Anonymity. It is a characteristic that is often not viewed positively. We all want to be recognized for our accomplishments and actions, our most impressive or good-hearted deeds. However, sometimes, we would prefer to remain in the shadows – and that’s especially true for the criminals among us; after all, their identification could lead to jail time and other unwanted consequences.
Well, if anonymity is what you want, you probably should avoid prominence in the DDoS community – or face the wrath of Brian Krebs. Krebs, who specializes in information security, seems to have gotten a knack lately for unmasking malicious online parties. An independent investigative journalist specializing in security, he is probably best known as the guy who was targeted with one of the biggest distributed denial of service (DDoS) events of all time – and responded by following a trail of data crumbs to identify the specific person he believed was responsible for the mega-attack.
Let’s briefly review the initial attack on Krebs (with a massive army of Mirai IoT devices) last September and the revealing of the Mirai author in January. Then we will double back to begin the Bestbuy story in November, when he (Bestbuy = Daniel Kaye) and another hacker (or simply another identity for Kaye himself) started taking control of the botnet. From there we will proceed to the downfall of Bestbuy: his arrest in February. Then we will go over Krebs correct identification of Kaye prior to the release of his name (another victory by Krebs that should be noted); and, finally, the controversial suspended sentence that he received from the German court, the precursor to a trial he is expected to soon face in England.
- Bestbuy unmask prequel: Anna-Senpai
- From hacker duel to handcuffs
- Krebs fingers Kaye
- How to protect yourself from DDoS
Bestbuy unmask prequel: Anna-Senpai
At approximately 8 pm EST on September 20, 2016, KrebsOnSecurity started getting hit with a blast of bogus traffic that measured at 620 Gigabits per second. Krebs had DDoS protection and his site was not pushed offline; however, it certainly got his attention. It ends up being a kind of battle in a DDoS v. Krebs war. After all, they targeted Krebs, many think, because of a previous event. On September 8, less than two weeks prior to his site being hit, Krebs named two Israeli hackers who were behind a very successful DDoS-as-a-service company that brought in $600,000 over two years; and the two men that he named in that piece (both just 18 years old) were arrested two days later.
Krebs noted that he thought the attack was probably a retaliation against that article, saying that freeapplej4ck was a string contained within some of the POST requests during the DDoS attack. This term was “a reference to the nickname used by one of the vDOS co-owners,” Krebs said.
It certainly seems that those behind this Mirai assault were gluttons for punishment, since Krebs had already proven himself adept at tracking down hackers. Fast-forward to January, and Krebs fingered Paras Jha, Rutgers University student and president of the DDoS mitigation service ProTraf Solutions, as the author of Mirai. (Note that Jha has not been charged with any crimes, as of July 28, per Krebs.)
From hacker duel to handcuffs
The security world became fixated on Mirai following this assault on Krebs, for obvious reasons. In November, Motherboard indicated that the attack on Krebs – followed up by ones on Spotify, Twitter, German ISP Deutsche Telekom, and other major services – was headed for even darker territory. Two hackers, or one with two identities, had created another enormous botnet using a variant of Mirai, and they were offering it as a pay service (similar to vDOS).
One of the two hackers (or the only one, if it is the same person) was better at bragging than he was at spell-checking; after telling Motherboard that he had more than a million hacked IoT devices under his control, he boasted, “The original Mirai was easy to take, like candy from this kids” [sic]. He was referencing the hacker battle to be the new godfather of all these compromised devices. One popular perspective at the time was that the fresh strain was created by a current Mirai botmaster in order to enslave additional devices to its army.
Unfortunately for Bestbuy, law enforcement was soon on his tail. In February, British police arrested a 29-year-old man at a London airport; however, notably, they did not release his name. The arrest was the first one related to Mirai. The German Federal Criminal Police Office (BKA) noted that the 29-year-old was being charged with an attack on Deutsche Telekom – soon after which Kaye/Bestbuy had messaged Motherboard that he was one of the people behind it.
“Bestbuy is down,” concluded Jack B. of the DDoS research collective SpoofIT at the time.
Krebs fingers Kaye
How did Krebs identify Bestbuy? Here are key points made to connect Bestbuy to Kaye:
- When the Mirai botnet was used to take Deutsche Telekom offline, the registrant for the domain names affiliated with the servers controlling it were “Spider man” and “Peter Parker” (alter-ego of Spider-Man). The street address used for registration was in Israel.
- The IP that is tied to the botnet that took the German ISP offline was 126.96.36.199. Only nine domains have ever been associated with this IP address. Eight of those domains were related to Mirai. The one that was not was dyndn[dot].com, a site that sold GovRAT, a remote access trojan (RAT) designed to log keystrokes. GovRAT has been used to attack over 100 corporations.
- GovRAT was offered for sale by a user Spdr, with the email email@example.com, on oday[dot]today.
- Another malware service that was sometimes sold with GovRAT allowed people to fraudulently use code-signing certificates. Within the digital signature for that program was the email firstname.lastname@example.org.
- The email addresses email@example.com and firstname.lastname@example.org were the ones used for the vDOS usernames Bestbuy and Bestbuy2. (Remember Krebs’ article that identified the founders of that Israel-based DDoS-as-a-service ring.)
- In addition to access from Israel, Bestbuy and Bestbuy2 logged into vDOS from Internet addresses in Hong Kong and the UK. Bestbuy2 actually only existed because the Bestbuy account was canceled for logging in from those international addresses.
- A key member of the Israel-based IRC chat room and hacker forum Binaryvision.co.il had the email email@example.com and was nicknamed spdr01.
- Binaryvision members told Krebs that spdr01 was about 30; had dual citizenship in the UK and Israel; and was engaged.
- The Binaryvision users’ social accounts were both connected to a 29-year-old man named Daniel Kaye. Kaye’s Facebook profile had the alias DanielKaye.il (using Israel’s top-level domain) and was engaged to marry a British woman named Catherine. The profile photo is of Hong Kong.
- Daniel Kaye is listed as the registrant for Cathyjewels[dot]com, and the email address used for that domain was firstname.lastname@example.org.
- On Gravatar, the account Spdr01 uses the email address email@example.com.
Following Krebs’ story, he was proven right: Bestbuy said in court that he was responsible for attacked Deutsche Telekom using Mirai. Then, on July 28, Krebs wrote, “Today, a German court issued a suspended sentence for Kaye, who now faces cybercrime charges in the United Kingdom.” Notably (given the slap on the wrist from Germany), Kaye is expected to be extradited to the UK to face criminal charges there.
How to protect yourself from DDoS
The Mirai botnet is fascinating from the perspective of a mystery or web of information. However, it is not exactly fun to be hit with a massive barrage of bogus requests from an army of zombie routers. Is your company safe from DDoS? At Total Server Solutions, our DDoS mitigation service isolates attack traffic and allows only clean, inbound traffic to pass through to your server. Safeguard your site.