
Industry collaboration brings down WireX Android botnet

29 Aug 2017

Industry collaboration between four cybersecurity firms and many independent researchers is being hailed as a success in taking down a new botnet about three weeks after it first appeared in early August.

The WireX botnet, which spread through malicious Android applications and roped infected devices into DDoS attacks, first generated attack traffic on August 2. By August 15, it was conducting longer attacks from at least 70,000 concurrent IP addresses.

By August 17, the botnet ramped up its attacks against multiple content providers and content delivery networks. This drew the attention of security firms, which decided to cooperate and eliminate the botnet.

“WireX abuse involves the global DNS, content delivery networks, malicious mobile apps, web hosting and the ads ecosystem,” comments RiskIQ threat researcher Darren Spruell.

Researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru and others shared information and research on the botnet, an effort the companies say demonstrates the power of collaboration.

Google removed the malware from Google Play a few days ago, taking down hundreds of affected applications from the store, and is in the process of removing them from infected devices.

The infected applications included media and video players, ringtone apps and tools such as storage managers and third-party app stores.

According to Cloudflare CEO Matthew Prince, WireX is one of only a few Android botnets used for DDoS attacks.

“Cloudflare's mission is to help build a better Internet, and this time, the most effective way to protect Internet users as a whole involved cross-industry collaboration. I'm proud of our research team and the researchers who worked together to rapidly investigate and mitigate this dangerous new discovery," he explains.

The August 17 DDoS attack involved infected devices from more than 100 countries, a spread researchers say is uncharacteristic for botnets. The collaborative effort linked the attacking IPs to malicious code believed to be running on Android devices.

“A botnet of this extreme size is concerning for the sake of the Internet as a whole. I want to especially thank the organizations who are attacked with DDoS traffic and are kind enough to share detailed information about the attacks. These contributions are vitally important to dealing with these global threats,” comments Flashpoint’s director of Security Research, Allison Nixon.

Nixon says that the group was able to connect the dots from the victim to the attacker, mitigate the attack and dismantle the botnet.

Researchers believe that the best thing organisations can do when under DDoS attack is to share metrics related to the attack: packet captures, lists of attacking IPs, ransom notes, request headers and other patterns of interest.
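As an added illustration of what such sharing looks like in practice (this is example code written for this page, not a tool from any of the companies named above), the script below parses web-server access logs in the combined log format, picks out the sources that sent repeated requests, and builds a structured summary of the attacking IPs, the paths hit and the shape of the User-Agent headers seen, ready to hand to a trust group. The sample log lines are constructed for the example and are not WireX indicators; the request threshold is deliberately low to suit the tiny sample.

```python
"""Build a shareable DDoS attack summary from web-server access logs.

Added example, not code from the original article or from any company
it names. The log lines in SAMPLE_LOG are constructed for illustration
and are not indicators of WireX or any real attack.
"""
import json
import re
from collections import Counter, defaultdict

# Combined log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: three sources hammering one page with short,
# varying User-Agent strings, plus one ordinary browser client.
SAMPLE_LOG = """\
198.51.100.10 - - [17/Aug/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "jcokwxnkfz"
198.51.100.10 - - [17/Aug/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "qrtpzml"
198.51.100.10 - - [17/Aug/2017:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "bbvmnqxdto"
203.0.113.7 - - [17/Aug/2017:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "kfoalxpm"
203.0.113.7 - - [17/Aug/2017:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "zzqprtvwa"
192.0.2.44 - - [17/Aug/2017:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "nmxcvbtre"
192.0.2.44 - - [17/Aug/2017:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 512 "-" "ytrewqasd"
203.0.113.250 - - [17/Aug/2017:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 512 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/55.0"
"""


def parse_log(text):
    """Yield one dict per parseable line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def ua_shape(ua):
    """Coarse description of a User-Agent: 'alpha-lower:<len>' for a
    string made only of lowercase letters, otherwise 'other'. Sharing
    the shape lets analysts compare header patterns without exchanging
    every raw string."""
    if re.fullmatch(r"[a-z]+", ua):
        return "alpha-lower:%d" % len(ua)
    return "other"


def summarize(text, min_requests=2):
    """Aggregate the metrics worth sharing: attacking IPs, request
    volume, paths targeted and User-Agent shapes. A source counts as an
    attacker once it has sent at least `min_requests` requests (a toy
    threshold; a real deployment would key on per-source request rate).
    """
    per_ip = defaultdict(lambda: {"requests": 0, "paths": Counter(), "user_agents": set()})
    for rec in parse_log(text):
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        entry["paths"][rec["path"]] += 1
        entry["user_agents"].add(rec["ua"])

    attackers = {ip: e for ip, e in per_ip.items() if e["requests"] >= min_requests}
    top_paths = Counter()
    ua_shapes = Counter()
    for e in attackers.values():
        top_paths.update(e["paths"])
        for ua in e["user_agents"]:
            ua_shapes[ua_shape(ua)] += 1

    return {
        "attack_ips": sorted(attackers),
        "total_attack_requests": sum(e["requests"] for e in attackers.values()),
        "top_paths": dict(top_paths.most_common(5)),
        "user_agent_shapes": dict(ua_shapes.most_common(10)),
        "sources": {
            ip: {"requests": e["requests"], "user_agents": sorted(e["user_agents"])}
            for ip, e in attackers.items()
        },
    }


if __name__ == "__main__":
    # Emit the summary as JSON, the form most trust groups can ingest.
    print(json.dumps(summarize(SAMPLE_LOG), indent=2, sort_keys=True))
```

Run it as-is to see the JSON summary for the constructed sample; point `summarize()` at a real access log to produce the same record for an actual incident. Packet captures and ransom notes, the other items the researchers mention, are attached alongside rather than derived from the log.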

Researchers say they would never have been able to take down the botnet without industry collaboration.

"Only by truly understanding what's happening on the Internet are you able to make it safer. And trusted information sharing groups are one of the best ways to foster that understanding,” comments Akamai’s senior network architect and security researcher Jared Mauch.

“In the case of the WireX botnet, a direct result of our information sharing and other research collaboration was our ability to fully uncover what made this malicious software tick in a much more timely manner. Working together to fight these threats benefits not only our collective customers, but also Internet users as a whole," Mauch concludes.
