How To Hide Browsing History – Complete Guide

How To Hide Browsing History – Complete Guide

How To Hide Browsing History – Complete Guide


People today have many concerns regarding their browsing history and the visibility of their data to another person. There could be varying reasons for that. Many of them want to get rid of intrusive ads, and some just don’t want their searches to be seen by others using the same Internet connection.

Also, the enforcement of controversial broadband rules by Trump’s administration is a great concern, so much so that it’s provoking users to find a way to hide their browsing history.

However, for multiple reasons, most people couldn’t find an appropriate and efficient solution. Through this article, we hope to tell you about various security measures that can help you wipe your browsing history and prevent it from being exposed.


While using a computer at a public place or the one that is shared by others, your browsing history is automatically stored. To avoid such a situation, you must activate the browser’s privacy mode before performing any activity that allows you to surf the internet. Doing so blocks the third-party cookies tracking your activity between different sites. Also, the first party cookies that the site keeps as proof of your presence are also wiped out when you leave the site, thereby preventing other people from seeing clues of your presence.

All you have to do is select private or incognito mode from the browser’s toolbar.


The removal of third-party cookies is a way to prevent your browsing history from being tracked, but something known as super cookies is a greater threat. Sites that run Flash are generally those with some kind of video stuff, and they do keep the Flash cookies (or super cookies). These could retain much larger amounts of data and could reproduce those deleted third-party cookies.

Super cookies record your path through which you move from one browser to another. The way to remove super cookies and other cookies could be CCleaner, which you have to download. If you don’t want to do that, be vigilant, as you could be signed-in frequently many times by a site using third-party cookies.


Oftentimes the browser locates your presence at a certain place and transfers that information to the site you are visiting. They usually keep this data to give you more targeted and personalized search results. Moreover, it could also be used to enhance the ads displayed by advertisers.

To avoid such a situation, you could refuse the location request given by the browser when you visit a site. However, to remove such requests permanently, you could follow these steps;

  • Chrome – Go to Preferences > Settings > Advanced > Content settings, and choose the option of Disallow or Ask for the request of location whenever you visit a site
  • Safari – Preferences > Privacy, and select ‘Disable Location Services’ or ‘Ask’
  • Firefox – Type “about:config” in the URL bar and after that ‘geo.enabled’. To avoid Firefox’s repeated requests for sending your location to any website you visit, double-click to disable location entirely
  • Microsoft Edge – To turn off location requests, you will have to do it from the main computer settings. Then go to Privacy and choose location option. Now turn off Microsoft Edge


Search engines like Google have heavy traffic on them for which they have to respond. Also, the result given by Google differs from person to person depending upon the user’s data. In some ways, it is useful for us as we get the advanced results according to our needs. However, it keeps us away from certain other web pages that could contain useful information regarding the topic.

To restrict Google from doing this, access Search Tools > Results >Verbatim. However, a more efficient way to avoid your activity from being tracked is just to move to a private search engine, such as DuckDuckGo. The ads are also been restricted while browsing privately.


Google provides you with many of its services, including Google Calendar, Gmail, Chrome and others. With all these one-click browsing folders, we could easily get the information or your desired content at a very fast speed. But it’s also negative for us, as Google could track your activities in many ways through your emails, searching activities, etc. that give it an opportunity to present personalize results.

Also, this data of yours could help them display interrupting advertisements. You could avoid this problem by getting out of “shared endorsement” in Ads and by turning off Ad Personalization. This will not prevent ads from showing up, but it will restrict them to ones that are not personalized according to your browsing history.

Now, download Google Analytic Browser Add-on to stop Google tracking your activity and creating an ad profile.


For social sites, it’s really easy to track our interests, as we have immense information and personal interest activities on such sites like Facebook, Twitter, LinkedIn and others. Also, these sites follow our activities even after we have logged out of our accounts. They do it through the sharing or like button we click on.

To avoid personalized ads on social networking sites, you could follow these steps:

  • For Facebook – Go to Facebook settings > Adverts to control whether ads are targeted based on your clicks in and out of Facebook
  • For Twitter – Access settings > Security and Privacy. Then uncheck the box for “Tailor Ads”
  • For LinkedIn – Go to Privacy and Settings > Accounts > Managing Advertising Preferences

This process will stop personalized ads from appearing, but your activity will still be tracked for security reasons.


Almost every internet site tracks you by different methods, including cookies. These are present on distinctive objects on the web page, such as ads, comment section and sponsored links. Advertisers belonging to an ad network place cookies on a site to get data about when someone visits it.

These advertisers extract your interests and preferences through this data and share it with members of that ad network, so as to better advertise their product.

To stop such activities, you could change it from browser privacy settings and from there turn on Do Not Track option. You could also opt-out of tracking at the Network Advertising Initiative and Digital Advertising Alliance.

You would still observe ads on web pages, yet they are not personalized.


You can’t confirm that your activity is being tracked or not after you have opted out. This is because many sites do not cater such requests. However, downloading browser plugins for the anti-tracking purpose could block all sites from tracking.

Plugins, such as Privacy Badger, Ghostery, or Disconnect, stop all intrusive ads by blocking cookies and prevent advertisers to build your profile based on your internet activities.


Your browsing activity could also be tracked through your IP address. All the above options are really helpful at keeping you away from marketers by blocking tracking cookies.

For further protection, a VPN is an excellent anonymity tool that masks your real IP address and assigns you a new IP. This protects your location and browsing information from being exposed as your real identity is not on display.

It would also be helpful in unblocking sites that are restricted and banned in some countries.


A private browser with plugins, proxies, and setting changes could give you an excellent and anonymous browsing experience. Private browsers protect you from being tracked and bring all the above-mentioned features. You could enable proxy by turning it on from the toolbar in a private browser.

Epic Privacy Browser, for instance, is based on Chrome but with specialized settings that could stop trackers following your activities. You will still see ads but without being tracked, and your homepage will show the information about how many trackers have tried to observe your activity.


The Tor browser distributes your internet traffic through many nodes(servers). Therefore, your presence at a certain website will only show the IP address of the existing node.

This is why using Tor could make it really hard for snooping eyes to track your activity. However, while using Tor, you could face speed issues.


Most of the time, we are not aware of the fact that we are being tracked by websites we visit. Also, internet users are not familiar with the cons of internet movement tracking that in some ways is beneficial. Although it requires efficiency and effort to make your browsing history anonymous, once you are done with these privacy settings, you can enjoy secure browsing without the fear of being noticed.


Peter ButtlerAbout the Author: Peter Buttler is a professional security expert and lecturer. He serves as a digital content editor for different security organizations. While writing he likes to emphasize on recent security trends and some other technology stuff. You can follow him on Twitter.

Posted in Blogs, DataLoss, Security | Tagged , , , , | Leave a comment

Windows 10 Tip: Turn Off File Explorer Advertising

Windows 10 Tip: Turn Off File Explorer Advertising

Posted on March 8, 2017 by Paul Thurrott

Windows 10 Tip: Turn Off File Explorer Advertising

While the Creators Update will include a number of important improvements to Windows 10, the escalation of File Explorer advertising isn’t one of them. Here’s how to turn it off.

Note: This tip is derived from the Windows 10 Field Guide, which is now being updated for the Windows 10 Creators Update. But this tip applies to the Anniversary Update as well.

I’ve led the charge against Microsoft’s advertising efforts in Windows, noting back in 2012 that the software giant cheapened Windows 8 with ads. Despite my warnings about a slippery slope—Microsoft would only escalate its in-box advertising down the road, I cautioned—Windows 10, sadly, was even worse. And now the Creators Update is coming, bringing with it yet another escalation of in-product advertising. Most notably, and most disturbingly, in File Explorer.

(Ad-like notifications for OneDrive do appear in File Explorer in the Anniversary Update, but people running the Creators Update are now seeing actual advertising.)

To be clear, File Explorer is the Windows 10 shell, a core part of the operating system. So like the mobile apps that first bore advertising back in Windows 8, yes, it is very much a “part of” Windows, or “in” Windows. It is Windows.

This is a sad state of affairs. Fortunately, you can turn off this terrible intrusion. Here’s how:

Open File Explorer and then navigate to View > Options > Change folder and search options.

In the Folder Options window that appears, navigate to the View tab.

In the Advanced Settings list, scroll down until you see the option titled “Show sync provider notifications.”

Uncheck that option and then select OK to close the window.

Two additional points.

