8/28/2017 04:55 PM

Massive Android DDoS Botnet Derailed

WireX was being used to launch DDoS attacks against targets in multiple industries; Google removes 300 botnet-related apps from Play Store.

Researchers from multiple organizations teamed up to disrupt a massive Android-device botnet dubbed WireX that was being used to launch distributed denial-of-service attacks against targets in a variety of industries including hospitality, gambling, porn, and domain name registrars.

Google, which was informed of the threat a few days ago, has removed some 300 malicious Android apps from its Play Store. The apps were being used to infect Android devices and co-opt them into the WireX botnet. The company is currently in the process of removing the malware from an undisclosed number of infected Android devices around the world.

WireX appears to have first surfaced on August 2 and remained unnoticed until August 15, when researchers from multiple security companies began observing it being used in prolonged DDoS attacks, some involving a minimum of 70,000 IP addresses. An analysis of the DDoS attack data showed that it came from infected devices in more than 100 countries.

Among those who collaborated in taking down the threat were Akamai, Flashpoint, Cloudflare, Oracle Dyn, RiskIQ, and Team Cymru.

In a joint blog post today, researchers from the companies described WireX as a volumetric DDoS attack targeting the application layer. The traffic generated by the compromised Android devices consisted mostly of HTTP GET requests that appeared to come from valid clients and web browsers. In some cases the traffic took the form of HTTP POST requests as well.

The sheer size of the botnet, and the fact that it consisted of infected mobile devices from as many as 100 different countries, is somewhat unusual for modern DDoS attacks, the researchers said.

"This botnet is capable of pushing HTTPS, which exhausts even more resources than a regular HTTP flood," says Allison Nixon, director of security research at Flashpoint. "The size of the botnet is also extremely large, and both of these qualities are uncommon" in DDoS attacks, Nixon says.

Tim April, senior security architect at Akamai, says the biggest observed attacks involving WireX were in the range of around 1.1 million well-formed HTTP requests per minute. "With the nature of application layer attacks, [bandwidth per second] numbers are not as meaningful since these requests tend to result in much more server load than network volume," he says.

One of the distinct identifying markers of traffic from the botnet was a user-agent string containing all the letters of the English alphabet in lower case, in random order. The user-agent string is the HTTP request header in which the browser or other client identifies itself to the web server.

"The use of a consistent 26-character length seemingly random user agents is what initially caught our attention that this might be something particularly interesting," says Justin Paine, head of trust and safety at Cloudflare.
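The marker described above is simple enough to check directly in web server logs. The following is an added example written for this page, not code from the researchers or companies involved: it parses a few constructed access-log lines in the common "combined" format and flags requests whose user agent is exactly the 26 lowercase letters, each appearing once. The log lines and IP addresses are made up for illustration; an ordered alphabet is flagged too, since it is still a permutation and a defender would want to see it.

```python
import re
import string
from collections import Counter

# Constructed sample access-log lines ("combined" format). Not real WireX traffic;
# the IPs are documentation addresses and the user agents are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Aug/2017:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "jigexmznvbqlkprosuwhytcadf"
203.0.113.11 - - [15/Aug/2017:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36"
203.0.113.12 - - [15/Aug/2017:10:01:03 +0000] "POST /login HTTP/1.1" 200 128 "-" "qwertyuiopasdfghjklzxcvbnm"
203.0.113.13 - - [15/Aug/2017:10:01:03 +0000] "GET /a.js HTTP/1.1" 200 64 "-" "aaaaaaaaaaaaaaaaaaaaaaaaaa"
203.0.113.14 - - [15/Aug/2017:10:01:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "abcdefghijklmnopqrstuvwxyz"
"""

# One "combined" log line: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

ALPHABET = frozenset(string.ascii_lowercase)


def is_alphabet_permutation(ua: str) -> bool:
    """True when the user agent is exactly the 26 lowercase letters, each once, in any order.

    Length 26 plus a character set equal to the alphabet means every letter appears
    exactly once, so repeated letters (e.g. 26 x 'a') are rejected.
    """
    return len(ua) == 26 and set(ua) == ALPHABET


def parse_line(line: str):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_wirex_like(log_text: str):
    """Return (ip, user_agent) for every request whose UA carries the WireX marker."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_alphabet_permutation(rec["ua"]):
            hits.append((rec["ip"], rec["ua"]))
    return hits


def flagged_source_counts(log_text: str) -> Counter:
    """Count flagged requests per source IP, a starting point for rate limiting or blocking."""
    return Counter(ip for ip, _ in find_wirex_like(log_text))


if __name__ == "__main__":
    for ip, ua in find_wirex_like(SAMPLE_LOG):
        print(f"flagged {ip}: {ua}")
    print(flagged_source_counts(SAMPLE_LOG))
```

On the constructed sample, three of the five lines are flagged (the two random-looking alphabets and the in-order one); the normal Mozilla user agent and the 26 repeated letters are not. A per-IP count is more useful than a per-request flag here, because the article notes that each bot sends well-formed requests at a steady rate, so the same source will recur.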

The fact that both Akamai and Cloudflare had seen the same types of attacks also was significant and contributed to the decision by the different organizations to work together to mitigate the threat, he says.

Many of the Android applications used to infect devices were designed to look like benign media and video players, ringtone apps, and storage managers. The applications contained hidden functionality that silently connected to malicious command-and-control servers once users downloaded and ran them.

The malicious applications took advantage of certain legitimate features in the Android service architecture to launch attacks even when the applications were not in use.

Team Takedown

The most distinctive aspect of this event was how the industry came together to collaborate on the takedown, Nixon says. The type of information sharing that went into the effort should serve as an example of how industry collaboration can work, she says. "When companies are under attack, they often go radio silent, but in truth that is the moment when they need to be sharing information the most."

Darren Spruell, threat researcher at RiskIQ, says that takedowns like this show that, despite competing interests, many organizations regularly combine forces to combat criminal activity. "WireX abuse involves the global DNS, content delivery networks, malicious mobile apps, Web hosting and ads ecosystems," Spruell says.

In this instance, RiskIQ was able to provide insight gathered from its URL intelligence service, its external threats service, and community data gathered from customers, he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

lancop, User Rank: Apprentice
8/30/2017 | 10:11:28 AM
Great article! List of PlayStore apps that were taken down?
Vijay, another great article that is a heads up to every one of us in the network security field. Knowing how WireX was operating, how it was detected, and how it was disseminated, is a huge benefit from paying attention to DARKReading newsletters.

One more thing that I would like to know from you guys is: Where can I find a list of the Android PlayStore apps that were taken down as part of this WireX forensic investigation?

(I sure would like to know if I have any of these apps installed on my Android devices, and I would like to advise my clients, family and friends about these poisoned apps.)

After the who, what, where, when, why and how, there is also an imperative to find out what ACTIONS to take next. Uninstalling infected apps is a clear next step, but where is the information & guidance on this?

Thanks for a very informative article. I always look forward to reading your work!

Regards,

Big Al