
Industry collaboration brings down WireX Android botnet

29 Aug 2017

Industry collaboration between a group of cybersecurity firms and many independent researchers is being hailed as a success in taking down a new botnet just three weeks after it appeared in early August.

The WireX botnet, spread through malicious Android applications, was first observed roping infected devices into DDoS traffic on August 2. On August 15, the botnet conducted longer attacks from at least 70,000 concurrent IP addresses.

By August 17, the botnet ramped up its attacks against multiple content providers and content delivery networks. This drew the attention of security firms, which decided to cooperate and eliminate the botnet.

“WireX abuse involves the global DNS, content delivery networks, malicious mobile apps, web hosting and the ads ecosystem,” comments RiskIQ threat researcher Darren Spruell.

Researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru and others shared information throughout the investigation, an exercise the companies say demonstrates the power of collaboration.

Google removed the malicious applications from Google Play a few days ago. It has also removed hundreds of applications from the store and is in the process of removing them from infected devices.

The infected applications included media and video players, ringtone apps, and tools such as storage managers and app stores.

According to Cloudflare CEO Matthew Prince, the WireX botnet is one of a few Android botnets used for DDoS attacks.

“Cloudflare's mission is to help build a better Internet, and this time, the most effective way to protect Internet users as a whole involved cross-industry collaboration. I'm proud of our research team and the researchers who worked together to rapidly investigate and mitigate this dangerous new discovery," he explains.

The August 17 DDoS attack involved infected devices from more than 100 countries, which researchers say is uncharacteristic for botnets. The collaborative effort revealed connections between the attacking IPs and malicious software suspected to be running on Android devices.

“A botnet of this extreme size is concerning for the sake of the Internet as a whole. I want to especially thank the organizations who are attacked with DDoS traffic and are kind enough to share detailed information about the attacks. These contributions are vitally important to dealing with these global threats,” comments Flashpoint’s director of Security Research, Allison Nixon.

Nixon says that the group was able to connect the dots from the victim to the attacker, mitigate the attack and dismantle the botnet.

Researchers believe that the best thing organisations can do when under DDoS attack is to share metrics related to the attack with the wider community. Useful metrics include packet captures, lists of attacking IPs, ransom notes, request headers and patterns of interest.
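As an added illustration of the kind of metrics the researchers ask victims to share (this is example code written for this page, not a tool from any of the companies named), the script below turns a web server access log into a shareable summary: the list of addresses sending an abnormal volume of requests, the User-Agent headers and request targets they have in common, and the time window covered. The log lines are constructed for the example and are not traffic from the WireX attacks; the request-count threshold is an assumption standing in for a site's own traffic baseline.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in Apache/nginx "combined" log format. These lines are
# made up for this example and are not captured WireX traffic. Two addresses
# hit the same path repeatedly with the same User-Agent; one ordinary browser
# client appears once; one line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Aug/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Dalvik/2.1.0 (Linux; U; Android 7.0)"
198.51.100.7 - - [17/Aug/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Dalvik/2.1.0 (Linux; U; Android 7.0)"
203.0.113.10 - - [17/Aug/2017:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Dalvik/2.1.0 (Linux; U; Android 7.0)"
192.0.2.44 - - [17/Aug/2017:10:00:02 +0000] "GET /news/ HTTP/1.1" 200 8192 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.7 - - [17/Aug/2017:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Dalvik/2.1.0 (Linux; U; Android 7.0)"
203.0.113.10 - - [17/Aug/2017:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Dalvik/2.1.0 (Linux; U; Android 7.0)"
198.51.100.7 - - [17/Aug/2017:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Dalvik/2.1.0 (Linux; U; Android 7.0)"
203.0.113.10 - - [17/Aug/2017:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Dalvik/2.1.0 (Linux; U; Android 7.0)"
this line is not a valid log entry
"""

# Combined log format: ip ident user [timestamp] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize(lines, threshold):
    """Build a shareable attack summary from log lines.

    `threshold` is the per-IP request count above which an address is treated
    as attacking. It is a placeholder: a real deployment would derive it from
    the site's normal per-client rate over the same window.
    """
    parsed = [parse_line(line) for line in lines]
    records = [r for r in parsed if r is not None]
    unparsed = len(parsed) - len(records)

    per_ip = Counter(r["ip"] for r in records)
    attack_ips = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    attack_set = set(attack_ips)
    attack = [r for r in records if r["ip"] in attack_set]

    window_start = min(r["ts"] for r in attack).isoformat() if attack else None
    window_end = max(r["ts"] for r in attack).isoformat() if attack else None

    # Only data about the attacking addresses leaves the organisation: the
    # legitimate client at 192.0.2.44 never appears in the report.
    return {
        "window_start": window_start,
        "window_end": window_end,
        "attack_ips": attack_ips,
        "requests_from_attack_ips": len(attack),
        "user_agents": dict(Counter(r["ua"] for r in attack).most_common()),
        "targets": dict(Counter(f'{r["method"]} {r["path"]}' for r in attack).most_common()),
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG.splitlines(), threshold=3), indent=2))
```

Two things worth keeping in mind when turning this into something you would actually hand to a sharing group: a raw per-IP count over a short window is a crude flag (a busy NAT gateway or corporate proxy can exceed it legitimately), so compare against your own baseline rather than a fixed number, and share the derived artefacts (attacking addresses, header patterns, targeted paths, the time window) rather than the whole log, which carries your legitimate users' addresses and referers.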

Researchers say they would never have been able to take down the botnet without industry collaboration.

"Only by truly understanding what's happening on the Internet are you able to make it safer. And trusted information sharing groups are one of the best ways to foster that understanding,” comments Akamai’s senior network architect and security researcher Jared Mauch.

“In the case of the WireX botnet, a direct result of our information sharing and other research collaboration was our ability to fully uncover what made this malicious software tick in a much more timely manner. Working together to fight these threats benefits not only our collective customers, but also Internet users as a whole," Mauch concludes.
