There are no rules or goals in Minecraft.
“The game is brilliant in a lot of ways,” observed Brian Krebs, a former Washington Post reporter and well-known cybersecurity blogger at KrebsonSecurity.com, talking about the incredibly popular Lego-like video game where players make things out of virtual blocks. “You can build anything and destroy anything. You just make up things as you go along.”
Paras Jha, a Rutgers University computer science major, was apparently a Minecraft devotee, playing the game with others in an on-line world where everyone knows each other by their screen names.
That was before the 21-year-old from Fanwood wrote the computer code that was later used by others in one of the biggest internet attacks of the decade.
The unsealing of federal charges Wednesday against Jha and two other young men in connection with a series of earlier cyber attacks was described by prosecutors in terms most familiar to a computer security expert. The trio, according to the feds, created and operated two “botnets” which targeted “Internet of Things” (IoT) devices, launching a powerful distributed denial-of-service or DDoS attack that crippled web hosting companies across the country.
But essentially what they were doing, according to authorities, was running a sophisticated high-tech protection racket.
Federal prosecutors have not provided much detail into what motivated them. However, investigators and computer security experts say it all may have begun with Minecraft, the game with no rules.
And the muscle they employed was a malicious computer software program they had written. That code was used by others–their identities still unknown–to infect hundreds of thousands of devices connected to the internet in a massive online attack in October 2016 that blocked access to Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, PayPal and many other popular websites.
No one has been charged in that incident, which came after Jha and others posted their malware on the Dark Web.
New variants of the code, meanwhile, have been picked up recently by cyber security researchers.
Playing the game
Jha, together with Josiah White, 20, of Washington, Pa., and Dalton Norman, 21, of Metairie, La., earlier this month pleaded guilty to creating and operating a network of compromised computers known as “botnets” that were used in a number of attacks on several host servers.
Jha also last week pleaded guilty to a series of separate attacks that took out the Rutgers computer network.
Appearing in court before U.S. District Court Judge Michael Shipp in Trenton, Jha acknowledged his involvement, but offered little more. His attorney, Robert Stahl of Westfield, said “Paras Jha is a brilliant young man whose intellect and technical skills far exceeded his emotional maturity.”
Investigators say Jha was immersed in online gaming culture, and was adept at writing code–the software that controls a computer.
But there is a dark side to cyber gaming. Popular game servers are often targeted for sport. And sometimes, for money.
Krebs, who was the first to link Jha to the cyber attacks and the software that caused them, said there is a lot of money to be made off hosting Minecraft servers. Some in the industry have told him it’s not hard to make $200,000 or more a month.
That did not go unnoticed.
“What started happening in 2013 and 2014 was the biggest Minecraft servers began to come under DDoS attacks,” said Krebs, noting that some of these operations were willing to “pay handsomely to protect them from these type of attacks, which are fairly complicated.”
Distributed denial-of-service, or DDoS attacks involve the hijacking of hundreds of computers, which are used to flood the internet connection of a targeted server or computers. Such an attack generates a barrage of so many fake requests for information that the server typically crashes under the assault.
“It only takes a while for some of these servers to be off line before someone says ‘screw it, I’ll find someplace else that doesn’t have problems,'” Krebs noted.
Jha was one of those who created a business offering his services to companies hosting Minecraft servers, to protect against DDoS attacks, said Krebs.
According to court filings, however, Jha had also created a botnet–a collection of hijacked computers that were infected with malware software used to launch the kind of distributed denial-of-service attacks that were plaguing many of the Minecraft game servers.
However, the targets of the worm Jha and others used to create the botnet was something that had not been seen before, according to the Justice Department. It burrowed into non-traditional computing devices connected to the internet, such as wireless cameras, home routers, and digital video recorders, the so-called “Internet of Things.”
“Some of these devices have no way to change default passwords,” noted Adam Alexander, an assistant U.S. attorney for the District of Alaska, where the hidden controlling software corrupting the internet-connected things was first discovered.
The authors of the botnet called it Mirai, named after a popular character in Japanese anime, according to FBI case agents who said the three were fans. The Justice Department said the Mirai botnet, at its peak, was made up of hundreds of thousands of compromised devices.
“Once they built the botnet, they sought to make money by renting it or extorting companies for money,” said William Fitzpatrick, the acting U.S. Attorney in New Jersey, where the botnet repeatedly hit the computer network at Rutgers University.
According to the government, Jha ran Mirai on computers from his family home in Fanwood.
Beginning in the summer of 2016, Mirai was deployed to conduct attacks against a number of game servers and hosting companies. Prosecutors said Jha contacted one company and demanded payment in exchange for halting the attack. They said he also bragged about his exploits using monikers such as “ormemes” and “Anna Senpai” on discussion boards, soliciting clients.
That bravado also served to unmask him.
Krebs began a deep dive into the Mirai botnet after his own site was forced offline by a DDoS attack for nearly four days.
Krebs tied to the malware to Jha earlier this year, publicly naming him after linking him to Anna-Senpai. But he believes the FBI already knew much of what he posted.
Indeed, when NJ Advance Media knocked on Jha’s door back in January after the Krebs post, his father said the FBI had interviewed his son, but denied he had any knowledge of the attacks.
In addition to those attacks, prosecutors said Jha and Norman made money with software that duped on-line advertisers.
“They build a botnet to commit click fraud,” said Fitzpatrick.
Click fraud is a scheme to artificially pump up the number of “clicks” on a particular website, to increase advertising revenue generally based on how many times someone clicks on a page. In Jha’s plea agreement, prosecutors said the student leased access to his click fraud botnet in exchange for payment.
“Because the victim activity resembled legitimate view of these websites, the activity generated fraudulent profits through the sites hosting the advertising content, at the expense of the on-line advertising companies,” noted the court filing.
That scam netted Jha and others 100 bitcoin, valued at the time at more than $180,000, said prosecutors.
Closer to home, even before those attacks, Jha admitted he had initiated DDoS attacks on the computer network at Rutgers University, where he was then studying.
In 2014, the university first began to get hit with a series of denial-of-service attacks that crashed Rutgers’ websites and cut off Internet and Wi-Fi access to tens of thousands of students, faculty and employees. The university, which had announced it planned to spend $3 million to upgrade its computer security system, was taunted by someone on Twitter using the screen name “exfocus.”
“where internet go?? 3m dollar gone?” asked one tweet.
In a courtroom in Trenton on Wednesday, Jha, who is no longer at Rutgers, admitted that he was “exfocus.” And he said he timed the attack during midterms when it would cause the most disruption.
He did not say why.
Prosecutors said toward the end of the scheme, Jha took steps to conceal his role in the Mirai botnet.
In September 2016, the government said he erased the files on his home computer and then posted the Mirai code online, “in order to create plausible deniability if law enforcement found the code on computers controlled by Jha or his co-conspirators.”
The following month, other hackers took the Mirai code and launched a massive cyber attack that crippled much of the internet, crashing Twitter, Netflix and other websites.
Who they are remains a mystery.
All three men have pleaded guilty in the District of Alaska to charges of conspiracy to violate the Computer Fraud & Abuse Act in operating the Mirai Botnet.
Jha pleaded separately in New Jersey to launching the cyber attack on the Rutgers University computer network.
He is to be sentenced in March.