Attacks/Breaches

8/28/2017 04:55 PM

Massive Android DDoS Botnet Derailed

WireX was being used to launch DDoS attacks against targets in multiple industries; Google removes 300 botnet-related apps from Play Store.

Researchers from multiple organizations teamed up to disrupt a massive Android-device botnet dubbed WireX that was being used to launch distributed denial-of-service attacks against targets in a variety of industries including hospitality, gambling, porn, and domain name registrars.

Google, which was informed of the threat a few days ago, has scrubbed its Play Store of some 300 malicious Android apps that were being used to infect Android devices and co-opt them into the WireX botnet. The company is currently in the process of removing the malware from an undisclosed number of infected Android devices around the world.

WireX appears to have first surfaced on August 2 and remained unnoticed until August 15, when researchers from multiple security companies began observing it being used in prolonged DDoS attacks, some involving a minimum of 70,000 IP addresses. An analysis of the DDoS attack data showed that it came from infected devices in more than 100 countries.

Among those who collaborated in taking down the threat were Akamai, Flashpoint, Cloudflare, Oracle Dyn, RiskIQ, and Team Cymru.

In a joint blog post today, researchers from these companies described WireX as a volumetric DDoS attack targeting the application layer. The traffic generated by the compromised Android devices consisted mostly of HTTP GET requests that appeared to come from valid clients and web browsers. In some cases the traffic resembled HTTP POST requests as well.

The sheer size of the botnet, and the fact that it was made up of infected mobile devices from as many as 100 different countries, is somewhat unusual for modern DDoS attacks, the researchers said.

"This botnet is capable of pushing HTTPS, which exhausts even more resources than a regular HTTP flood," says Allison Nixon, director of security research at Flashpoint. "The size of the botnet is also extremely large, and both of these qualities are uncommon" in DDoS attacks, Nixon says.

Tim April, senior security architect at Akamai, says the biggest observed attacks involving WireX were in the range of around 1.1 million well-formed HTTP requests per minute. "With the nature of application layer attacks, [bandwidth per second] numbers are not as meaningful since these requests tend to result in much more server load than network volume," he says.

One of the distinct identifying markers of traffic from the botnet was the presence of a User-Agent string containing all 26 letters of the English alphabet in lower case and in random order. The User-Agent string is the header sent as part of an HTTP request that identifies the browser or other client the user is accessing Web content with.

"The use of a consistent 26-character length seemingly random user agents is what initially caught our attention that this might be something particularly interesting," says Justin Paine, head of trust and safety at Cloudflare.
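The marker described above (a 26-character User-Agent that is a permutation of the lowercase alphabet) is easy to check for in web server logs. The following is an added detection example, not code from the article or from any of the companies involved; the log lines are constructed samples in the common combined log format, and the IP addresses are documentation-range placeholders.

```python
import re
import string

# Constructed sample log lines (combined log format); not from the original article.
SAMPLE_LOGS = [
    '203.0.113.10 - - [15/Aug/2017:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "jigexmponkzsvbhwcdfaltyqur"',
    '203.0.113.11 - - [15/Aug/2017:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36"',
    '203.0.113.12 - - [15/Aug/2017:12:00:03 +0000] "POST /login HTTP/1.1" 200 128 "-" "qwertyuiopasdfghjklzxcvbnm"',
    '203.0.113.13 - - [15/Aug/2017:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "abcdefghijklmnopqrstuvwxyz"',
    '203.0.113.14 - - [15/Aug/2017:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "aaaaaaaaaaaaaaaaaaaaaaaaaa"',
]

ALPHABET = frozenset(string.ascii_lowercase)

# In the combined log format the User-Agent is the last quoted field on the line.
UA_RE = re.compile(r'"([^"]*)"\s*$')


def is_wirex_style_ua(ua):
    """True if ua is exactly the 26 lowercase letters, each appearing once.

    Length alone is not enough: a 26-character string of repeated letters
    (or a real browser UA that happens to be 26 characters) must not match,
    so the check requires the set of characters to equal the whole alphabet.
    """
    return len(ua) == 26 and set(ua) == ALPHABET


def user_agent(line):
    """Extract the User-Agent field from a combined-format log line, or None."""
    m = UA_RE.search(line)
    return m.group(1) if m else None


def flag_lines(lines):
    """Return (client_ip, user_agent) pairs for lines carrying the WireX marker."""
    hits = []
    for line in lines:
        ua = user_agent(line)
        if ua is not None and is_wirex_style_ua(ua):
            hits.append((line.split()[0], ua))
    return hits


if __name__ == "__main__":
    for ip, ua in flag_lines(SAMPLE_LOGS):
        print(f"suspect client {ip}: User-Agent {ua!r}")
```

Matches are a strong signal rather than proof on their own; in practice the per-client request rate and the share of matching requests should be tracked alongside, since a real browser never sends a User-Agent of this shape.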

The fact that both Akamai and Cloudflare had seen the same types of attacks also was significant and contributed to the decision by the different organizations to work together to mitigate the threat, he says.

Many of the Android applications that were used to infect devices were designed to look like benign media and video players, ringtone apps, and storage managers. The applications had hidden features in them that would secretly connect to malicious command and control servers when users downloaded and ran the applications.

The malicious applications took advantage of certain legitimate features in the Android service architecture to launch attacks even when the applications were not in use.

Team Takedown

The most unique aspect of this event was how the industry came together to collaborate on the takedown, Nixon says. The type of information-sharing that went into the effort should serve as an example of how industry collaboration can work, she says. "When companies are under attack, they often go radio silent, but in truth that is the moment when they need to be sharing information the most."

Darren Spruell, threat researcher at RiskIQ, says that takedowns like this show how despite competing interests, many organizations regularly combine forces to combat criminal activity. "WireX abuse involves the global DNS, content delivery networks, malicious mobile apps, Web hosting and ads ecosystems," Spruell says.

In this instance, RiskIQ was able to provide insight gathered from its URL intelligence service, its external threats service, and community data gathered from customers, he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

lancop, 8/30/2017 10:11:28 AM
Great article! List of PlayStore apps that were taken down?
Vijay, another great article that is a heads up to every one of us in the network security field. Knowing how WireX was operating, how it was detected, and how it was disseminated, is a huge benefit from paying attention to DARKReading newsletters.

One more thing that I would like to know from you guys is: Where can I find a list of the Android PlayStore apps that were taken down as part of this WireX forensic investigation?

(I sure would like to know if I have any of these apps installed on my android devices, and I would like to advise my clients, family and friends about these poisoned apps.)

After the who, what, where, when, why and how, there is also an imperative to find out what ACTIONS to take next. Uninstalling infected apps is a clear next step, but where is the information & guidance on this?

Thanks for a very informative article. I always look forward to reading your work!

Regards,

Big Al