Given the increasing amount of money on the line, a few owners decided to try and take out their rivals. If they could direct enough fake activity at another server – what’s known as a ‘distributed denial of service’ (DDoS) attack – it would slow down the connection for anyone playing. This would frustrate users into looking for an alternative server, ideally the one owned by the people who organised the attack. An online arms market emerged, with mercenaries selling increasingly sophisticated DDoS attacks, and in many cases also selling protection against them.
This was where Mirai came in. The botnet was so powerful it would be able to outcompete any rivals attempting to do the same thing. But Mirai didn’t remain in the Minecraft world for long. On 30 September 2016, a few weeks before the Dyn attack, Jha and his friends published the source code behind Mirai on an internet forum. This is a common tactic used by hackers: if code is publicly available, it’s harder for authorities to pin down its creators. Someone else – it’s not clear who – then downloaded the trio’s code and used it to target Dyn with a DDoS attack.
Mirai’s original creators – who were based in New Jersey, Pittsburgh and New Orleans – were eventually caught after the FBI seized infected devices and painstakingly followed the chain of transmission back to its source. In December 2017, the three pleaded guilty to developing the botnet. As part of their sentence, they agreed to work with the FBI to prevent other similar attacks in the future. A New Jersey court also ordered Jha to pay $8.6 million in restitution.[12]
The Mirai botnet managed to bring the internet to a halt by targeting the Dyn web address directory, but on other occasions, web address systems have helped someone stop an attack. As the WannaCry outbreak was growing in May 2017, British cybersecurity researcher Marcus Hutchins got hold of the worm’s underlying code. It contained a lengthy gibberish web address – iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – that WannaCry was apparently trying to access. Hutchins noticed the domain wasn’t registered, so bought it for $10.69. In doing so, he inadvertently triggered a ‘kill switch’ that ended the attack. ‘I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental,’ he later tweeted.[13] ‘So I can only add “accidentally stopped an international cyber attack” to my résumé.’
One of the reasons Mirai and WannaCry spread so widely is that the worms were very efficient at finding vulnerable machines. In outbreak terms, modern malware can create a lot of opportunities for transmission, far more than its predecessors were capable of. In 2002, computer scientist Stuart Staniford and his colleagues wrote a paper titled ‘How to 0wn the Internet in Your Spare Time’[14] (in hacker culture, ‘0wn’ means ‘control completely’). The team showed that the ‘Code Red’ worm, which had spread through computers the previous year, had actually been fairly slow. On average, each infected server had only infected 1.8 other machines per hour. This was still much faster than measles, one of the most contagious human infections: in a susceptible population, a person who has measles will infect 0.1 others per hour on average.[15] But it was still slow enough to mean that, like a human outbreak, Code Red took a while to really take off.
Staniford and his co-authors suggested that, with a more streamlined, efficient worm, it would be possible to get a much faster outbreak. Borrowing from Andy Warhol’s famous ‘fifteen minutes of fame’ quote, they called this hypothetical creation a ‘Warhol worm’, because it would be able to reach most of its targets within this time. However, the idea didn’t stay hypothetical for long. The following year, the world’s first Warhol worm surfaced when a piece of malware called ‘Slammer’ infected over 75,000 machines.[16] Whereas the Code Red outbreak had initially doubled in size every 37 minutes, Slammer doubled every 8.5 seconds.
Slammer had spread quickly at first, but it soon burned itself out as it became harder to find susceptible machines. The eventual damage was also limited. Although the sheer volume of Slammer infections slowed down many servers, the worm wasn’t designed to harm the machines it infected. It’s another example of how malware can come with a range of symptoms, just like real-life infections. Some worms are near invisible or display poems; others hold machines to ransom or launch DDoS attacks.
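The outbreak dynamics described in the last three paragraphs (a per-hour infection rate, the doubling time it implies, and the burn-out once susceptible machines become scarce) can be made concrete with the random-constant-spread model that the Staniford paper uses. The code below is an added illustration, not code from the book or from the paper; the rate K, the address-space size and the number of vulnerable hosts are assumed parameters chosen to mirror the figures quoted in the text or to keep the toy simulation small.

```python
"""Random-constant-spread (RCS) model of a scanning worm.

Added illustration for this section; not code from the book or from
Staniford et al., though the logistic form is the one their paper uses.
K (new infections per infected host per hour), the address-space size
and the vulnerable-host count are assumed, constructed parameters.
"""
import math
import random

def rcs_fraction(t_hours, k, t0=0.0):
    """Fraction of vulnerable hosts infected at time t under the RCS model:
    a(t) = 1 / (1 + exp(-K (t - t0))), a logistic curve. Growth is exponential
    at rate K while most hosts are susceptible, then flattens as probes hit
    hosts that are already infected."""
    return 1.0 / (1.0 + math.exp(-k * (t_hours - t0)))

def doubling_time_hours(k):
    """Early-phase doubling time: exp(K t) doubles every ln(2)/K hours."""
    return math.log(2) / k

def rate_from_doubling_seconds(seconds):
    """Inverse: infections per infected host per hour implied by a doubling
    time given in seconds (e.g. the 8.5 s quoted for Slammer)."""
    return math.log(2) / seconds * 3600

def simulate_scanning_worm(n_vulnerable, address_space, scans_per_step,
                           steps, seed=1):
    """Discrete simulation of random scanning: each infected host probes
    scans_per_step random addresses per step, and a probe that lands on an
    uninfected vulnerable host infects it. Returns the infected count after
    each step, so both the early exponential phase and the later burn-out
    (most probes hit non-vulnerable or already-infected addresses) show."""
    rng = random.Random(seed)
    vulnerable = set(rng.sample(range(address_space), n_vulnerable))
    infected = {min(vulnerable)}  # a single seed host
    history = []
    for _ in range(steps):
        newly = set()
        for _host in infected:
            for _ in range(scans_per_step):
                addr = rng.randrange(address_space)
                if addr in vulnerable and addr not in infected:
                    newly.add(addr)
        infected |= newly
        history.append(len(infected))
    return history
```

The idealised model turns the 1.8-per-hour Code Red rate into a doubling time of roughly 23 minutes, shorter than the 37 minutes measured in the real outbreak; the gap is a reminder that a constant rate is an approximation of real scanning behaviour.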
As shown by the Minecraft server attacks, there can be an active market for the most powerful worms. Such malware is commonly sold in hidden online marketplaces, like the ‘dark net’ markets that operate outside the familiar, visible websites we can access with regular search engines. When security firm Kaspersky Lab researched options available in these markets, they found people offering to arrange a five-minute DDoS attack for as little as $5, with an all-day attack costing around $400. Kaspersky calculated that organising a botnet of around 1,000 computers would cost about $7 per hour. Sellers charge an average of $25 for attacks of this length, generating a healthy profit margin.[17] The year of the WannaCry attack, the dark net market for ransomware was estimated to be worth millions of dollars, with some vendors making six-figure salaries (tax-free, of course).[18]
Despite the popularity of malware with criminal groups, it’s suspected that some of the most advanced examples originally evolved from government projects. When WannaCry infected susceptible computers, it did so by exploiting a so-called ‘zero-day’ loophole, which is when software has a vulnerability that isn’t publicly known. The loophole behind WannaCry was allegedly identified by the