
Posted by forbes at 2020-03-04

Waterloo of hackers

By Shizhong @ Qianhei Technology

On December 13, 2017, the United States Department of Justice published a case file. The file is not long, but it reveals a dusty past.

After the mystery case in the United States was solved, the FBI thanked a number of technology companies, including even a Chinese one: 360, the company of the "red-coat" boss Zhou Hongyi.

I tracked down Li Fengpei, a mysterious security researcher at 360. I only wanted to gossip about the details of the case. Unexpectedly, he told me the whole twisting, turbulent story, one with a shameful subplot mixed in...

(The story below is pieced together from Li Fengpei's account and public information.)

(1) Preface: zombie ants and a mysterious hacker

On October 21, 2016, the sun shone on the rotating earth, and the vast line between light and shade crept slowly across its surface. Most of China was entering deep night, while the United States on the other side of the globe was just greeting a late-autumn morning.

In Manchester, New Hampshire, a leaf fell silently onto the street, while beneath the road a dark mass rushed through the cables. Internet traffic from all over the world was flowing toward the east coast of the United States, forming a flood moving at the speed of light and rushing at the servers of the domain-name resolution provider Dyn.

Without any warning, every entrance to Dyn's servers was clogged with garbage traffic. As a DNS provider, Dyn supplies basic Internet service for much of the United States, and it had a complete emergency plan of its own. But just a few minutes after the plan was activated, they realized the ferocity of the attack exceeded anything the plan had imagined.

Like the Titanic, each compartment flooded one by one, and even the engine room at the very bottom was not spared. Within minutes, Dyn sank quietly into the Atlantic.

In the major cities of the US east coast, people looked up at one another in unison, because the computers in front of them and the phones in their hands had all gone blank. Services such as Twitter, Spotify, Netflix, Airbnb, GitHub, Reddit and PayPal were paralyzed.

It was a long day. The tide of attack came three times, each wave lasting about an hour. Internet services flickered on and off, and the US east coast was in the grip of the biggest "Internet terrorist attack" since 9/11. This was plainly a disaster, because the United States as a whole was as helpless as a baby in the face of such an attack.

What happened?

It wasn't until the dust settled that it became clear the savage attack had come from webcams and routers around the world. Yes, you read that right: the small things that look "harmless to man and beast" sitting on your living-room table. They used to lie quietly in their owners' homes, connected to the outside world only by a network cable. But it was precisely this thin cable that became the "string" by which hackers controlled their puppets.

A mysterious virus slipped along the network cable into countless homes and invaded hundreds of cameras. To their owners, the hardware looked exactly the same as before. But their indicator lights seemed to turn into red eyes; like infected zombies, they turned their guns around in cyberspace and frantically spat out fresh copies of the virus onto the Internet.

In this way, hundreds of thousands of hardware devices across the earth came to form a huge "botnet". Like a swarm of man-eating ants, this botnet sent out uniform garbage requests and ran rampant through the network; wherever it went, the network was paralyzed and nothing survived.

In fact, these unthinking cameras were all controlled by the same "mysterious hacker". No one knew who he was, or where the muzzle of his gun would point next. People fell into endless panic...

What is less known is that just 31 days earlier, there had been a rehearsal of the very same attack.

(2) Krebs, the great master's Waterloo

Krebs is a righteous American investigative journalist.

He is a bit like "the ark of the hacker world", aiming to expose the Internet's "dark industry" to his readers. His daily job is to use his own website, krebsonsecurity.com, to publish stories such as "who is the leader of a DDoS gang" or "a company has suffered a data breach". No matter how bizarre the matter, he can investigate it. Rather like Michael Moore, the director who is always taking America to task.

(I think Krebs has a righteous face. This is his picture from his official website.)

Obviously, such exposés often offend the big brothers of all kinds of gangs. The Krebs on Security website is attacked every few days. In fact, he often receives threatening physical mail, and unknown parties have even sent the police to his door to make trouble for him. Investigative journalists do have a miserable life...

On September 20, 2016, just a month before the Mirai outbreak, Krebs found that his website was under a huge volumetric DDoS attack. Yes, even this seasoned observer had never seen an attack of such size, with a peak of 665 Gbps. An attack like that would all but knock over a city's backbone network, let alone a single website.

(Krebs posted a lament about "a website that doesn't exist".)

Of course, Krebs was no pushover either. He immediately called his friends and found a service provider he had long worked with to help him "absorb" the attack.

Figuratively speaking, a DDoS attack is like the White Snake's flooding of Jinshan Temple, and the only way to defend against it is Yu the Great's method of flood control: dig wider river channels. Krebs's savior was the well-known Akamai, the world's largest CDN operator, which claims that 30% of the world's traffic passes through its hands. The "river channels" in their hands were surely first-rate.

Although Akamai took on the task with confidence, the biggest attack it had seen before was 363 Gbps, barely half this one. After two days of holding the line, Akamai caved. They found that the waves of attack kept growing rather than shrinking; continuing to defend would consume a terrifying amount of resources, to the point that normal business could not go on. So they told Krebs they could no longer help him. Please take your site elsewhere...

Krebs's website was back to being completely down.

Being toyed with by hackers like this may count as a small "Waterloo" in his career. The stubborn fellow had to change commanders mid-battle and find another patron. Unexpectedly, someone volunteered: Google, which claims that 25% of the world's traffic passes through its servers. Although Google had offered on its own initiative, the security researchers on the ground were under great pressure when they received the task, and they immediately split into a "peace faction" and a "war faction". The peace faction asked why they should fight such a fierce enemy for the sake of protecting one small website. The war faction held that life is a battle, what is coming will come, and running away is useless.

In the end, Google still tried to bring Krebs's website onto its defense system. After a procedure so complicated it made Krebs want to kill someone, Google's defenses finally went online two days later...

Half a year later, Google's security researchers mentioned this grueling defense in a talk. They did not disclose specific details of the data, but in terms of results, they paid a huge price and finally held off the attack.

But here is the point: how could a proud man like Krebs put up with such bullying? Right after the attack, he announced the start of an independent investigation. His evidence was limited at the time, but as his research deepened he became more and more suspicious that the hackers who had attacked him and those who cut off the Internet in the eastern United States a month later were the same group of people...

(3) Elliott, mysterious FBI agent

Two groups of people began investigating immediately after the great disconnection in the eastern United States.

One was the one-man army Krebs, who had vowed revenge.

The other was the FBI, the "national team" that so often appears in American blockbusters, led by agent Elliott Peterson, a rare "cyber agent" who spends the whole year tracking major cyber-criminal gangs.

Elliott is an all-round agent like James Bond, although his looks are not exactly Bond-level screen-licking material. The point is that this man also has a legendary story. After graduating, he joined the army and served several tours in Iraq; on returning home he joined the FBI and became one of its earliest cyber-crime investigators.

Elliott keeps a very low profile. He first appeared in public view at the Black Hat hacker conference in 2015. Held in Las Vegas every year, the conference is called the "Oscars" of the hacker community; anyone who gets onto its stage is unquestionably an idol of the global network-security industry. Elliott came on stage as a sullen FBI agent, and people talked about him a great deal.

(This is Elliott Peterson speaking at Black Hat in 2015. In the lower right corner is his list of the organizations that provided help.)

Elliott's 2015 talk was about tracking a botnet called "Gameover Zeus". Together with security researchers, security companies and law enforcement agencies, through careful investigation and a technical counter-attack, he finally determined that the real controller behind the botnet was a Russian, and then forcibly took over the botnet through a robust technical confrontation so that it could no longer harm the world.

Of course, apart from Elliott's general background, people knew nothing of the agent's whereabouts. (Actually, there is a little secret here: Elliott once had a nasty fight with China. For the sake of social harmony, 2,000 words are omitted here.)

Elliott had long been following DDoS-related cases, and he took charge of this one forcefully. He held his breath: the whole eastern United States had been shrouded in a cyber terrorist attack for an entire day, causing billions of dollars in losses. Not only was the suspect not in custody, there was no clue whether he was a man or a woman, or whether he was Chinese. Elliott knew that if he could not solve this case himself, the criminal would probably remain at large forever...

Time passed. More than a month had gone by since the incident. Elliott had gone dark; no one knew how his investigation was going. Krebs, who had earlier announced an independent investigation, did not seem to have reached a conclusion either.

(4) Mirai surfaces, along with an embarrassing taste in Japanese anime

Let's look back to October 21, 2017, the day of the great disconnection in the United States.

The attack shocked China on the other side of the ocean too, and the Baidu Index for it reached an unprecedented peak.

But although even the street sweepers were talking about the disconnection, few people in the world were really capable of contributing to the investigation.

FBI agent Elliott, who has investigative powers, could require organizations and individuals in the United States to cooperate with the investigation;

Other commercial companies obviously cannot use coercive means. If they wanted to contribute, they could only analyze open information on the network and trace it back. Their strengths, however, were mature security teams and proven analytical skills.

Independent investigators, like the commercial companies, could only access public data, and they had limited resources.

So people around the world who wanted to solve the case quietly formed a "coalition", feeding information to the FBI's investigation in the form of external reports.

Technically, finding the criminal takes two steps: 1. Find the terrible virus behind the botnet. 2. By analyzing the virus code, try to trace it back to its author.

To find the virus first, each company showed off its own powers. In less than a day they had analyzed the data and found that the culprit behind the botnet was Mirai, a virus that had become famous only a month earlier.

Before the great disconnection, on September 30, there had been "big news" in the hacker world: the complete source code of a virus called Mirai was published on the Internet by a mysterious account claiming to be its author. The virus was extremely sophisticated and could control cameras and routers on the Internet at massive scale. With the source in the open, any "script kiddie" with a bit of coding ability could modify it into a new variant, build a botnet of their own, and direct new attacks. It was like a zombie virus escaping the lab: a terrifying loss of control.

So the question is: why would the author publish his virus's source code?

By common sense, sharing the virus source code only brings the author more competitors; it is as if a company worked hard to develop a phone and then posted the blueprints online without reservation. If the author himself published the code, what was his motive? If the publisher was not the real author, how did he obtain the source?

These mysteries would not be solved until the very end. At the time, people only found some interesting facts in two names.

1) Mirai

The virus is called Mirai because its author quietly embedded the word "Mirai" in the code; it has no functional purpose, so it was obviously the virus's name. People quickly noticed that Mirai is a Japanese word, and that there happens to be a popular Japanese anime, "Mirai Nikki", translated into Chinese as "Future Diary". The core of the story is that a lonely junior-high student is drawn into a game of life and death when he suddenly gains the ability to foresee the future.

It seems that from the day of its birth, the author had already cast the virus as a dark future. The name seemed to imply that the whole incident was a high-intelligence crime, which made people break out in a cold sweat.

Another "coincidence": the mysterious person who shared the Mirai code on the Internet used the ID "Anna-senpai".

(This is a screenshot of the original post in which the author uploaded the virus code. Note the avatar...)

Many otaku can see at a glance that the name refers to "Anna-senpai", the female student-council president in the Japanese anime "Shimoneta: A Boring World Where the Concept of Dirty Jokes Doesn't Exist". Pure at first and lecherous later, she becomes the "standard-bearer" against Utopia. (To write this article I watched a special episode of "Shimoneta". Forgive me for being unable to capture the essence of her duality in one sentence...) Anyone who watches this cartoon is probably a severe case of chuunibyou.

(I wanted to put a full-body picture of Anna here. I hope it doesn't interrupt your reading.)

Beyond that, nothing.

(5) The "zombies" mutate, and Germany falls

The Mirai case was still unsolved, but the plot never waits. Just a month later a new panic arrived: variants of the virus were blooming everywhere.

On November 28, 2016, Deutsche Telekom's routers were invaded on a large scale; 20 million routers in Germany were attacked, and 900,000 of them crashed outright during the infection. The attack touched almost every German and caused great panic.

(Germany under the virus. It looks as if Germany were in its unlucky zodiac year...)

Security researchers around the world immediately turned their attention to it, suspecting a new wave of attacks by Mirai's authors. But a report published a day later by the Chinese company 360 pointed out a small problem: the maker of this attack's virus seemed to be using a new infection method, one that would let security researchers track down the controller's master server through data analysis.

Unexpectedly, only four hours after the report went out, 360 received a new version of the virus. Not only was the code in the new version "upgraded", it also carried a special message: "I love you 360".

(This is a screenshot of the virus code, posted by Gong Yiming, head of the 360 Network Security Research Institute, on his Weibo @ Gong Yiming CN.)

It was less a provocation of the security company than the virus writer's desperate curse. Just over a month later, the author, codenamed BestBuy, was arrested in the UK and extradited to Germany for trial. Unfortunately, he turned out not to be the original author of Mirai. As you can see, he had simply taken the original author's open-source code from the Internet and modified it into a new variant. But he undoubtedly became the first person arrested over the Mirai virus, which greatly encouraged security communities around the world.

(This is the author of the mutant virus. His real name is Daniel Kaye, and he was 29 years old.)

According to 360's report, BestBuy was also likely linked to an attack on Liberian telecom operators. Sure enough, BestBuy admitted in court that he had taken 10,000 dollars to help a paying client attack a Liberian telecom operator. The consequence was that the country's entire national network was paralyzed.

(Screenshot of the attack on Liberia)

In September 2017, in the BestBuy case, the author was sentenced to 18 months' probation. This is a fairly light sentence, meaning that as long as he does not keep doing evil, he does not actually have to go to prison. What is both funny and sad is that as soon as he flew back to England, the British police arrested him. Because "a virus has no eyes", the virus he had used to attack Deutsche Telekom had spread over the Internet to the UK and Northern Ireland and caused heavy losses there. But this is a side story.

Meanwhile, countless new Mirai variants emerged around the world, spreading like zombies. Space here is limited, so it is hard to present them one by one.

(6) The true face: "Anna-senpai" surfaces

Agent Elliott had a harder time than he expected.

The first job was to fix the evidence. To prove the simple fact that "hackers used a virus to invade cameras", he applied to the court in his hometown in Alaska, then went door to door finding infected cameras and asking their owners, "did you authorize anyone else to control your camera?"

The second job was tracing back to the source. Finding the hacker behind Mirai was not easy: the mysterious hacker's anti-forensic skills were very strong. His control instructions hopped many times across many servers around the world, like a suspect blending into the crowd at a railway station; one careless moment and he would be "lost".

(In a botnet, the controller's signal bounces back and forth between multiple servers, which makes it very difficult to trace.)

One day in December, Elliott came across a server in France during his investigation. The server was suspicious, but there was nothing special about it. Then in a flash Elliott made an astonishing discovery: the server stored countless Japanese anime. The image of Mirai's otaku flashed through his mind, and for a moment he felt that this server was what he had been searching for.

In January 2017, the investigative journalist Krebs finally published an article in which he strongly suspected that two young college graduates were behind Mirai: Paras Jha and Josiah White. Krebs laid out the evidence against them. Although there was no hard proof, the public seemed to think Krebs had single-handedly gotten ahead of the FBI. What they didn't know was that the pictures of these two men had long been hanging in Elliott's FBI office...

It was not until December 13, 2017, when the US Department of Justice suddenly released its file, that people realized the case had already been solved.

The US Department of Justice is secretive about the specifics of how the case was handled. They gave only the names of the three criminals, Paras Jha, Josiah White and Dalton Norman, and their crimes. The documents show that the FBI charged the three men in May 2017. Yes, two of the three were exactly the men Krebs had singled out. Impressive.

(According to public information, this should be the real Paras Jha. By the data, he graduated from Rutgers and has only 295 followers. This person is "Anna-senpai" on the Internet. How about that? Surprised? Shocked?...)

According to Krebs, all three graduated from Rutgers University, which is well known in the United States for computer science. They ran a company specializing in "network security", with Jha as CEO. They loved their alma mater so much that they decided to use the botnet in their hands to attack it. As a result, in the first half of the year the Rutgers campus was repeatedly hit by cyber attacks, so much so that IT construction costs had to be raised and, eventually, even tuition went up. The matter ended with Jha's company selling its alma mater a set of anti-cyber-attack protection, and all was peaceful again...

In producing Mirai, the three anime-loving otaku divided the work as follows:

Paras Jha wrote the first version of the source code and was responsible for building the "infrastructure". He is the mysterious "Anna-senpai".

Josiah White wrote a clever scanner that could send out thousands of SYN packets at a time, scanning the network thousands of times faster than before, which is why the virus could infect millions of devices so quickly.

Dalton Norman found four high-risk vulnerabilities (0-days) in cameras and routers, which let them walk into these devices as if no one were home.

Using the Mirai virus, they quickly harvested millions of devices around the world and ordered them to provide various kinds of shady services.

(Media captured Paras Jha and his attorney walking out of court.)

The services they provided included: using the devices' IP addresses to generate traffic for websites around the world; taking dirty money to launch DDoS attacks for paying clients; mining bitcoin with the controlled botnet; and helping the underground with fake orders and bonus-abuse schemes. All in all, these services earned them 100 bitcoins. (Not much money at the time, but given the rise in bitcoin's price, the criminal proceeds of these three can be called huge...)

