8/28/2017
04:55 PM
Massive Android DDoS Botnet Derailed

WireX was being used to launch DDoS attacks against targets in multiple industries; Google removes 300 botnet-related apps from Play Store.

Researchers from multiple organizations teamed up to disrupt a massive Android-device botnet dubbed WireX that was being used to launch distributed denial-of-service attacks against targets in a variety of industries including hospitality, gambling, porn, and domain name registrars.

Google, which was informed of the threat a few days ago, has scrubbed its Play Store of some 300 malicious Android apps that were being used to infect devices and co-opt them into the WireX botnet. The company is currently removing the malware from an undisclosed number of infected Android devices around the world.

WireX appears to have first surfaced on August 2 and remained unnoticed until August 15, when researchers from multiple security companies began observing it being used in prolonged DDoS attacks, some involving a minimum of 70,000 IP addresses. An analysis of the attack data showed that it came from infected devices in more than 100 countries.

Among those who collaborated in taking down the threat were Akamai, Flashpoint, Cloudflare, Oracle Dyn, RiskIQ, and Team Cymru.

In a joint blog post today, researchers from the companies described WireX as a volumetric DDoS attack targeting the application layer. The traffic generated by the compromised Android devices consisted mostly of HTTP GET requests that appeared to come from valid clients and web browsers; in some cases the traffic resembled HTTP POST requests as well.

The sheer size of the botnet, and the fact that it consisted of infected mobile devices from as many as 100 different countries, is somewhat unusual for modern DDoS attacks, the researchers said.

"This botnet is capable of pushing HTTPS, which exhausts even more resources than a regular HTTP flood," says Allison Nixon, director of security research at Flashpoint. "The size of the botnet is also extremely large, and both of these qualities are uncommon" in DDoS attacks, Nixon says.

Tim April, senior security architect at Akamai, says the biggest observed attacks involving WireX were in the range of around 1.1 million well-formed HTTP requests per minute. "With the nature of application layer attacks, [bandwidth per second] numbers are not as meaningful since these requests tend to result in much more server load than network volume," he says.

One of the distinctive identifying markers of traffic from the botnet was a User-Agent string containing all 26 letters of the English alphabet in lower case, in random order. The User-Agent string is an HTTP request header in which the client (typically the browser the user interacts with to access Web content) identifies itself.

"The use of a consistent 26-character length seemingly random user agents is what initially caught our attention that this might be something particularly interesting," says Justin Paine, head of trust and safety at Cloudflare.
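As an added example (not code from the article or from the researchers' report), the following Python flags requests carrying that marker in access-log lines and counts them per client; the combined log format, the sample lines and the addresses are constructed assumptions.

```python
"""Added example: detect User-Agent strings that are a 26-letter lowercase
permutation of the alphabet (the WireX marker described above) in
constructed access-log lines, and count hits per client IP."""
import re
from collections import Counter

ALPHABET = set("abcdefghijklmnopqrstuvwxyz")

# Apache/Nginx combined log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def is_wirex_style_ua(ua: str) -> bool:
    """True only if the UA is exactly the 26 lowercase letters a-z, each once."""
    return len(ua) == 26 and set(ua) == ALPHABET


def scan_log(lines):
    """Return (hits per client IP, flagged UAs) for lines showing the marker."""
    per_ip = Counter()
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        ua = m.group("ua")
        if is_wirex_style_ua(ua):
            per_ip[m.group("ip")] += 1
            flagged.append(ua)
    return per_ip, flagged


# Constructed sample lines (documentation IP ranges, not real clients).
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Aug/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "qwertyuiopasdfghjklzxcvbnm"',
    '203.0.113.10 - - [15/Aug/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "thequickbrownfxjmpsvlazydg"',
    '198.51.100.7 - - [15/Aug/2017:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/55.0"',
    '192.0.2.44 - - [15/Aug/2017:10:00:02 +0000] "POST /login HTTP/1.1" 200 88 "-" "zyxwvutsrqponmlkjihgfedcba"',
    '192.0.2.44 - - [15/Aug/2017:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "aabcdefghijklmnopqrstuvwxy"',  # 26 chars, but a repeat
    '192.0.2.44 - - [15/Aug/2017:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "ABCDEFGHIJKLMNOPQRSTUVWXYZ"',  # upper case, not the marker
]

if __name__ == "__main__":
    hits, _ = scan_log(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} request(s) with alphabet-permutation User-Agent")
```

The length-and-set check deliberately rejects near misses (a repeated letter, upper case), since a legitimate client would not send this header form and a looser match would add false positives.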

The fact that both Akamai and Cloudflare had seen the same types of attacks also was significant and contributed to the decision by the different organizations to work together to mitigate the threat, he says.

Many of the Android applications that were used to infect devices were designed to look like benign media and video players, ringtone apps, and storage managers. The applications had hidden features in them that would secretly connect to malicious command and control servers when users downloaded and ran the applications.

The malicious applications took advantage of certain legitimate features in the Android service architecture to launch attacks even when the applications were not in use.

Team Takedown

The most distinctive aspect of this event was how the industry came together to collaborate on the takedown, Nixon says. The type of information-sharing that went into the effort should serve as an example of how industry collaboration can work, she says. "When companies are under attack, they often go radio silent, but in truth that is the moment when they need to be sharing information the most."

Darren Spruell, threat researcher at RiskIQ, says that takedowns like this show how, despite competing interests, many organizations regularly combine forces to combat criminal activity. "WireX abuse involves the global DNS, content delivery networks, malicious mobile apps, Web hosting and ads ecosystems," Spruell says.

In this instance, RiskIQ was able to provide insight gathered from its URL intelligence service, its external threats service, and community data gathered from customers, he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

lancop (User Rank: Apprentice), 8/30/2017 10:11:28 AM
Great article! List of PlayStore apps that were taken down?
Vijay, another great article that is a heads up to every one of us in the network security field. Knowing how WireX was operating, how it was detected, and how it was disseminated, is a huge benefit from paying attention to DARKReading newsletters.

One more thing that I would like to know from you guys is: Where can I find a list of the Android PlayStore apps that were taken down as part of this WireX forensic investigation?

(I sure would like to know if I have any of these apps installed on my Android devices, and I would like to advise my clients, family and friends about these poisoned apps.)

After the who, what, where, when, why and how, there is also an imperative to find out what ACTIONS to take next. Uninstalling infected apps is a clear next step, but where is the information & guidance on this?

Thanks for a very informative article. I always look forward to reading your work!

Regards,

Big Al