Researchers from multiple organizations teamed up to disrupt a massive Android-device botnet dubbed WireX that was being used to launch distributed denial-of-service attacks against targets in a variety of industries including hospitality, gambling, porn, and domain name registrars.
Google, which was informed of the threat a few days ago has scrubbed its Play Store mobile app store clean of some 300 malicious Android apps that were being used to infect Android devices and co-opt them into the WireX botnet. The company is currently in the process of removing the malware from an undisclosed number of infected Android devices around the world.
WireX appears to have first surfaced on August 2 and remained unnoticed till August 15th when researchers from multiple security companies began observing it being used in prolonged DDoS attacks, some involving a minimum of 70,000 IP addresses. An analysis of the DDoS attack data showed that it came from infected devices in more than 100 countries.
Among those who collaborated in taking down the threat were Akamai, Flashpoint, Cloudflare, Oracle Dyn, RiskIQ, and Team Cymru.
In a joint blog post today, researchers from the company described WireX as a volumetric DDoS attack targeting the application layer. The traffic generated by the compromised Android devices was mostly comprised of HTTP GET requests that appeared to come from valid clients and web browsers. In some cases the traffic resembled HTTP POST requests as well.
The sheer size of the botnet and the fact it was comprised of infected mobile devices from as many as 100 different countries is somewhat unusual for modern DDoS attacks, the researchers said.
"This botnet is capable of pushing HTTPS, which exhausts even more resources than a regular HTTP flood," says Allison Nixon, director of security research at Flashpoint. "The size of the botnet is also extremely large, and both of these qualities are uncommon" in DDoS attacks, Nixon says.
Tim April, senior security architect at Akamai, says the biggest observed attacks involving WireX were in the range of around 1.1 million well-formed HTTP requests per minute. "With the nature of application layer attacks, [bandwidth per second] numbers are not as meaningful since these requests tend to result in much more server load than network volume," he says.
One of the distinct identifying markers of traffic from the botnet was the presence of a user-agent string containing all the characters of the English alphabet in lower case and in random order. A user-agent string is the header provided as part of the HTTP request from the user-agent or browser that the user interacts with to access Web content.
"The use of a consistent 26-character length seemingly random user agents is what initially caught our attention that this might be something particularly interesting," says Justin Paine, head of trust and safety at Cloudflare.
The fact that both Akamai and Cloudflare had seen the same types of attacks also was significant and contributed to the decision by the different organizations to work together to mitigate the threat, he says.
Many of the Android applications that were used to infect devices were designed to look like benign media and video players, ringtone apps, and storage managers. The applications had hidden features in them that would secretly connect to malicious command and control servers when users downloaded and ran the applications.
The malicious applications took advantage of certain legitimate features in the Android service architecture to launch attacks even when the applications were not in use.
The most unique aspect of this event was how the industry came together to collaborate on the takedown, Nixon says. The type of information-sharing that went into the effort should serve as an example of how industry collaboration can work, she says. "When companies are under attack, they often go radio silent, but in truth that is the moment when they need to be sharing information the most."
Darren Spruell, threat researcher at RiskIQ, says that takedowns like this show how despite competing interests, many organizations regularly combine forces to combat criminal activity. "WireX abuse involves the global DNS, content delivery networks, malicious mobile apps, Web hosting and ads ecosystems," Spruell says.
In this instance, RiskIQ was able to provide insight gathered from its URL intelligence service, its external threats service, and community data gathered from customers, he says.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio