Mirai Co-Author Gets 6 Months Confinement, .6M in Fines for Rutgers Attacks
The convicted co-author of the highly disruptive Mirai botnet malware strain has been sentenced to 2,500 hours of community service, six months home confinement, and ordered to pay $ 8.6 million in restitution for repeatedly using Mirai to take down Internet services at Rutgers University, his former alma mater.
Paras Jha, a 22-year-old computer whiz from Fanwood, N.J., was studying computer science at Rutgers when he developed Mirai along with two other convicted co-conspirators. According to sentencing memo submitted by government prosecutors, in his freshman and sophomore years at Rutgers Jha used a collection of hacked devices to launch at least four distributed denial-of-service (DDoS) attacks against the university’s networks.
Jha told investigators he carried out the attacks not for profit but purely for personal, juvenile reasons: “He reveled in the uproar caused by the first attack, which he launched to delay upper-classmen registration for an advanced computer science class he wanted to take,” the government’s sentencing memo stated. “The second attack was launched to delay his calculus exam. The last two attacks were motivated in part by the publicity and outrage” his previous attacks had generated. Jha would later drop out of Rutgers after struggling academically.
In January 2017, almost a year before Jha’s arrest and guilty plea, KrebsOnSecurity identified Jha as the likely co-author of Mirai — which sprang to notoriety after a record-smashing Sept. 2016 attack that sidelined this Web site for nearly four days.
That story posited that Jha, operating under the pseudonyms “Ogmemes” and “OgRichardStallman,” gave interviews with a local paper in which he taunted Rutgers and encouraged the school to consider purchasing some kind of DDoS protection service to ward off future attacks. At the time, Jha was president and co-founder of ProTraf Solutions, a DDoS mitigation firm that provided just such a service.
The sentence handed down by a federal judge in Trenton today comes on the heels of Jha’s September 2018 sentencing in an Alaska court for his admitted role in creating, wielding and selling access to Mirai — malware which enslaves poorly-secured Internet of Things (IoT) devices like security cameras and digital video recorders for use in extremely powerful attacks capable of knocking most Web sites offline.
Prosecutors in the Alaska case said Jha and two co-conspirators did not deserve jail time for their crimes because the trio had cooperated fully with the government and helped investigators with multiple other ongoing cybercrime investigations. The judge in that case agreed, giving Jha and each of his two co-defendants sentences of five years probation, 2,500 hours of community service, and $ 127,000 in fines.
Prosecutors in Alaska argued that Jha had completely turned over a new leaf, noting that he was once again attending school and had even landed a job at an unnamed cybersecurity company. Sending him to prison, they reasoned, would only disrupt a remarkable transformation for a gifted young man.
However, the punishment meted out today for the Rutgers attack requires Jha to remain sequestered in his parent’s New Jersey home for the next six months — with excursions allowed only for medical reasons. The sentence also piles on an additional 2,500 hours of community service. Further, Jha will be on the hook to pay $ 8.6 million in restitution — the amount Rutgers estimated it cost the university to respond to Jha’s attacks.
Jha could not be immediately reached for comment. But his attorney Robert Stahl told KrebsOnSecurity today’s decision by the New Jersey court was “thoughtful and reasoned.”
“The judge noted that Paras’ cooperation has been much more extensive and valuable than any he’s ever seen while on the bench,” Stahl said. “He won’t be going to back to school right now or to his job.”
It is likely that Jha’s creation will outlive his probation and community service. After the Sept. 2016 attack on KrebsOnSecurity and several other targets, Jha and his cohorts released the source code for Mirai in a bid to throw investigators off their trail. That action has since spawned legions of copycat Mirai botnets and Mirai malware variants that persist to this day.
Update, Oct. 27, 9;30 am. ET: A previous version of this story incorrectly stated that the courthouse in Friday’s sentencing was located in Newark. It was in Trenton. The above copy has been changed.
This post first appeared on Krebs on Security