First, in comparing the Advanced Settings list in the Folder Options window between the Anniversary and Creators Updates, I see that the “Show sync provider notifications” option does appear in Windows 10 today. So you may want to proactively disable it now. (Interesting side-note: There are no new options in this list in the Creators Update; it’s identical to the current release. I assume this wasn’t all the shell team worked on over the past year.)

Second, the name of that option is interesting, isn’t it? It suggests that Microsoft will only show “notifications” here related to “sync providers.” Obviously, Microsoft only makes one such sync provider, OneDrive, though the Office 365 ad is obviously related since it provides 1 TB of additional storage. Would Microsoft ever allow third parties like Box or Dropbox to advertise here too? That’s the slippery slope I worry about. I wouldn’t be surprised to see that in the next major release of Windows 10, but I won’t get outraged about that unless it happens.


Posted in Blogs, Windows 10 | Tagged , , | Leave a comment

18 free ways to download any video off the internet

By: Dan Price February 22, 2017


Video is the future. Periscope has taken the world by storm, and YouTube has launched a subscription service. Even Spotify and Facebook are getting in on the act.

We’re not here to ask why you’d want to download any of that video content – the reasons are too numerous. We just want to show you how to do it.

So, without further ado, here are 18 free ways to download (almost) any video off the internet. Enjoy!

App-Specific Tools

Let’s begin with some service-specific web apps that specialize in a single website before moving onto generic video downloaders later in the article.

1. YouTubeInMP4

We’ll kick things off with YouTubeInMP4. Just paste in your link and click Download in MP4. On the next screen, you can choose whether to download in HD or standard resolution.

2. SaveFrom

SaveFrom is another YouTube downloader, but one with a difference. If you are watching something online and you want save it, just enter “ss” before “YouTube” in the URL.

For example:

Would become:

3. FastestTube

The final YouTube downloader on the list is arguably the simplest. FastestTube is a browser extension that’ll add a physical download button to the YouTube website. You can find it in the bottom right-hand corner of a video.5 Free YouTube Downloaders & Converters Compared: Which One Is Right For You? 5 Free YouTube Downloaders & Converters Compared: Which One Is Right For You?Two years ago, I told you about 5 easy ways to download and convert online videos. Recently, we also told you about ways to download YouTube videos to your Mac, and some ways you can…READ MORE

It works on Chrome, Firefox, Safari, Opera, and Internet Explorer.

4. DownloadTwitterVideo

Sticking with the premise of site-specific tools, DownloadTwitterVideo lets you pull any video off the world’s favorite transient social network.

Paste in the URL of the Tweet which contains the video you want, then select whether you want to save it as an MP3, MP4, or MP4 HD.

5. Vine Video Download

Yes, Vine is no longer accepting new entries. But the 39 million uploaded videos are still available to view on the Vine website.Vine Is Dead but You Can Still Watch Old Videos Vine Is Dead but You Can Still Watch Old VideosEven though Twitter announced the death of Vine, the best of Vine still lives on in the Vine Archive.READ MORE

There are countless hours of amazing videos, ranging from the thought-provoking to the hilarious. This web app lets you save it all onto your hard drive for posterity.

6. Instagram Downloader

Instagram forged its reputation as a photo-sharing service, but with the introduction of Instagram Stories, it’s quickly positioning itself as a Vine replacement.How to Use Instagram Stories Effectively: Basics, Tips, and Tricks How to Use Instagram Stories Effectively: Basics, Tips, and TricksInstagram Stories is the photo-sharing giant’s take on Snapchat. The purpose is to add a new layer of fun to your images and videos. Here’s everything you need to know.READ MORE

7. FB Down

FB Down is a tool for downloading video off Facebook. It also comes with a Chrome extension, meaning you don’t need to leave the social network’s homepage if you find something you want to save.

8. FB Down Private

FB Down Private is a subsection of FB Down, but we feel it deserves its own mention. The app lets you grab videos from accounts that users have set to private, even if you can’t see the video on Facebook natively.

To download a private video, go to the video’s page on Facebook, press CTRL + U to view the source code, then paste the code into the downloader.

Generic Video Downloaders [Web Apps]

As you progress through this portion of the list, you’ll notice a commonly recurring theme: most of the video downloaders work with the same set of sites.

9. KeepVid

KeepVid supports 28 sites. It covers educational resources like Lynda, news outlets like ABC and NBC, and popular amusement sites such as Ebaumsworld and Break.

Once you’ve pasted your link, you can choose to save your downloaded file in more than 150 different formats.

10. VideoGrabby

A simple-to-use web app that supports the majority of the most popular video sites. Type the link and hit Go.

11. YooDownload

YooDownload is another competitor to the likes of KeepVid and VideoGrabby. It works with YouTube, Vimeo, Facebook, Twitter, Instagram,, and SoundCloud.

12. ClipConverter

ClipConverter works with almost any website you can think of (subscription streaming services notably excluded). It’ll even grab videos off the world’s most thriving social network, MySpace!

The developers offer a browser add-on for Chrome, Firefox, and Safari.

13. OnlineVideoConverter

Because so many of these web apps are so similar, I’m only going to introduce you to one more.

OnlineVideoConverter works with YouTube, LiveLeak, TeacherTube, VK, College Humor, and more.

Generic Video Downloaders [Desktop Apps]

Sometimes it’s better to use a desktop app than a web app. They can offer features which web apps cannot replicate.

14. VLC Media Player

Clearly, VLC does a lot more than merely downloading videos. The beauty of using VLC is it’s a program a lot of users will already have installed on their machines, and it negates the need for third-party apps.

A step-by-step guide is beyond the scope of this article, but you can find more information in my piece about six amazing VLC features.6 Awesome VLC Features You May Not Know About 6 Awesome VLC Features You May Not Know AboutThere’s a reason VLC is called the Swiss Army Knife of media players. This article identifies six awesome VLC features and explains how to use them.READ MORE

15. Video Grabber

Video Grabber has three key features; downloading video, converting video, and recording your screen. Even though it initially looks like a web app, it is actually a desktop program.

The screen recording feature can be really useful in certain situations. More on that shortly.


FLTVO has a web app and desktop version. The desktop version lets you queue videos for download from multiple sources and automatically download new videos as they become available.

Screen Recorders

We’re closing out our list with a pair of screen recorders. These tools let you record whatever is playing on your computer, making them a good solution when you have exhausted all other possibilities.

17. Open Broadcaster Software

OBS studio is unquestionably the best free screen recorder app on the web. It’s available on Windows, Mac, and Linux and includes a powerful editing tool.

18. CamStudio

CamStudio doesn’t look as slick as OBS and it doesn’t have as many features, but it’s simpler to use. Thus, it’s perfect for someone who just wants to click Record and forget about it.

We covered these two tools in much more detail when we discussed the best three screencasting tools for Windows.Show, Don’t Tell! 3 Best Free Screencasting Tools for Windows Show, Don’t Tell! 3 Best Free Screencasting Tools for WindowsThey say a picture is worth a thousand words, so a video must be priceless – and there are times when a video is more convenient and effective than simple words. A screencast, also known…READ MORE

A Word of Warning

Remember, all the tools listed in this article are for creating recordings of free online videos for personal use. They should not be used to save and distribute copyrighted material; doing so could get you in serious trouble with the law. You have been warned!

Which sites and apps do you use when you want to save a video to your hard drive? Have you used any of the tools we’ve discussed here? Which would you recommend to your fellow MakeUseOf readers? Please leave your tips and suggestions in the comments below.

Image Credit: Den Rise via

Originally written by Aseem Kishore on October 2, 2007

Posted in Blogs, Education | Tagged , , , | Leave a comment

Who is Anna-Senpai, the Mirai Worm Author?

// Krebs on Security

Who is Anna-Senpai, the Mirai Worm Author?

On September 22, 2016, this site was forced offline for nearly four days after it was hit with “Mirai,” a malware strain that enslaves poorly secured Internet of Things (IoT) devices like wireless routers and security cameras into a botnet for use in large cyberattacks. Roughly a week after that assault, the individual(s) who launched that attack — using the name “Anna Senpai” — released the source code for Mirai, spawning dozens of copycat attack armies online.

After months of digging, KrebsOnSecurity is now confident to have uncovered Anna Senpai’s real-life identity, and the identity of at least one co-conspirator who helped to write and modify the malware.

Mirai co-author Anna-Senpai leaked the source code for Mirai on Sept. 30, 2016.

Before we go further, a few disclosures are probably in order. First, this is easily the longest story I’ve ever written on this blog. It’s lengthy because I wanted to walk readers through my process of discovery, which has taken months to unravel. The details help in understanding the financial motivations behind Mirai and the botnet wars that preceded it. Also, I realize there are a great many names to keep track of as you read this post, so I’ve included a glossary.