Their original goal in building the botnet was very simple. They wanted to attack the servers of the game Minecraft, all for the sake of their own gaming...

(This is the game Minecraft, known in Chinese as "My World".)

Unexpectedly, they understood nothing about the weapon in their hands. Li Fengpei dug up a special picture, a child holding a rocket launcher, to describe these three young men. One of their attacks caused the great disconnection of the US east coast. It was as if they had only meant to fire a few shots and somehow set off a nuclear weapon.

At trial, Paras Jha finally cleared up one mystery. He had disguised himself as "Anna-senpai" to publish the code online because he wanted to shirk responsibility: if he were ever caught, he could argue that his attack program had been downloaded and that he was not the virus's creator. His plan obviously failed, and the formidable FBI agents evidently found stronger evidence that finally made them admit to being the authors.

However, one mystery in this story remains unsolved: Jha did not admit that they carried out the attack on Krebs, even though, according to the evidence, the overlap between the two attacks exceeded 70%.

(7) The security community, silent heroes behind the scenes

The criminals finally fell into the hands of the law, but the whole affair was not as simple as you and I might think.

In December 2017, after the US Department of Justice file was disclosed, the FBI gave special thanks to several companies that had been crucial to the investigation, including 360, AT&T, Dyn (the victim, finally avenged), Paterva, PayPal and Shadowserver.

360, the Chinese company farthest from the United States, actually ranked first... Even the "red-coat" boss Zhou Hongyi reposted the screenshot with some excitement.

So did 360 hand the FBI some great piece of evidence that cracked the case?

I asked Li Fengpei specifically. He told me that 360 did nothing remarkable in the course of resolving this cyber terrorist attack. Their only job was to keep studying and keep reporting. According to the blog of 360's network security lab, since the outbreak of Mirai they have continuously analyzed clues about Mirai's activity from their data: from the US outage to the Deutsche Telekom outage to the new variants, even predicting the scale of the botnet two days before the attack.

But Li said that what really let the FBI catch the criminals was the joint effort of security communities around the world. As for the ordering of the list, it is obvious that it is sorted with numbers before letters, which puts 360 first. Mostly it comes down to a well-chosen name...

Li Fengpei told me that in purely commercial terms, this work is "thankless and unprofitable". Data analysis of this kind brings no profit. On the contrary, each report takes a team of more than ten people dozens of hours of research, and acquiring first-hand data generated on the global Internet takes a great deal of real money. Looked at from a worldly perspective, all that effort earns nothing but a thank-you in the end. It isn't worth it.

But he explained his motivation to me from another angle.

There are many secret security communities around the world. On the surface, what people see is the FBI's response and the help of big companies. In fact, the security researchers in these organizations all belong to a common security community. For safety's sake they do not disclose their "organizational ties" to the outside world, but they quietly band together to defend the security and the bottom line of the world.

According to reliable sources, FBI agent Elliott is one of the members of this organization. He looks helpless and alone, but in fact he is constantly supported by the world's top security figures.

It sounds mysterious.

In the same way, every company and individual who contributed to this affair belongs to this huge security community. Without the cooperation of the major European security companies, BestBuy, the attacker of Deutsche Telekom, would not have been caught so quickly; likewise, without the unrewarded contributions of Dyn, Paterva, PayPal, Deutsche Telekom, the French server company, 360 and security communities around the world, the criminals would most likely still be at large.

And if criminals kept going unpunished, wouldn't all of us bystanders become the next victims?

(8) The end

The arrests do not mean the demise of Mirai.

Every line of Mirai's code has been published on the network by its author. Until every camera and router in the world is updated, any hacker may come back with a new variant of the virus. Mirai has become immortal.

(This is the global spread of Mirai and its mutants.)

As the report released by 360's network security lab shows, just two weeks ago, on December 5, they detected a new Mirai variant spreading in a new way, and no one can accurately predict how much damage this new variant will cause.

The hundreds of millions of Mirai infections lurking in the corners have made our world different from before. The reason you and I seem to live in peace is that all over the world there are countless people who love security and are more powerful than the viruses, and who stay silent.

So it is not only the FBI that needs to thank the unsung security community; everyone who lives a carefree life on the Internet owes them a thank-you.

Let me introduce myself again. My name is Shizhong. I'm a technology journalist who loves stories, and my daily routine is chatting with all kinds of gurus. If you want to be friends with me, you can add me on WeChat.

If you don't want to lose track of me, you can also follow my official media account.