26 Oct 18

Mirai Co-Author Gets 6 Months Confinement, $8.6M in Fines for Rutgers Attacks

The convicted co-author of the highly disruptive Mirai botnet malware strain has been sentenced to 2,500 hours of community service, six months home confinement, and ordered to pay $8.6 million in restitution for repeatedly using Mirai to take down Internet services at Rutgers University, his alma mater.

Paras Jha, in an undated photo from his former LinkedIn profile.

Paras Jha, a 22-year-old computer whiz from Fanwood, N.J., was studying computer science at Rutgers when he developed Mirai along with two other convicted co-conspirators. According to a sentencing memo submitted by government prosecutors, in his freshman and sophomore years at Rutgers Jha used a collection of hacked devices to launch at least four distributed denial-of-service (DDoS) attacks against the university’s networks.

Jha told investigators he carried out the attacks not for profit but purely for personal, juvenile reasons: “He reveled in the uproar caused by the first attack, which he launched to delay upper-classmen registration for an advanced computer science class he wanted to take,” the government’s sentencing memo stated. “The second attack was launched to delay his calculus exam. The last two attacks were motivated in part by the publicity and outrage” his previous attacks had generated. Jha would later drop out of Rutgers after struggling academically.

In January 2017, almost a year before Jha’s arrest and guilty plea, KrebsOnSecurity identified Jha as the likely co-author of Mirai — which sprang to notoriety after a record-smashing Sept. 2016 attack that sidelined this Web site for nearly four days.

That story posited that Jha, operating under the pseudonyms “Ogmemes” and “OgRichardStallman,” gave interviews with a local paper in which he taunted Rutgers and encouraged the school to consider purchasing some kind of DDoS protection service to ward off future attacks. At the time, Jha was president and co-founder of ProTraf Solutions, a DDoS mitigation firm that provided just such a service.

The sentence handed down by a federal judge in Trenton today comes on the heels of Jha’s September 2018 sentencing in an Alaska court for his admitted role in creating, wielding and selling access to Mirai — malware which enslaves poorly-secured Internet of Things (IoT) devices like security cameras and digital video recorders for use in extremely powerful attacks capable of knocking most Web sites offline.

Prosecutors in the Alaska case said Jha and two co-conspirators did not deserve jail time for their crimes because the trio had cooperated fully with the government and helped investigators with multiple other ongoing cybercrime investigations. The judge in that case agreed, giving Jha and each of his two co-defendants sentences of five years probation, 2,500 hours of community service, and $127,000 in fines.

Prosecutors in Alaska argued that Jha had completely turned over a new leaf, noting that he was once again attending school and had even landed a job at an unnamed cybersecurity company. Sending him to prison, they reasoned, would only disrupt a remarkable transformation for a gifted young man.

However, the punishment meted out today for the Rutgers attacks requires Jha to remain sequestered in his parents’ New Jersey home for the next six months — with excursions allowed only for medical reasons. The sentence also piles on an additional 2,500 hours of community service. Further, Jha will be on the hook to pay $8.6 million in restitution — the amount Rutgers estimated it cost the university to respond to Jha’s attacks.

Jha could not be immediately reached for comment. But his attorney Robert Stahl told KrebsOnSecurity today’s decision by the New Jersey court was “thoughtful and reasoned.”

“The judge noted that Paras’ cooperation has been much more extensive and valuable than any he’s ever seen while on the bench,” Stahl said. “He won’t be going to back to school right now or to his job.”

It is likely that Jha’s creation will outlive his probation and community service. After the Sept. 2016 attack on KrebsOnSecurity and several other targets, Jha and his cohorts released the source code for Mirai in a bid to throw investigators off their trail. That action has since spawned legions of copycat Mirai botnets and Mirai malware variants that persist to this day.

Update, Oct. 27, 9:30 a.m. ET: A previous version of this story incorrectly stated that the courthouse in Friday’s sentencing was located in Newark. It was in Trenton. The above copy has been changed.


45 comments

  1. Should have gotten hard jail time to discourage others from doing this.

    • DelilahtheSober

      I agree with you that six months of home confinement is ridiculous, however the $8.6 million dollar fines and penalties will follow this young man to the grave.

      • He won’t be paying on this forever.

        He’ll most likely be making payments for the full term of his probation, and the rest will go unpaid. It will only be temporary financial ruin.

        It’s like the 15 year old getting hit with a $36m fine for setting the Eagle Creek fire in Oregon. He will most likely pay under $50,000 towards it.

        • Jonathan Marcus

          @Bluephoria, cite for that? I was under the impression that criminal fines were not dischargeable.

          I think the Eagle Creek fire fine was for restitution, which might make a difference? Also, it was assessed on a minor. And finally, I believe it was from a state court, not the feds.

          This was a criminal penalty assessed on an adult by a federal court. My uninformed guess is that Delilah is right. This fine will dog him until the day he dies.

      • CaliforniaSucks

        California Judge is to blame for this bullsh*t

    • 2500 hours of community services is a decent alternative to prison to be honest, he’ll be working – bored out of his head for that time.

      I just wish we saw more X thousand hours of community service handed out rather than 100 here and 250 there. It can be a good deterrent on its own; damn sure I wouldn’t want to have to spend a year working full time picking up trash unpaid.

      Assuming he has to do it all – enforcement is likely different in each state/country these days.

      • His community service is cooperation with the FBI, not picking up garbage, the court documents say this. In reality his cooperation is going to be things he likes doing anyway

  2. “sentenced to 2,500 hours of community service, six months home confinement, and ordered to pay $8.6 million in restitution”. He has become a living paradox: how could such a smart person be so stupid? I have a suggestion for the community service: 2,500 hours of changing diapers in a nursing home. As for the court ordered restitution, I would like to introduce you to a lifelong companion, the word “garnishment”.

  3. The Sunshine State

    What, he didn’t have autism, A.D.H.D. or some other excuse to explain his actions?

    • bone spurs?

    • His lawyer stated in court yesterday that Jha was socially awkward, did not fit in with the Rutgers lifestyle, and had undiagnosed ADHD, for which he is now taking medication. It was not offered as an excuse, but that these issues have been addressed and he will not be committing additional crimes. He is currently working with the FBI and has helped them apprehend cyber criminals.

      However, I’m sure there are lots of socially awkward, misfit students with ADHD and they don’t attack the school’s computer systems with the world’s largest botnet.

  4. The $8.6 million fine is ridiculous. There’s no way it cost Rutgers that amount of money to respond to what sounds like a relatively minor DDoS.

    • 400+gbit floods are not relatively minor

    • Rutgers is a very large multi-campus multidisciplinary university.

      “…used a collection of hacked devices to launch at least four distributed denial-of-service (DDoS) attacks against the university’s networks.”

      So divide $8.6 million dollars by 4 …

      What I could find easily is the expenditures for fiscal year 2018-2019 is 4.3 billion dollars. I could not find a break-out for just the non-academic computer operations.

      I doubt they make public how many IoT devices they have, but they will have a lot of security cameras, access-control devices, and inventory-control devices.

      How much of the DDoS originated from IoT devices on the university’s own networks? Including stuff installed by students?

      And they have a large health-care operation, along with clinical trials. All of that will be computerized, along with Internet connections to other health care operations.

      All that disrupted by a massive DDoS attack. They most likely have equipment in place to mitigate most attacks, as the criminal element is always trying to get in, but to be completely cut off from the Internet really messes up productivity.

      Logistics, MattK.

    • It cost Rutgers several million dollars to deal with the record breaking DDOS attack launched against them.

      That doesn’t even count all the other victims.

    • MattK,

      I agree the fine was ridiculous. There is no way Rutgers spent that much to deal with a nuisance.

      I see how it’s terribly disruptive and annoying. That should open him up to being punished in the civil system, with KOS and Rutgers suing him for any expenses.

      But I fail to see why government prosecution and criminal sentencing should be involved. No one was physically harmed.

      • “No one was physically harmed”?!?! Is this your only standard for criminal prosecution? So robbing someone or some place is OK as long as nobody gets hurt?

        • Derek,

          Yes.

          Theft involving a weapon, threat, or force deserves criminal prosecution, because there is a physical or psychological harm to a human being

          Theft by botnet is fundamentally a dispute over property taken by deception, not force. No one got hurt. That belongs in civil court, not criminal.

  5. I have committed crime before too; it was cyber crime and a little bit of stolen money laundering. I was guilty. I said yes, I did.
    I did 4 months jail time.
    In jail I read books and did jail workouts; it was a healthy time there. I was a better person after that jail time.
    What can I say, I committed crime and I paid for this with my freedom.
    But to give away my freedom I got money at least.
    I got extradited from the country after 4 months in prison.

    It was times when carding, cybercrimes and all kinds of things were popular.
    But now carding is over and I don’t think much cybercrime will last too; the system is slowly, slowly getting more and more secured.

    But at least I said at court that, yes I’m guilty, yes I did.
    I’m from the Soviet bloc; I’m now doing legal business, nothing criminal anymore. I learned my lesson the hard way.
    I did hard time. Jail was not a nice place to be; food was not healthy and with enough nutrients.
    The best way to earn a lot of money is the legal way; crime is not a good way. Old boys from the carding business, many are legal and 100% legitimate now.
    And that’s the way to be: you can do morally bad things, but with law and government everything must be all right.

  6. Another poster recently on this or a social media site was in favour of the death penalty for all such cyber crimes – these criminals put all our lives at risk – I second that recommendation.

    • How was your life put at risk? We don’t even give the death penalty to murderers unless the crime is especially heinous. Do you mean to say that his actions were worse than that of a violent offender?

      • People that think cybercrime deserves the death penalty are people that have a hard grasp on technology or anything technical. Their lack of intelligence creates a legitimate fear, but also fosters a deep sense of jealousy being left out not understanding how other people can understand something they are too incompetent to understand themselves.

  7. “That action has since spawned legions of copycat Mirai botnets and Mirai malware variants that persist to this day.”

    Yes, we constantly see scans from IPv4 hosts infected with Mirai-like malware. This type of traffic is very distinctive and easy to identify.
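As an added illustration of why Mirai-style scanning stands out (example code written for this page, not from the post or its commenters): the released Mirai scanner sends SYN-only probes to TCP 23/2323 with the destination IPv4 address copied into the TCP initial sequence number, and this script checks flow records for that fingerprint. The record field names and the sample records are assumptions constructed here.

```python
import ipaddress
from collections import Counter

# Ports the released Mirai scanner probes: telnet and its common alternate.
MIRAI_SCAN_PORTS = {23, 2323}


def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 address to its 32-bit big-endian integer value."""
    return int(ipaddress.IPv4Address(ip))


def is_mirai_like_syn(pkt: dict) -> bool:
    """True if a parsed TCP record looks like a Mirai telnet-scanner SYN.

    Mirai's scanner sends SYN-only packets to 23/2323 and copies the
    destination IPv4 address into the TCP initial sequence number, so a
    SYN whose seq equals the destination address is the fingerprint.
    """
    return (
        pkt["flags"] == "S"
        and pkt["dport"] in MIRAI_SCAN_PORTS
        and pkt["seq"] == ip_to_int(pkt["dst"])
    )


def find_mirai_scanners(packets, min_hits: int = 3) -> dict:
    """Count fingerprint matches per source; return sources at/above min_hits.

    Requiring several hits avoids flagging a single coincidental match.
    """
    hits = Counter(p["src"] for p in packets if is_mirai_like_syn(p))
    return {src: n for src, n in hits.items() if n >= min_hits}


def _syn(src, dst, dport, seq):
    """Build one constructed SYN record (assumed field layout)."""
    return {"src": src, "dst": dst, "dport": dport, "flags": "S", "seq": seq}


# Constructed sample records (not a real capture): 203.0.113.7 sweeps
# telnet ports with seq == destination address; 198.51.100.9 is an
# ordinary client with a random initial sequence number.
SAMPLE = [
    _syn("203.0.113.7", "192.0.2.10", 23, ip_to_int("192.0.2.10")),
    _syn("203.0.113.7", "192.0.2.11", 23, ip_to_int("192.0.2.11")),
    _syn("203.0.113.7", "192.0.2.12", 2323, ip_to_int("192.0.2.12")),
    _syn("198.51.100.9", "192.0.2.10", 23, 0x1F2E3D4C),
    _syn("198.51.100.9", "192.0.2.10", 22, ip_to_int("192.0.2.10")),  # not a scan port
]

if __name__ == "__main__":
    for src, n in find_mirai_scanners(SAMPLE).items():
        print(f"{src}: {n} Mirai-style SYN probes")
```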

  8. Good report, that the local and network didn’t cover, that I watched. It’s old news now. So they won’t. A hefty fine, a slap on the wrist, and a well paid job he can do from his local computer. Some punishment. I would bet paying off the fine would be part of a two year contract.

  9. You have an error (in two places) – The court was in Trenton, NJ, not Newark.

  10. I would be a lot happier if this dirtbag had got at least 5 years hard time in the federal pen.

  11. Brian Fiori (AKA The Dean)

    I’m just a bit confused about one thing. Did he commit the IOT/DDOS attacks on Krebs after “turning his life around” and working with the FBI? In other words, has he already broken a promise to go on the straight and narrow to re-engage in this illegal activity? Or did both these convictions happen after all of his (known) illegal activity.

    If the Krebs attack came AFTER he had already come to an agreement with the FBI (or other law enforcement agencies), then the detention sentence was far too light, IMO. (The monetary penalty is more than adequate.)

  12. If the FBI had found him he would have gotten 12 years—but Krebs found him so they needed to downplay the severity of his crimes.

    This is the real story of cyber security: federal law enforcement contributes nothing but a cloud of squid ink.

  13. Although I would never advocate the death penalty (!) for this type of crime I have to agree with others that *mandatory* prison confinement, minimum 3-5 years, should be imposed. Without this the government is essentially sending a green light signal.

    Of course it wouldn’t discourage those hell-bent on doing this at any cost but it certainly would scare off many others and he/she could just as easily help authorities from behind bars.

    • Home confinement at his parents is perfect… they have to feed and diaper him. He is not another tax payer burden / open mouth in the federal penal system. His sentence should be extended to years though.

      This approach should be used more widely. 3 time losers get the chain gang building roads and cutting grass…. takin’ it off here boss

  14. This is infrastructure terrorism. How much harm has this man done? Is it even calculable? Subtract from his lifetime the total hours he has cost others, and see where that leaves him. Probably at death penalty plus 100 years.

    • Maybe we should add up all of the people’s time you’ve wasted with this moronic comment and subtract it from your lifespan too

  15. “Paras Jha, a 22-year-old computer whiz from Fanwood, N.J., was studying computer science …”

    “The second attack was launched to delay his calculus exam.”

    “Jha would later drop out of Rutgers after struggling academically.”

    Script kiddie. I suspect he was embarrassed and annoyed that many others in his calculus classes did their homework and tests as fast as they could write the intermediate equations (to prove to the prof they knew what they were doing). These days most computer programming does not require calculus, competence with college algebra is adequate.

    Then again, his extracurricular activities (business) might have distracted him from his academic studies.

    • If you’re programming or coding, you’re not a script kiddie. That said, as programming requires the use of pre-existing libraries from other people’s code, you could make the argument that anyone that didn’t invent a programming language and uses it is a script kiddie. I would err on the former, but I imagine that’s where you would fit with your lack of expertise as well.

  16. If Rutgers spent $8.6 million dealing with a couple DDOS attacks, their management should be in jail too.

    • Hear, hear!

    • I agree this is egregious. But as someone that has responded to these there are the things that really solved the problem, and there are the things you put in place to avoid future incidents that are tremendous overkill and if you roll those non-capitalized numbers into a random stack of receipts you could get to that number pretty quickly.

      An enterprise grade high availability reverse proxy fully kitted with WAF, DDoS protection, virtual patching, etc. can easily get into 7 figures with more negotiation, and professional services to get it racked, stacked, and operational is going to be a massive expense that could easily cover 2-3 times that much.

      Security is a huge expense generator, largely because you have to do it, so experts run into consulting as soon as they are sniffed out by consulting firms. I’m a corporate guy, so I live the worst of both worlds. Average pay and all the responsibility for consultants’ mistakes.

  17. While there wasn’t anyone physically injured, you had better believe that remediating these attacks took funds away from students at Rutgers. This is theft, plain and simple.

    I would have liked to see some jail time, not for the Rutgers incident, but for releasing the code the way he did. It would be hard to estimate the amount of damage he did with that one selfish act, but it’s far, far larger than anything he did at Rutgers.

  18. I am kind of torn. Don’t do the crime if you can’t do the time. But prison would have been a death sentence for him.