The story you’re reading now is the result of hundreds of hours of research.  At times, I was desperately seeking the missing link between seemingly unrelated people and events; sometimes I was inundated with huge amounts of information — much of it intentionally false or misleading — and left to search for kernels of truth hidden among the dross.  If you’ve ever wondered why it seems that so few Internet criminals are brought to justice, I can tell you that the sheer amount of persistence and investigative resources required to piece together who’s done what to whom (and why) in the online era is tremendous.

As noted in previous KrebsOnSecurity articles, botnets like Mirai are used to knock individuals, businesses, governmental agencies, and non-profits offline on a daily basis. These so-called “distributed denial-of-service (DDoS) attacks are digital sieges in which an attacker causes thousands of hacked systems to hit a target with so much junk traffic that it falls over and remains unreachable by legitimate visitors. While DDoS attacks typically target a single Web site or Internet host, they often result in widespread collateral Internet disruption.

A great deal of DDoS activity on the Internet originates from so-called ‘booter/stresser’ services, which are essentially DDoS-for-hire services which allow even unsophisticated users to launch high-impact attacks.  And as we will see, the incessant competition for profits in the blatantly illegal DDoS-for-hire industry can lead those involved down some very strange paths, indeed.


The first clues to Anna Senpai’s identity didn’t become clear until I understood that Mirai was just the latest incarnation of an IoT botnet family that has been in development and relatively broad use for nearly three years.

Earlier this summer, my site was hit with several huge attacks from a collection of hacked IoT systems compromised by a family of botnet code that served as a precursor to Mirai. The malware went by several names, including “Bashlite,” “Gafgyt,” “Qbot,” “Remaiten,” and “Torlus.”

All of these related IoT botnet varieties infect new systems in a fashion similar to other well-known Internet worms — propagating from one infected host to another. And like those earlier Internet worms, sometimes the Internet scanning these systems perform to identify other candidates for inclusion into the botnet is so aggressive that it constitutes an unintended DDoS on the very home routers, Web cameras and DVRs that the bot code is trying to subvert and recruit into the botnet. This kind of self-defeating behavior will be familiar to those who recall the original Morris Worm, NIMDA, CODE RED, Welchia, Blaster and SQL Slammer disruptions of yesteryear.

Infected IoT devices constantly scan the Web for other IoT things to compromise, wriggling into devices that are protected by little more than insecure factory-default settings and passwords. The infected devices are then forced to participate in DDoS attacks (ironically, many of the devices most commonly infected by Mirai and similar IoT worms are security cameras).

Mirai’s ancestors had so many names because each name corresponded to a variant that included new improvements over time. In 2014, a group of Internet hooligans operating under the banner “lelddos” very publicly used the code to launch large, sustained attacks that knocked many Web sites offline.

The most frequent target of the lelddos gang were Web servers used to host Minecraft, a wildly popular computer game sold by Microsoft that can be played from any device and on any Internet connection.

The object of Minecraft is to run around and build stuff, block by large pixelated block. That may sound simplistic and boring, but an impressive number of people positively adore this game – particularly pre-teen males. Microsoft has sold more than a 100 million copies of Minecraft, and at any given time there are over a million people playing it online. Players can build their own worlds, or visit a myriad other blocky realms by logging on to their favorite Minecraft server to play with friends.


A large, successful Minecraft server with more than a thousand players logging on each day can easily earn the server’s owners upwards of $50,000 per month, mainly from players renting space on the server to build their Minecraft worlds, and purchasing in-game items and special abilities.

Perhaps unsurprisingly, the top-earning Minecraft servers eventually attracted the attention of ne’er-do-wells and extortionists like the lelddos gang. Lelddos would launch a huge DDoS attack against a Minecraft server, knowing that the targeted Minecraft server owner was likely losing thousands of dollars for each day his gaming channel remained offline.

Adding urgency to the ordeal, many of the targeted server’s loyal customers would soon find other Minecraft servers to patronize if they could not get their Minecraft fix at the usual online spot.

Robert Coelho is vice president of ProxyPipe, Inc., a San Francisco company that specializes in protecting Minecraft servers from attacks.

“The Minecraft industry is so competitive,” Coelho said. “If you’re a player, and your favorite Minecraft server gets knocked offline, you can switch to another server. But for the server operators, it’s all about maximizing the number of players and running a large, powerful server. The more players you can hold on the server, the more money you make. But if you go down, you start to lose Minecraft players very fast — maybe for good.”

In June 2014, ProxyPipe was hit with a 300 gigabit per second DDoS attack launched by lelddos, which had a penchant for publicly taunting its victims on Twitter just as it began launching DDoS assaults at the taunted.

The hacker group “lelddos” tweeted at its victims before launching huge DDoS attacks against them.

At the time, ProxyPipe was buying DDoS protection from Reston, Va. -based security giant Verisign. In a quarterly report published in 2014, Verisign called the attack the largest it had ever seen, although it didn’t name ProxyPipe in the report – referring to it only as a customer in the media and entertainment business.

Verisign said the 2014 attack was launched by a botnet of more than 100,000 hacked routers sold by a company called SuperMicro. Days before the huge attack on ProxyPipe, a security researcher published information about a vulnerability in the SuperMicro devices that could allow them to be remotely hacked and commandeered for these sorts of attacks.


Coelho recalled that in mid-2015 his company’s Minecraft customers began coming under attack from a botnet made up of IoT devices infected with Qbot. He said the attacks were directly preceded by a threat made by a then-17-year-old Christopher “CJ” Sculti, Jr., the owner and sole employee of a competing DDoS protection company called Datawagon.

Datawagon also courted Minecraft servers as customers, and its servers were hosted on Internet space claimed by yet another Minecraft-focused DDoS protection provider — ProTraf Solutions.

Christopher “CJ” Sculti, Jr.

According to Coelho, ProTraf was trying to woo many of his biggest Minecraft server customers away from ProxyPipe. Coelho said in mid-2015, Sculti reached out to him on Skype and said he was getting ready to disable Coelho’s Skype account. At the time, an exploit for a software weakness in Skype was being traded online, and this exploit could be used to remotely and instantaneously disable any Skype account.

Sure enough, Coelho recalled, his Skype account and two others used by co-workers were shut off just minutes after that threat, effectively severing a main artery of support for ProxyPipe’s customers – many of whom were accustomed to communicating with ProxyPipe via Skype.

“CJ messaged me about five minutes before the DDoS started, saying he was going to disable my skype,” Coelho said. “The scary thing about when this happens is you don’t know if your Skype account has been hacked and under control of someone else or if it just got disabled.”

Once ProxyPipe’s Skype accounts were disabled, the company’s servers were hit with a massive, constantly changing DDoS attack that disrupted ProxyPipe’s service to its Minecraft server customers. Coelho said within a few days of the attack, many of ProxyPipe’s most lucrative Minecraft servers had moved over to servers run protected by ProTraf Solutions.

“In 2015, the ProTraf guys hit us offline tons, so a lot of our customers moved over to them,” Coelho said. “We told our customers that we knew [ProTraf] were the ones doing it, but some of the customers didn’t care and moved over to ProTraf anyway because they were losing money from being down.”

I found Coelho’s story fascinating because it eerily echoed the events leading up to my Sept. 2016 record 620 Gbps attack. I, too, was contacted via Skype by Sculti — on two occasions. The first was on July 7, 2015, when Sculti reached out apropos of nothing to brag about scanning the Internet for IoT devices running default usernames and passwords, saying he had uploaded some kind of program to more than a quarter-million systems that his scans found.

Here’s a snippet of that conversation:

July 7, 2015:

21:37 CJ:
21:37 CJ: vulnerable routers are a HUGE issue
21:37 CJ: a few months ago
21:37 CJ: I scanned the internet with a few sets of defualt logins
21:37 CJ: for telnet
21:37 CJ: and I was able to upload and execute a binary
21:38 CJ: on 250k devices
21:38 CJ: most of which were routers
21:38 Brian Krebs: o_0

The second time I heard from Sculti on Skype was Sept. 20, 2016 — the day of my 620 Gbps attack. Sculti was angry over a story I’d just published that mentioned his name, and he began rather saltily maligning the reputation of a source and friend who had helped me with that story.

Indignant on behalf of my source and annoyed at Sculti’s rant, I simply blocked his Skype account from communicating with mine and went on with my day. Just minutes after that conversation, however, my Skype account was flooded with thousands of contact requests from compromised or junk Skype accounts, making it virtually impossible to use the software for making phone calls or instant messaging.

