‘Who Is Anna-Senpai Mirai?’ Story Glossary

This document serves as a glossary for the story published January 18, 2017, “Who Is Anna-Senpai, the Mirai Worm Author?”

Ammar Zuberi: Founder of onetime cloud hosting firm FastReturn. Later went to work as a programmer for ProTraf Solutions. See ProTraf.

Anna-Senpai: A nickname for a Hackforums[dot]net user who built Mirai and subsequently used the forum to leak the source code for the malware. See Hackforums, Mirai.

Anime: Japanese animation films. According to the Mirai author Anna-Senpai, the Mirai malware takes its name from the anime series Mirai Nikki.

applej4ck: The Hackforums nickname for Yarden Bidani, an 18-year-old Israeli man who was arrested in September 2016 by Israeli authorities on suspicion of operating vDOS, one of the longest-running, most powerful and most lucrative DDoS-for-hire services on the Internet. Bidani’s arrest and the closure of vDOS came just hours after a story on KrebsOnSecurity named Bidani and associate Itay “p1st0” Huri as co-owners of vDOS. See p1st0.

B Gate H Hei: An anime film series watched by both Paras Jha (dreadiscool) and Anna-Senpai. See Paras Jha, Dreadiscool.

Bashlite: A.K.A. “Qbot,” a precursor to Mirai. ProTraf “DDoS mitigation expert” Josiah White acknowledged writing the Bashlite component that the malware used to spread to new machines. Several sources say White was involved in writing Mirai as well. See Mirai, Qbot, Josiah White.

BlazingFast: A Ukrainian ISP that has a reputation for hosting botnet control networks.

Botnet: A collection of hacked computers that criminals can control from afar and use for nefarious purposes.

Bulletproof hoster: An Internet hosting provider that criminals can count on to ignore abuse complaints about malware, spam and other Internet detritus. See BlazingFast.

Christopher “CJ” Sculti, Jr.: Owner of DDoS mitigation firm Datawagon. Since its inception, Datawagon has been hosted by ProTraf. Sculti is observed on two occasions in this story warning targets about incoming DDoS attacks moments before those attacks started. Sculti also admitted to building a botnet of 250,000 hacked Internet routers.

Datawagon: A DDoS mitigation company hosted by ProTraf and owned by Christopher “CJ” Sculti, Jr. Datawagon’s Internet address space contained a great deal of space that was hijacked from other companies without permission, and was used in massive spam campaigns.

DDoS: Short for “distributed denial-of-service” attack, a DDoS is a digital siege in which an attacker causes thousands of hacked systems to hit a target with so much junk traffic that it falls over and remains unreachable by legitimate visitors. While DDoS attacks typically target a single Web site or Internet host, they often result in widespread collateral Internet disruption.

Dox: [verb] The act of publishing someone’s personal information online and/or connecting an online alias to a real life identity.

Dreadiscool: The online nickname chosen by Paras Jha. This nickname shows up in discussion forums for a variety of topics related to computer programming and DDoS attacks.

Exfocus (a.k.a., “ogexfocus”): The Twitter account name used by the botmaster who claimed responsibility for targeting Rutgers University in a series of DDoS attacks between 2015 and 2016. See Paras Jha.

FastReturn: A DDoS mitigation company owned by Ammar Zuberi; acknowledged involvement in the temporary theft of Internet address space from ProxyPipe in early 2015.

Francisco Dias: Owner of hosting firm Frantech, attacked twice by Anna-Senpai, once under the pseudonym OG_Richard_Stallman and once under the nickname “jorgemichaels”.

Golang: Until recently an obscure programming language created in 2007 by Google researchers.

Hackforums: An English-language forum that is overrun with young kids trying to learn how to hack so they can steal from or get one over on others.

Hypixel: The most popular Minecraft server, and a frequent target of DDoS attacks.

IoT: Short for the “Internet of Things,” in the context of this story it refers to a proliferation of cheap devices — such as Internet routers and security cameras — that may be vulnerable to compromise by malware and miscreants because of poor default security settings. Botnets like Mirai and Qbot are made up entirely of compromised IoT devices. See Mirai, Qbot.

Jesse Wu: Owner of Namecentral, a domain registrar created in 2013. See Namecentral.

Jorgemichaels: A throwaway nickname chosen by Anna-Senpai to communicate with Frantech owner Francisco Dias. See Francisco Dias.

Josiah White: An “enterprise DDoS mitigation expert,” and one of two main employees of ProTraf. Acknowledged authoring a portion of the Qbot IoT botnet code.

Lelddos: The name of a group of Internet hooligans that took to using IoT botnets in extortion attacks against Minecraft server operators and companies that defended those servers from attacks. According to Ammar Zuberi, the core members of lelddos were CJ and the two employees of ProTraf. See ProTraf, Ammar Zuberi, CJ Sculti.

LiteSpeed: The nickname used by ProTraf’s Josiah White on Hackforums.

Minecraft: A wildly popular computer game owned by Microsoft, which has sold more than 100 million copies. Popular Minecraft servers can make upwards of USD $50,000 a month, which has made them prime targets of extortionists like the lelddos gang.

Minetime: Once a very popular Minecraft server that employed Paras Jha, later the owner of ProTraf.

Mirai Nikki: “The Future Diary”, this Japanese anime film series was the inspiration for the name of the Mirai botnet, according to the Mirai author Anna-Senpai.

Namecentral: Owned by Jesse Wu, an associate of CJ Sculti and Ammar Zuberi. Although it costs upwards of $8,000 a year to run a domain name registrar, Namecentral has sold just a few dozen domains since its inception. About half of them are vanity domains for Wu, CJ Sculti, and Ammar Zuberi. The rest are DDoS-for-hire services, including vDOS and the domain used to leak the Mirai source code. For more on Namecentral, see Spreading the DDoS Disease and Selling the Cure.

ogmemes123123@gmail.com: The email address used by the Mirai botmaster(s).

p1st0: The nickname used by the co-owner of vDOS. See vDOS, applej4ck.

Paras Jha: The owner of ProTraf Solutions. Many people and clues in this story identify Jha as none other than Anna-Senpai, the author of the Mirai botnet code.

ProTraf Solutions: A DDoS mitigation provider that specialized in protecting Minecraft servers from attacks. See Josiah White, Minecraft, Mirai and Paras Jha.

ProxyPipe: A DDoS mitigation firm owned in part by Robert Coelho. Like KrebsOnSecurity.com, Coelho’s company also was attacked by Mirai, as well as Mirai predecessors.

Qbot: An IoT botnet strain that Mirai was designed to destroy. See Josiah White.

OG_Richard_Stallman: One of the nicknames used by the miscreant who repeatedly DDoS’d Rutgers University, as well as a number of hosting providers. OG_Richard_Stallman also was the identity used in multiple extortion attacks against hosting firms. See Francisco Dias, ProxyPipe.

Robert Coelho: Owner of ProxyPipe. See ProxyPipe.

SWATing: A potentially deadly hoax in which an attacker calls in a fake hostage situation or bomb threat at a residence or business with the intention of sending a team of heavily-armed police officers to the target’s address.

vDOS: One of the longest-running and most powerful DDoS-for-hire services on the Internet. It made more than $600,000 in its last two years of operation, and its alleged proprietors were arrested in Israel last year not long after KrebsOnSecurity named them in an investigation.

Vyp0r: The nickname of a Hackforums member that ProTraf employee Josiah “LiteSpeed” White said forced him into publishing IoT botnet code online. See Qbot, Josiah White.