how to DDoS onion.to

The account does not reveal any personal data, apart from the fact that Anna Senpai poses as a clever person, well informed on cybercriminality (see the forum posts linked in the original article), and arrogant.
His/her (actually, I'd vote for "he", but that's a personal guess!) country of origin is unknown. The only possible hints are the following - but they could all be false leads:

Hackforums is an English-speaking forum.
Mirai means 'Future' in Japanese and in Chinese.
The source code has references to Russian (which could have been copy/pasted).
His/her Skype login indicates he/she lives in Australia.

Finally, note that "Anna Senpai" is very probably the developer of Mirai, but may not have been involved in all of the DoS attacks attributed to Mirai. Indeed, as the source code was publicly released on Sept 30, 2016, other individuals or cybercriminal groups may have downloaded and used it. Some will say this strategy is quite shrewd to complicate attribution. ;) On a positive note, inspection of the source code makes the malware easier to understand and detect. It may be viewed on several GitHub repositories (linked in the original article).
Who is Behind the Attacks?

The most recent attack on Dyn was claimed by a group known as New World Hackers in retaliation for Ecuador's rescinding Internet access to WikiLeaks founder Julian Assange, who has been granted asylum at their embassy in London. Two members of this group said they did it to "test power." So far, this claim hasn't been backed up by other data.
For other attacks: see the first question. Attribution is more difficult because the source code is now public.
Is the Malware Advanced?

The source code does not implement any particular "exploit" and is therefore relatively easy to write. It is, however, quite well written, and the implementation of all types of floods requires some network programming knowledge.
Anyway, contrary to general belief, malware need not be "advanced" to be efficient: the KISS principle (Keep It Simple, Stupid) works very well for malware...
List of Attacks Attributed to Linux/Mirai

| Date | Where | Rate | Comments |
|---|---|---|---|
| Oct 21, 2016 | Dyn DNS | 1.2 Tbps? | Some of the attacks were coming from hosts infected with Mirai. Impacted Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix. New World Hacker group claimed responsibility. Size of botnet: 100,000. |
| Sept 22, 2016 | OVH | 1 Tbps | 145,607 cameras and DVRs |
| Sept 13, 2016 | KrebsOnSecurity.com | 620 Gbps | More info from host Akamai |
| Aug 17, 2016 | Incapsula | 280 Gbps | Size of the botnet: 49,657 unique IPs. Most from CCTV cameras, DVRs and routers. |
What is the Relationship of Mirai With Kaiten, Gafgyt, Bashlite etc?

Comparing:

| | Tsunami | ELF/Gafgyt | Linux/Moose | PNscan | Linux/Remaiten | Mirai |
|---|---|---|---|---|---|---|
| Date | 2013 | 2014 | 2015 | 2015 | 2016 | 2016 |
| Aliases | Kaiten | Gayfgt, Bashlite | | | KTN-Remastered, KTN-RM | |
| Propagation via IP scanning | | Telnet (23) | On port 10073 or 23 | SSH (22) | Telnet (23) | Telnet |
| Password brute force | | | | | | |
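The propagation rows above (IP scanning for telnet, then password brute force) are what a defender can actually see in perimeter logs, independently of which family is doing it. The script below is an added example written for this article, not code from the original post or from any of the malware families it compares: it reads constructed firewall log lines in an assumed format (`<ISO timestamp> SYN|LOGIN src=… dst=… dport=… [result=…]`), flags a source that touches many distinct hosts on port 23 within a short window (scanning), and flags a source/destination pair with a run of failed telnet logins, noting when a success follows the run (a likely compromised device). The port set, window and thresholds are assumptions to tune for a real network.

```python
"""Detect Mirai-style telnet scanning and password brute forcing in firewall logs.

Added example for this article; log format, ports, window and thresholds are
assumptions, not values from the original post or from any malware sample.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TELNET_PORTS = {23}                  # the telnet port named in the table; assumed set
SCAN_WINDOW = timedelta(seconds=60)  # assumed sliding window for scan detection
SCAN_THRESHOLD = 10                  # distinct telnet targets per source in the window
BRUTE_THRESHOLD = 5                  # failed telnet logins per (src, dst) pair

# Assumed log line shape: "<ts> SYN|LOGIN src=<ip> dst=<ip> dport=<n> [result=fail|ok]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>SYN|LOGIN) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+)(?: result=(?P<result>\w+))?$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["dport"] = int(e["dport"])
    return e


def find_scanners(events):
    """Sources that hit >= SCAN_THRESHOLD distinct hosts on a telnet port inside SCAN_WINDOW."""
    per_src = defaultdict(list)
    for e in events:
        if e["event"] == "SYN" and e["dport"] in TELNET_PORTS:
            per_src[e["src"]].append((e["ts"], e["dst"]))
    scanners = {}
    for src, hits in per_src.items():
        hits.sort()
        window, best = deque(), 0
        for ts, dst in hits:
            window.append((ts, dst))
            while ts - window[0][0] > SCAN_WINDOW:   # drop hits older than the window
                window.popleft()
            best = max(best, len({d for _, d in window}))
        if best >= SCAN_THRESHOLD:
            scanners[src] = best
    return scanners


def find_bruteforce(events):
    """(src, dst) pairs with >= BRUTE_THRESHOLD failed telnet logins, plus pairs where a
    success followed such a run (the device most likely accepted a default password)."""
    fails = defaultdict(int)
    compromised = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "LOGIN" or e["dport"] not in TELNET_PORTS:
            continue
        key = (e["src"], e["dst"])
        if e["result"] == "fail":
            fails[key] += 1
        elif e["result"] == "ok" and fails[key] >= BRUTE_THRESHOLD:
            compromised.add(key)
    flagged = {k: n for k, n in fails.items() if n >= BRUTE_THRESHOLD}
    return flagged, compromised


def analyse(text):
    """Run both detectors over raw log text; unparseable lines are skipped."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    brute, compromised = find_bruteforce(events)
    return {"scanners": find_scanners(events), "bruteforce": brute, "compromised": compromised}


def constructed_sample_log():
    """Constructed sample data (documentation-range IPs), not a real capture."""
    lines = []
    for i in range(12):   # one source probing twelve hosts on port 23 within six seconds
        lines.append(f"2016-10-21T12:00:0{i % 6} SYN src=198.51.100.7 dst=192.0.2.{10 + i} dport=23")
    lines.append("2016-10-21T12:00:05 SYN src=203.0.113.9 dst=192.0.2.50 dport=443")   # benign
    lines.append("2016-10-21T12:00:06 SYN src=203.0.113.9 dst=192.0.2.20 dport=23")    # single target
    for s in range(7, 13):  # six failed telnet logins, then a success
        lines.append(f"2016-10-21T12:00:{s:02d} LOGIN src=203.0.113.9 dst=192.0.2.20 dport=23 result=fail")
    lines.append("2016-10-21T12:00:30 LOGIN src=203.0.113.9 dst=192.0.2.20 dport=23 result=ok")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, hits in analyse(constructed_sample_log()).items():
        print(f"{name}: {hits}")
```

The scan detector keys on distinct destinations rather than raw SYN counts so that a legitimate management host re-trying one device is not flagged, and the brute-force detector treats a success after a run of failures as the highest-priority alert, since that is the point at which a device has joined the botnet rather than merely been probed.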