Six hours after that Sept. 20 conversation with Sculti, the huge 620 Gbps DDoS attack commenced on this site.


Coelho said he believes the main members of lelddos gang were Sculti and the owners of ProTraf. Asked why he was so sure of this, he recounted a large lelddos attack in early 2015 against ProxyPipe that coincided with a scam in which large tracts of Internet address space were temporarily stolen from the company.

According to ProxyPipe, a swath of Internet addresses was hijacked from the company by FastReturn, another DDoS mitigation firm that also specialized in protecting Minecraft servers from attacks. Dyn, a company that closely tracks which blocks of Internet addresses are assigned to which organizations, confirmed the timing of the Internet address hijack that Coelho described.

A few months after that attack, the owner of FastReturn — a young man from Dubai named Ammar Zuberi — went to work as a software developer for ProTraf. In the process, Zuberi transferred the majority of Internet addresses assigned to FastReturn over to ProTraf.

Zuberi told KrebsOnSecurity that he was not involved with lelddos, but he acknowledged that he did hijack ProxyPipe’s Internet address space before moving over to ProTraf.

“I was stupid and new to this entire thing and it was interesting to me how insecure the underlying ecosystem of the Internet was,” Zuberi said. “I just kept pushing the envelope to see how far I could get with that, I guess. I eventually realized though and got away from it, although that’s not really much of a justification.”

According to Zuberi, CJ Sculti Jr. was a member of lelddos, as were the two co-owners of ProTraf. This is interesting because not long after the September 2016 Mirai attack took this site offline, several sources who specialize in lurking on cybercrime forums shared information suggesting that the principal author of Bashlite/Qbot was a ProTraf employee: A 19-year-old computer whiz from Washington, Penn. named Josiah White.

White’s profile on LinkedIn lists him as an “enterprise DDoS mitigation expert” at ProTraf, but for years he was better known to those in the hacker community under the alias “LiteSpeed.”

LiteSpeed is the screen name White used on Hackforums[dot]net – a sprawling English-language marketplace where mostly young, low-skilled hackers can buy and sell cybercrime tools and stolen goods with ease. Until very recently, Hackforums also was the definitive place to buy and sell DDoS-for-hire services.

I contacted White to find out if the rumors about his authorship of Qbot/Bashlite were true. White acknowledged that he had written some of Qbot/Bashlite’s components — including the code segment that the malware uses to spread the infection to new machines. But White said he never intended for his code to be sold and traded online.

White claims that a onetime friend and Hackforums member nicknamed “Vyp0r” betrayed his trust and forced him to publish the code online by threatening to post White’s personal details online and to “swat” his home. Swatting is a potentially deadly hoax in which an attacker calls in a fake hostage situation or bomb threat at a residence or business with the intention of sending a team of heavily-armed police officers to the target’s address.

“Most of the stuff that I had wrote was for friends, but as I later realized, things on HF [Hackforums] tend to not remain private,” White wrote in an instant message to KrebsOnSecurity. “Eventually I learned they were reselling them in under-the-table deals, and so I just released everything to stop that. I made some mistakes when I was younger, and I realize that, but I’m trying to set my path straight and move on.”


White’s employer ProTraf Solutions has only one other employee – 20-year-old President Paras Jha, from Fanwood, NJ. On his LinkedIn profile, Jha states that “Paras is a passionate entrepreneur driven by the want to create.” The profile continues:

“Highly self-motivated, in 7th grade he began to teach himself to program in a variety of languages. Today, his skillset for software development includes C#, Java, Golang, C, C++, PHP, x86 ASM, not to mention web ‘browser languages’ such as Javascript and HTML/CSS.”

Jha’s LinkedIn page also shows that he has extensive experience running Minecraft servers, and that for several years he worked for Minetime, one of the most popular Minecraft servers at the time.

After first reading Jha’s LinkedIn resume, I was haunted by the nagging feeling that I’d seen this rather unique combination of computer language skills somewhere else online. Then it dawned on me: The mix of programming skills that Jha listed in his LinkedIn profile is remarkably similar to the skills listed on Hackforums by none other than Mirai’s author — Anna-Senpai.

Prior to leaking the Mirai source code on HackForums at the end of September 2016, the majority of Anna-Senpai’s posts on Hackforums were meant to taunt other hackers on the forum who were using Qbot to build DDoS attack armies.

The best example of this is a thread posted to Hackforums on July 10, 2016 titled “Killing All Telnets,” in which Anna-Senpai boldly warns forum members that the malicious code powering his botnet contains a particularly effective “bot killer” designed to remove Qbot from infected IoT devices and to prevent systems infected with his malware from ever being reinfected with Qbot again.

Anna-Senpai warns Qbot users that his new worm (relatively unknown by its name “Mirai” at the time) was capable of killing off IoT devices infected with Qbot.

Initially, forum members dismissed Anna’s threats as idle taunts, but as the thread continues for page after page we can see from other forum members that his bot killer is indeed having its intended effect. [Oddly enough, it’s very common for the authors of botnet code to include patching routines to protect their newly-enslaved bots from being compromised by other miscreants.  Just like in any other market, there is a high degree of competition between cybercrooks who are constantly seeking to add more zombies to their DDoS armies, and they often resort to unorthodox tactics to knock out the competition.  As we’ll see, this kind of internecine warfare is a major element in this story.]

“When the owner of this botnet wrote a July 2016 Hackforums thread named ‘Killing all Telnets’, he was right,” wrote Allison Nixon and Pierre Lamy, threat researchers for New York City-based security firm Flashpoint. “Our intelligence around that time reflected a massive shift away from the traditional gafgyt infection patterns and towards a different pattern that refused to properly execute on analysts’ machines. This new species choked out all the others.”

It wasn’t until after I’d spoken with Jha’s business partner Josiah White that I began re-reading every one of Anna-Senpai’s several dozen posts to Hackforums. The one that made Jha’s programming skills seem familiar came on July 12, 2016 — a week after posting his “Killing All Telnets” discussion thread — when Anna-Senpai contributed to a Hackforums thread started by a hacker group calling itself “Nightmare.”

Such groups or hacker cliques are common on Hackforums, and forum members can apply for membership by stating their skills and answering a few questions. Anna-Senpai posted his application for membership into this thread among dozens of others, describing himself thusly:

Age: 18+

Location and Languages Spoken: English

Which of the aforementioned categories describe you the best?: Programmer / Development

What do you Specialize in? (List only): Systems programming / general low level languages (C + ASM)

Why should we choose you over other applicants?: I have 8 years of development under my belt, and I’m very familiar with programming in a variety of languages, including ASM, C, Go, Java, C#, and PHP. I like to use this knowledge for personal gain.”

The Hackforums post shows Jha and Anna-Senpai have the exact same programming skills. Additionally, according to an analysis of Mirai by security firm Incapsula, the malicious software used to control a botnet powered by Mirai is coded in Go (a.k.a. “Golang”), a somewhat esoteric programming language developed by Google in 2007 that saw a surge in popularity in 2016. Incapsula also said the malcode that gets installed on IoT bots is coded in C.


I began to dig deeper into Paras Jha’s history and footprint online, and discovered that his father in October 2013 registered a vanity domain for his son, That site is no longer online, but a historic version of it cached by the indispensable Internet Archive includes a resume of Jha’s early work with various popular Minecraft servers. Here’s a autobiographical snippet from

“My passion is to utilize my skills in programming and drawing to develop entertaining games and software for the online game ‘Minecraft. Someday, I plan to start my own enterprise focused on the gaming industry targeted towards game consoles and the mobile platform. To further my ideas and help the gaming community, I have released some of my code to open source projects on websites centered on public coding under the handle dreadiscool.”

A Google search for this rather unique username “dreadiscool” turns up accounts by the same name at dozens of forums dedicated to computer programming and Minecraft. In many of those accounts, the owner is clearly frustrated by incessant DDoS attacks targeting his Minecraft servers, and appears eager for advice on how best to counter the assaults.

From Dreadiscool’s various online postings, it seems clear that at some point Jha decided it might be more profitable and less frustrating to defend Minecraft servers from DDoS attacks, as opposed to trying to maintain the servers themselves.

“My experience in dealing with DDoS attacks led me to start a server hosting company focused on providing solutions to clients to mitigate such attacks,” Jha wrote on his vanity site.

Some of the more recent Dreadiscool posts date to November 2016, and many of those posts are lengthy explanations of highly technical subjects. The tone of voice in these posts is far more confident and even condescending than the Dreadiscool from years earlier, covering a range of subjects from programming to DDoS attacks.

Dreadiscool’s account on Spigot Minecraft forum since 2013 includes some interesting characters photoshopped into this image.

For example, Dreadiscool has been an active member of the Minecraft forum since 2013. This user’s avatar (pictured above) on is an altered image taken from the 1994 Quentin Tarantino cult hit “Pulp Fiction,” specifically from a scene in which the gangster characters Jules and Vincent are pointing their pistols in the same direction. However, the heads of both actors have been digitally altered to include someone else’s faces.

Pasted over the head of John Travolta’s character (left) is a real-life picture of Vyp0r — the Hackforums nickname of the guy that ProTraf’s Josiah White said threatened him into releasing the source code for Bashlite. On the shoulders of Samuel L. Jackson’s body is the face of Tucker Preston, co-founder of BackConnect Security — a competing DDoS mitigation provider that also has a history of hijacking Internet address ranges from other providers.

Pictured below and to the left of Travolta and Jackson’s characters — seated on the bed behind them — is “Yamada,” a Japanese animation (“anime”) character featured in the anime movie B Gata H Hei.

Turns out, there is a Dreadiscool user on, a site where members proudly list the various anime films they have watched. Dreadiscool says B Gata H Kei is one of nine anime film series he has watched. Among the other eight? The anime series Mirai Nikki, from which the Mirai malware derives its name.

Dreadiscool’s Reddit profile also is very interesting, and most of the recent posts there relate to major DDoS attacks going on at the time, including a series of DDoS attacks on Rutgers University. More on Rutgers later.


At around the same time as the record 620 Gbps attack on KrebsOnSecurity, French Web hosting giant OVH suffered an even larger attack — launched by the very same Mirai botnet used to attack this site. Although this fact has been widely reported in the news media, the reason for the OVH attack may not be so well known.

According to a tweet from OVH founder and chief technology officer Octave Klaba, the target of that massive attack also was a Minecraft server (although Klaba mistakenly called the target “mindcraft servers” in his tweet).

A tweet from OVH founder and CTO, stating the intended target of Sept. 2016 Mirai DDoS on his company.

Turns out, in the days following the attack on this site and on OVH, Anna-Sempai had trained his Mirai botnet on Coelho’s ProxyPipe, completely knocking his DDoS mitigation service offline for the better part of a day and causing problems for many popular Minecraft servers.

Unable to obtain more bandwidth and unwilling to sign an expensive annual contract with a third-party DDoS mitigation firm, Coelho turned to the only other option available to get out from under the attack: Filing abuse complaints with the Internet hosting firms that were responsible for providing connectivity to the control server used to orchestrate the activities of the Mirai botnet.

“We did it because we had no other options, and because all of our customers were offline,” Coelho said. “Even though no other DDoS mitigation company was able to defend against these attacks [from Mirai], we still needed to defend against it because our customers were starting to move to other providers that attracted fewer attacks.”

After scouring a list of Internet addresses tied to bots used in the attack, Coelho said he was able to trace the control server for the Mirai botnet back to a hosting provider in Ukraine. That company — BlazingFast[dot]io — has a reputation for hosting botnet control networks.

Getting no love from BlazingFast, Coelho said he escalated his complaint to Voxility, a company that was providing DDoS protection to BlazingFast at the time.

“Voxility acknowledged the presence of the control server, and said they null-routed [removed] it, but they didn’t,” Coelho said. “They basically lied to us and didn’t reply to any other emails.”

Undeterred, Coelho said he then emailed the ISP that was upstream of BlazingFast, but received little help from that company or the next ISP further upstream. Coelho said the fifth ISP upstream of BlazingFast, however — Internet provider Telia Sonera — confirmed his report, and promptly had the Mirai botnet’s control server killed.

As a result, many of the systems infected with Mirai could no longer connect to the botnet’s control servers, drastically reducing the botnet’s overall firepower.

“The action by Telia cut the size of the attacks launched by the botnet down to 80 Gbps,” well within the range of ProxyPipe’s in-house DDoS mitigation capabilities, Coelho said.

Incredibly, on Sept. 28, Anna-Senpai himself would reach out to Coelho via Skype. Coelho shared a copy of that chat conversation with KrebsOnSecurity. The log shows that Anna correctly guessed ProxyPipe was responsible for the abuse complaints that kneecapped Mirai. Anna-Senpai said he guessed ProxyPipe was responsible after reading a comment on a KrebsOnSecurity blog post from a reader who shared the same username as Coelho’s business partner.

In the following chat, Coelho is using the Skype nickname “katie.onis.”

[10:23:08 AM] live:anna-senpai: ^
[10:26:08 AM] katie.onis: hi there.
[10:26:52 AM] katie.onis: How can I help you?
[10:28:06 AM] live:anna-senpai: hi
[10:28:45 AM] live:anna-senpai: you know i had my suspicions, but this one was proof [this is a benign/safe link to a screenshot of some comments on]

[10:28:59 AM] live:anna-senpai: don’t get me wrong, im not even mad, it was pretty funny actually. nobody has ever done that to my c2 [Mirai “command and control” server]
[10:29:25 AM] live:anna-senpai: (goldmedal)
[10:29:29 AM] katie.onis: ah you’re mistaken, that’s not us.
[10:29:33 AM] katie.onis: but we know who it is
[10:29:42 AM] live:anna-senpai: eric / 9gigs
[10:29:47 AM] katie.onis: no, 9gigs is erik
[10:29:48 AM] katie.onis: not eric
[10:29:53 AM] katie.onis: different people
[10:30:09 AM] live:anna-senpai: oh?
[10:30:17 AM] katie.onis: yep
[10:30:39 AM] live:anna-senpai: is he someone related to you guys?
[10:30:44 AM] katie.onis: not related to us, we just know him
[10:30:50 AM] katie.onis: anyway, we’re not interested in any harm, we simply don’t want attacks against us.
[10:31:16 AM] live:anna-senpai: yeah i figured, i added you because i wanted to tip my hat if that was actually you lol
[10:31:24 AM] katie.onis: we didn’t make that dumb post
[10:31:26 AM] katie.onis: if that is what you are asking
[10:31:30 AM] katie.onis: but yes, we were involved in doing that.
[10:31:47 AM] live:anna-senpai: so you got it nulled, but some other eric is claiming credit for it?
[10:31:52 AM] katie.onis: seems so.
[10:31:52 AM] live:anna-senpai: eric with a c
[10:31:56 AM] live:anna-senpai: lol
[10:32:17 AM] live:anna-senpai: can’t say im surprised, tons of people take credit for things that they didn’t do if nobody else takes credit for
[10:32:24 AM] katie.onis: we’re not interested in taking credit
[10:32:30 AM] katie.onis: we just wanted the attacks to get smaller


One reason Anna-Senpai may have been enamored of Coelho’s approach to taking down Mirai is that Anna-Senpai had spent the previous month doing exactly the same thing to criminals running IoT botnets powered by Mirai’s top rival — Qbot.

A month before this chat between Coelho and Anna-Senpai, Anna is busy sending abuse complaints to various hosting firms, warning them that they are hosting huge IoT botnet control channels that needed to be shut down. This was clearly just part of an extended campaign by the Mirai botmasters to eliminate other IoT-based DDoS botnets that might compete for the same pool of vulnerable IoT devices. Anna confirmed this in his chat with Coelho:

[10:50:36 AM] live:anna-senpai: i have good killer so nobody else can assemble a large net
[10:50:53 AM] live:anna-senpai: i monitor the devices to see for any new threats
[10:51:33 AM] live:anna-senpai: and when i find any new host, i get them taken down

The ISPs or hosting providers that received abuse complaints from Anna-Senpai were all encouraged to reply to the email address for questions and/or confirmation of the takedown. ISPs that declined to act promptly on Anna-Senpai’s Qbot email complaints soon found themselves on the receiving end of enormous DDoS attacks from Mirai.

Francisco Dias, owner of hosting provider Frantech, found out firsthand what it would cost to ignore one of Anna’s abuse reports. In mid-September 2016, Francisco accidentally got into an Internet fight with Anna-Senpai.  The Mirai botmaster was using the nickname “jorgemichaels” at the time — and Jorgemichaels was talking trash on, a discussion forum for vendors of low-costing hosting.

Specifically, Jorgemichaels takes Francisco to task publicly on the forum for ignoring one of his Qbot abuse complaints. Francisco tells Jorgemichaels to file a complaint with the police if it’s so urgent. Jorgemichaels tells Francisco to shut up, and when Francisco is silent for a while Jorgemichaels gloats that Francisco learned his place. Francisco explains his further silence on the thread by saying he’s busy supporting customers, to which Jorgemichaels replies, “Sounds like you just got a lot more customers to help. Don’t mess with the underworld francisco or it will harm your business.”

Shortly thereafter, Frantech is systematically knocked offline after being attacked by Mirai. Below is a fascinating snippet from a private conversation between Francisco and Anna-Senpai/Jorgemichaels, in which Francisco kills the reported Qbot control server to make Anna/Jorgemichaels call off the attack.

Using the nickname “jorgemichaels” on LowEndTalk, Anna-Senpai reaches out to Francisco Dias after Dias ignores Anna’s abuse complaint. Francisco agrees to kill the Qbot control server only after being walloped with Mirai.

Back to the chat between Anna-Senpai and Coelho at the end of Sept 2016.  Anna-Senpai tells Coelho that the attacks against ProxyPipe aren’t personal; they’re just business. Anna says he has been renting out “net spots” — sizable chunks of his Mirai botnet — to other hackers who use them in their own attacks for pre-arranged periods of time.

By way of example, Anna brags that as he and Coelho are speaking, the owners of a large Minecraft server were paying him to launch a crippling DDoS against Hypixel, currently the world’s most popular Minecraft server. KrebsOnSecurity confirmed with Hypixel that they were indeed under a massive attack from Mirai between Sept. 27 and 30.

[12:24:00 PM] live:anna-senpai: right now i just have a script sitting there hitting them for 45s every 20 minutes
[12:24:09 PM] live:anna-senpai: enough to drop all players and make them rage

Coelho told KrebsOnSecurity that the on-again, off-again attack DDoS method that Anna described using against Hypixel was designed not just to cost Hypixel money. The purpose of that attack method, he said, was to aggravate and annoy Hypixel’s customers so much that they might take their business to a competing Minecraft server.

“It’s not just about taking it down, it’s about making everyone who is playing on that server crazy mad,” Coelho explained. “If you launch the attack every 20 minutes for a short period of time, you basically give the players just enough time to get back on the server and involved in another game before they’re disconnected again.”

Anna-Senpai told Coelho that paying customers also were the reason for the 620 Gbps attack on KrebsOnSecurity. Two weeks prior to that attack, I published the results of a months-long investigation revealing that “vDOS” — one of the largest and longest-running DDoS-for-hire services — had been hacked, exposing details about the services owners and customers.

The story noted that vDOS earned its proprietors more than $600,000 and was being run by two 18-year-old Israeli men who went by the hacker aliases “applej4ck” and “p1st0”. Hours after that piece ran, Israeli authorities arrested both men, and vDOS — which had been in operation for four years — was shuttered for good.

[10:47:42 AM] live:anna-senpai: i sell net spots, starting at $5k a week
[10:47:50 AM] live:anna-senpai: and one client was upset about applejack arrest
[10:48:01 AM] live:anna-senpai: so while i was gone he was sitting on them for hours with gre and ack
[10:48:14 AM] live:anna-senpai: when i came back i was like oh fuck
[10:48:16 AM] live:anna-senpai: and whitelisted the prefix
[10:48:24 AM] live:anna-senpai: but then krebs tweeted that akamai is kicking them off
[10:48:31 AM] live:anna-senpai: fuck me
[10:48:43 AM] live:anna-senpai: he was a cool guy too, i like his article

[SIDE NOTE: If true, it’s ironic that someone would hire Anna-Senpai to attack my site in retribution for the vDOS story. That’s because the firepower behind applej4ck’s vDOS service was generated in large part by a botnet of IoT systems infected with a Qbot variant — the very same botnet strain that Anna-Senpai and Mirai were busy killing and erasing from the Internet.]

Coelho told KrebsOnSecurity that if his side of the conversation reads like he was being too conciliatory to his assailant, that’s because he was wary of giving Anna a reason to launch another monster attack against ProxyPipe. After all, Coelho said, the Mirai attacks on ProxyPipe caused many customers to switch to other Minecraft servers, and Coelho estimates the attack cost the company between $400,000 and $500,000.

Nevertheless, about halfway through the chat Coelho gently confronts Anna on the consequences of his actions.

[10:54:17 AM] katie.onis: People have a genuine reason to be unhappy though about large attacks like this
[10:54:27 AM] live:anna-senpai: yeah
[10:54:32 AM] katie.onis: There’s really nothing anyone can do lol
[10:54:36 AM] live:anna-senpai:
[10:54:38 AM] katie.onis: And it does affect their lives
[10:55:10 AM] live:anna-senpai: well, i stopped caring about other people a long time ago
[10:55:18 AM] live:anna-senpai: my life experience has always been get fucked over or fuck someone else over
[10:55:52 AM] katie.onis: My experience with [ProxyPipe] thus far has been
[10:55:54 AM] katie.onis: Do nothing bad to anyone
[10:55:58 AM] katie.onis: And still get screwed over
[10:55:59 AM] katie.onis: Haha

The two even discussed anime after Anna-Senpai guessed that Coelho might be a fan of the genre. Anna-Senpai says he watched the anime series “Gate,” a reference to the above-mentioned B Gata H Hei that Dreadiscool included in the list of anime film series he’s watched. Anna also confirms that the name for his bot malware was derived from the anime series Mirai Nikki.

[5:25:12 PM] live:anna-senpai: i rewatched mirai nikki recently
[5:25:22 PM] live:anna-senpai: (it was the reason i named my bot mirai lol)


Coelho said when Anna-Senpai first reached out to him on Skype, he had no clue about the hacker’s real-life identity. But a few weeks after that chat conversation with Anna-Senpai, Coelho’s business partner (the Eric referenced in the first chat segment above) said he noticed that some of the code in Mirai looked awfully similar to code that Dreadiscool had posted to his Github account.

“He started to come to the conclusion that maybe Anna was Paras,” Coelho said. “He gave me a lot of ideas, and after I did my own investigation I decided he was probably right.”

Coelho said he’s known Paras Jha for more than four years, having met him online when Jha was working for Minetime — which ProxyPipe was protecting from DDoS attacks at the time.

“We talked a lot back then and we used to program a lot of projects together,” Coelho said. “He’s really good at programming, but back then he wasn’t. He was a little bit behind, and I was teaching him most everything.”

According to Coelho, as Jha became more confident in his coding skills, he also grew more arrogant, belittling others online who didn’t have as firm a grasp on subjects such as programming and DDoS mitigation.

“He likes to be recognized for his knowledge, being praised and having other people recognize that,” Coelho said of Jha. “He brags too much, basically.”

Coelho said not long after Minetime was hit by a DDoS extortion attack in 2013, Paras joined Hackforums and fairly soon after stopped responding to his online messages.

“He just kind of dropped off the face of the earth entirely,” he said. “When he started going on Hackforums, I didn’t know him anymore. He became a different person.”

Coelho said he doesn’t believe his old friend wished him harm, and that Jha was probably pressured into attacking ProxyPipe.

“In my opinion he’s still a kid, in that he gets peer-pressured a lot,” Coelho said. “If he didn’t [launch the attack] not only would he feel super excluded, but these people wouldn’t be his friends anymore, they could out him and screw him over. I think he was pretty much in a really bad position with the people he got involved with.”


On Dec. 16, security vendor Digital Shadows presented a Webinar that focused on clues about the Mirai author’s real life identity. According to their analysis, before the Mirai author was known as Anna-Senpai on Hackforums, he used the nickname “Ogmemes123123” (this also was the alias of the Skype username that contacted Coelho), and the email address (recall this is the same email address Anna-Senpai used in his alerts to various hosting firms about the urgent need to take down Qbot control servers hosted on their networks).

Digital Shadows noted that the Mirai author appears to have used another nickname: “OG_Richard_Stallman,” a likely reference to the founder of the Free Software Foundation. The account was used to register a Facebook account in the name of OG_Richard Stallman.

That Facebook account states that OG_Richard_Stallman began studying computer engineering at New Brunswick, NJ-based Rutgers University in 2015.

As it happens, Paras Jha is a student at Rutgers University. This is especially notable because Rutgers has been dealing with a series of DDoS attacks on its network since the fall semester of 2015 — more than a half dozen incidents in all. With each DDoS, the attacker would taunt the university in online posts and media interviews, encouraging the school to spend the money to purchase some kind of DDoS mitigation service.

Using the nicknames  “og_richard_stallman,” “exfocus” and “ogexfocus,” the person who attacked Rutgers more than a half-dozen times took to Reddit and Twitter to claim credit for the attacks. Exfocus even created his own “Ask Me Anything” interview on Reddit to discuss the Rutgers attacks.

Exfocus also gave an interview to a New Jersey-based blogger, claiming he got paid $500 an hour to DDoS the university with as many as 170,000 bots. Here are a few snippets from that interview, in which he blames the attacks on a “client” who is renting his botnet:

Are you for real? Why would you do an interview with us if you’re getting paid?

Normally I don’t show myself, but the entity paying me has something against the school. They want me to “make a splash”.

Why do you have a twitter account where you publically broadcast patronizing messages. Are you worried that this increases the risk of things getting back to you?

Public twitter is on clients request. The client hates the school for whatever reason. They told me to say generic things like that I hate the bus system and etc.

Have you ever attacked RU before?

During freshman registration the client requested it also – he didn’t want any publicity then though.

What are your plans for the future in terms of DDOSing and attacking the Rutgers cyber infrastructure?

When I stop getting paid – I’ll stop DDosing lol. I’m hoping that RU will sign on some ddos mitigation provider. I get paid extra if that happens.

At some point you said you were at the Livingston student center – outside of Sbarro. In this interview you said that you aren’t affiliated directly with Rutgers, did you lie then?


An online search for the Gmail address used by Anna-Senpai and OG_Richard_Stallman turns up a Pastebin post from July 1, 2016, in which an anonymous Pastebin user creates a “dox” of OG_Richard_Stallman. Doxing refers to the act of publishing someone’s personal information online and/or connecting an online alias to a real life identity.

The dox said OG_Richard_Stallman was connected to an address and phone number of an individual living in Turkey. But this is almost certainly a fake dox intended to confuse cybercrime investigators. Here’s why:

A Google search shows that this same address and phone number showed up in another dox on Pastebin from almost three years earlier — June 2013 — intended to expose or confuse the identity of a Hackforums user known as LiteSpeed. Recall that LiteSpeed is the same alias that ProTraf’s Josiah White acknowledged using on Hackforums.


This OG_Richard_Stallman identity is connected to Anna-Senpai by another person we’ve heard from already: Francisco Dias, whose Frantech ISP was attacked by Anna-Senpai and Mirai in mid-September. Francisco told KrebsOnSecurity that in early August 2016 he began receiving extortion emails from a Gmail address associated with a OG_Richard_Stallman.

“This guy using the Richard Stallman name added me on Skype and basically said ‘I’m going to knock all of your [Internet addresses] offline until you pay me’,” Dias recalled. “He told me the up front cost to stop the attack was 10 bitcoins [~USD $5,000 at the time], and if I didn’t pay within four hours after the attack started the fee would double to 20 bitcoins.”

Dias said he didn’t pay the demand and eventually OG_Richard_Stallman called off the attack. But he said for a while the attacks were powerful enough to cause problems for Frantech’s Internet provider.

“He was hitting us so hard with Mirai that he was dropping large parts of Hurricane Electric and causing problems at their Los Angeles point of presence,” Dias said. “I basically threw everything behind [DDoS mitigation provider] Voxility, and eventually Stallman buggered off.”

The OG_Richard_Stallman identity also was tied to similar extortion attacks at the beginning of August against one hosting firm that had briefly been one of ProTraf’s customers in 2016. The company declined to be quoted on the record, but said it stopped doing business with Protraf in mid-2016 because they were unhappy with the quality of service.

The Internet provider said not long after that it received an extortion demand from the “OG_Richard_Stallman” character for $5,000 in Bitcoin to avoid a DDoS attack. One of the company’s researchers contacted the extortionist via the address supplied in the email, but posing as someone who wished to hire some DDoS services.

OG_Richard_Stallman told the researcher that he could guarantee 350 Gbps of attack traffic and that the target would go down or the customer would receive a full refund. The price for the attack? USD $100 worth of Bitcoin for every five minutes of attack time.

My source at the hosting company said his employer declined to pay the demand, and subsequently got hit with an attack from Mirai that clocked in at more than 300 Gbps.

“Clearly, the attacker is very technical, as they attacked every single [Internet address] within the subnet, and after we brought up protection, he started attacking upstream router interfaces,” the source said on condition of anonymity.

Asked who they thought might be responsible for the attacks, my source said his employer immediately suspected ProTraf. That’s because the Mirai attack also targeted the Internet address for the company’s home page, but that Internet address was hidden by DDoS mitigation firm Cloudflare. However, ProTraf knew about the secret address from its previous work with the company, the source explained.

“We believe it’s Protraf’s staff or someone related to Protraf,” my source said.

A source at an Internet provider agreed to share information about an extortion demand his company received from OG_Richard_Stallman in August 2016. Here he is contacting the Stallman character directly and pretending to be someone interested in renting a botnet. Notice the source brazenly said he wanted to DDoS ProTraf.


After months of gathering information about the apparent authors of Mirai, I heard from Ammar Zuberi, once a co-worker of ProTraf President Paras Jha.

Zuberi told KrebsOnSecurity that Jha admitted he was responsible for both Mirai and the Rutgers DDoS attacks. Zuberi said when he visited Jha at his Rutgers University dorm in October 2015, Paras bragged to him about launching the DDoS attacks against Rutgers.

“He was laughing and bragging about how he was going to get a security guy at the school fired, and how they raised school fees because of him,” Zuberi recalled.  “He didn’t really say why he did it, but I think he was just sort of experimenting with how far he could go with these attacks.”

Zuberi said he didn’t realize how far Jha had gone with his DDoS attacks until he confronted him about it late last year. Zuberi said he was on his way to see his grandmother in Arizona at the end of November 2016, and he had a layover in New York. So he contacted Jha and arranged to spend the night at Jha’s home in Fanwood, New Jersey.

As I noted in Spreading the DDoS Disease and Selling the Cure, Anna-Senpai leaked the Mirai code on a domain name (santasbigcandycane[dot]cx) that was registered via Namecentral, an extremely obscure domain name registrar which had previously been used to register fewer than three dozen other domains over a three-year period.

According to Zuberi, only five people knew about the existence of Namecentral: himself, CJ Sculti, Paras Jha, Josiah White and Namecentral’s owner Jesse Wu (19-year-old Wu features prominently in the DDoS Disease story linked in the previous paragraph).

“When I saw that the Mirai code had been leaked on that domain at Namecentral, I straight up asked Paras at that point, ‘Was this you?,’ and he smiled and said yep,” Zuberi recalled. “Then he told me he’d recently heard from an FBI agent who was investigating Mirai, and he showed me some text messages between him and the agent. He was pretty proud of himself, and was bragging that he led the FBI on a wild goose chase.”

Zuberi said he hasn’t been in contact with Jha since visiting his home in November. Zuberi said he believes Jha wrote most of the code that Mirai uses to control the individual bot-infected IoT devices, since it was written in Golang and Jha’s partner White didn’t code well in this language. Zuberi said he thought White’s role was mainly in developing the spreading code used to infect new IoT devices with Mirai, since that was written in C — a language White excelled at.

In the time since most of the above occurred, the Internet address ranges previously occupied by ProTraf have been withdrawn. ProxyPipe’s Coelho said it could be that the ProTraf simply ran out of money.

ProTraf’s Josiah White explained the disappearance of ProTraf’s Internet space as part of an effort to reboot the company.

“We [are] in the process of restructuring and refocusing what we are doing,” White told KrebsOnSecurity.

Jha did not respond to requests for comment.

Rutgers University did not respond to requests for comment.

The FBI officials could not be immediately reached for comment.

A copy of the entire chat between Anna-Senpai and ProxyPipe’s Coelho is available here.


Posted in Blogs, Security | Tagged , , , | Leave a comment

Before You Pay that Ransomware Demand…

Before You Pay that Ransomware Demand…

Krebs On Security December 22 2016

A decade ago, if a desktop computer got infected with malware the chief symptom probably was an intrusive browser toolbar of some kind. Five years ago you were more likely to get whacked by a banking trojan that stole all your passwords and credit card numbers. These days if your mobile or desktop computer is infected what gets installed is likely to be “ransomware” — malicious software that locks your most prized documents, songs and pictures with strong encryption and then requires you to pay for a key to unlock the files.

Here’s some basic advice about where to go, what to do — and what not to do — when you or someone you know gets hit with ransomware.


First off — breathe deep and try not to panic. And don’t pay the ransom.

True, this may be easier said than done: In many cases the ransom note that hijacks the victim’s screen is accompanied by a digital clock ominously ticking down the minutes and seconds from 72 hours. When the timer expires, the ransom demand usually goes up or even doubles. Continue to ignore the demands and your files will be gone, kaput, nil, nyet, zilch, done forever, warns the extortion message.

See, the key objective of ransomware is a psychological one — to instill fear, uncertainty and dread in the victim — and to sow the conclusion in the victim’s mind that any solution for restoring full access to all his files involves paying up. Indeed, paying the ransom is often the easiest, fastest and most complete way of reversing a security mistake, such as failing to patch, opening a random emailed document e.g., or clicking a link that showed up unbidden in instant message. Some of the more advanced and professional ransomware operations have included helpful 24/7 web-based tech support.

The ransom note from a recent version of the "Locky" ransomware variant. Image:

Paying up is certainly not the cheapest option. The average ransom demanded is approximately $722, according to an analysis published in September by Trend Micro. Interestingly, Trend found the majority of organizations that get infected by ransomware end up paying the ransom. They also found three-quarters of companies which had not suffered a ransomware infection reported they would not pay up when presented with a data ransom demand. Clearly, people tend to see things differently when they’re the ones in the hot seat.

And for those not yet quite confident in the ways of Bitcoin (i.e. most victims), paying up means a crash course in acquiring the virtual currency known as Bitcoin. Some ransomware attackers are friendlier than others in helping victims wade through the process of setting up an account to handle Bitcoin, getting it funded, and figuring out how to pay other people with it. Others just let you figure it all out. The entire ordeal is a trial by fire for sure, but it can also be a very expensive, humbling and aggravating experience.

In the end the extortionist may bargain with you if they’re in a good mood, or if you have a great sob story. But they still want you to know that your choice is a binary one: Pay up, or kiss your sweet files goodbye forever.

This scenario reminds me of the classic short play/silent movie about the villainous landlord and the poor young lady who can’t pay the rent. I imagine the modern version of this play might go something like…

mustpaytherentVillain: You MUST pay the ransom!

Victim: I CAN’T pay the ransom!

Villain: You MUST pay the ransom!

Victim: I CAN’T pay the ransom!

Hero: I’ll pay the ransom!

Victim: Oh! My hero!

Villain: Curses! Foiled again!

Okay, nobody’s going to pay the ransomware demand for you (that’s only in Hollywood!). But just like the hero in the silent movie, there are quite a few people out there who are in fact working hard to help victims avoid paying the ransom (AND get their files back to boot).

Assuming you don’t have a recent backup you can restore, fear not: With at least some strains of ransomware, the good guys have already worked out a way to break or sidestep the encryption, and they’ve posted the keys needed to unlock these malware variants free of charge online.

But is the strain that hit your device one that experts already know how to crack? 


The first place victims should look to find out is, a site backed by security firms and cybersecurity organizations in 22 countries. Since its launch on July 25, 2016, estimates that it has been able to save 6,000 victims of ransomware more than $2 million USD to date. Last week the group announced the site is now available in Dutch, French, Italian, Portuguese and Russian.


Visit the Crypto Sheriff page at, upload one of the files encrypted by the ransomware, and the site will let you know if there is a solution available to unlock all of your files for free.

Another destination that may be useful for ransomware victims is, which has an excellent Ransomware Help and Tech Support section that is quite useful and may save you a great deal of time and money. But please don’t just create an account here and cry for help. Your best bet is to read the “pinned” notes at the top of that section and follow the instructions carefully.

Chances are, whoever responds to your request will want you to have run a few tools to help identify which strain of ransomware hit your system before agreeing to help. So please be patient and be kind, and remember that if someone decides to help you here they are likely doing so out of their own time and energy.'s ransomware guide.


Regularly backup your data, and make sure the backups are not connected to the computers and networks they are backing up. Most ransomware variants can encrypt files on any attached drives or network files that are also accessible to the host machine (including cloud hosting and cloud-based backups if those passwords are stored on the machine). Bleepingcomputer’s Lawrence Abrams just published this a nice primer called How to Protect and Harden a Computer Against Ransomware.

Many companies are now selling products that claim to block ransomware attacks. Those claims are beyond the scope of this article, but don’t be lulled into thinking these products will always protect you.

Even products that could somehow block all ransomware attacks can’t prevent the biggest reason that ransomware attacks succeed: They trick victims into taking an action that inadvertently undermines the security of their device — be it a smart phone, tablet or desktop computer.

This usually involves clicking a link or downloading and opening a file that arrives in an email or instant message. In either case, it is an action that opens the door to the attacker to download and install malware.

Remember my Three Rules of Online Security:

...For Online Safety.

1: If you didn’t go looking for it, don’t install it.

2: If you installed it, update it.

3: If you no longer need it (or, if it’s become too big of a security risk) get rid of it.

These rules apply no matter what device you use to get online, but I’ll add a few recommendations here that are more device-specific. For desktop users, some of the biggest risks come from insecure browser plugins, as well as malicious Microsoft Office documents and “macros” sent via email and disguised as invoices or other seemingly important, time-sensitive documents.

Microsoft has macros turned off by default in most modern Office versions because they allow attackers to take advantage of resources on the target’s computer that could result in running code on the system. So understand that responding affirmatively to an “Enable Macros?” prompt in an Office document you received externally and were not expecting is extremely risky behavior.

Enterprises can use a variety of group policy changes to harden their defenses against ransomware attacks, such as this one which blocks macros from opening and automatically running in Office programs on Windows 10. Other ransomware-specific group policy guides are here, here and here (happy to add more “here’s” here if they are worthy, let me know).

Also, get rid of or hobble notoriously insecure, oft-targeted browser plugins that require frequent security updates — like Java and Flash. If you’re not good about updating these programs frequently, you may fall victim to an exploit kit that delivers ransomware. Exploit kits are malicious programs made to be stitched into hacked or malicious Web sites. People who visit these sites or who are redirected to them and who are browsing the Web with an outdated version of Flash or Java can have malware automatically and quietly installed.

Mobile users in general need to spend just a tiny fraction more time discerning the origin and reputation of the applications they wish to install, as mobile ransomware variants tend to mimic or even piggyback on popular games and applications found in app stores and other places. Don’t just download the first app that matches your search. And always download from the original source whenever possible to ensure you’re not getting a copycat, counterfeit or malicious version of the game or application that you’re seeking.

For more tips on how not to become the next ransomware victim, check out the bottom half of the FBI’s most recent advisory on the topic.

Posted in Security | Tagged , , , , , , | Leave a comment

Don’t be a Victim of These Common Phishing Attacks


McAfee, J. (2016). An email hack can destroy our digital world and we won’t see it coming.

Computer Associates (2005). Types of Phishing Attacks.

Levine, K. (2015). How to Identify 5 Common Phishing Attacks.

Norton (2016). Spear Phishing: Scam, Not Sport.

Krebs, B. (2015). Tech Firm Ubiquiti Suffers $46M Cyberheist.

Norton (2016). How to Protect Against Pharming.

Sullivan, D. (2015). Two Dropbox Phishing Scams Cause Consumer Problems.

Johnston, N. (2014). Sophisticated Google Drive Phishing Scam Returns.


Posted in Education, Privacy, Security | Tagged , , , , | Leave a comment

How to Use “New Tab” in Chrome as a Note Taker

How to Use “New Tab” in Chrome as a Note Taker


There are plenty of uses for Google Chrome’s new tab, and with the extensionNew Tab Draft, you can turn it into a note taker.

The extension has absolutely no bells and whistles. When you launch a new tab, you’ll be presented to a distraction free blank page to write on. If you close the tab and re-open it, you’ll find the same text that you had typed there before.

According to the New Tab Draft developer, the content is saved on your browser, and not on a server.

Different Uses for New Tab Draft

New Tab Draft is extremely simple. There’s no way to save more than one note at a time, and you’ll find no text formatting options. So why use New Tab Draft?

The first reason is its simplicity. If you’re just looking for an easy place to take notes during a meeting, to start writing a blog post or story, or just want to jot down an idea before you forget — it’s right there at your fingertips as you browse online.

The blank white page makes sure you focus on one thing and one thing alone — what you want to write. Another great use for New Tab Draft is to save text that you find that you use a lot.

Another great use for New Tab Draft is to save text that you find that you use a lot. If you send out a lot of repetitive emails, or tend to have to type the same thing over and over again in your browser, why not use New Tab Draft as a repository for all those phrases for easy access?

A third way you can use the extension is as a daily to-do list. You can create a list of your tasks for the day, and delete them as they are completed. It’s a great way to keep everything you need to stay on top of just one tab away.

In addition to using it as a note taker, New Tab Draft allows you to perform simple math calculations.

Posted in Blogs, Google | Tagged , , | Leave a comment