Industry collaboration brings down WireX Android botnet
Industry collaboration between four cybersecurity firms and many independent researchers is being hailed as a success in catching a new botnet just three weeks after it appeared in early August.
The WireX botnet started compromising malicious Android application and roping infected devices into its DDoS traffic on August 2. On August 15, the botnet conducted longer attacks from at least 70,000 concurrent IP addresses.
By August 17, the botnet ramped up its attacks against multiple content providers and content delivery networks. This drew the attention of security firms, which decided to cooperate and eliminate the botnet.
“WireX abuse involves the global DNS, content delivery networks, malicious mobile apps, web hosting and the ads ecosystem,” comments RiskIQ threat researcher Darren Spruell.
Researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru and others conducted information sharing exercises – the likes of which demonstrate the power of collaboration, according to the companies.
Google removed the malware from Google Play a few days ago. It has also removed hundreds of applications from the store and is in the process of removing them from infected devices.
The infected applications included media and video players, ringtones or tools such as storage managers and app stores.
According to Cloudflare CEO Matthew Prince, the WireX botnet is one of a few Android botnets used for DDoS attacks.
“Cloudflare's mission is to help build a better Internet, and this time, the most effective way to protect Internet users as a whole involved cross-industry collaboration. I'm proud of our research team and the researchers who worked together to rapidly investigate and mitigate this dangerous new discovery," he explains.
The August 17 DDoS attack involved infected devices from more than 100 countries, which researchers say is uncharacteristic for botnets. The collaborative effort revealed connections between the attacking IPs and another malicious factor, suspected to be running on an Android system.
“A botnet of this extreme size is concerning for the sake of the Internet as a whole. I want to especially thank the organizations who are attacked with DDoS traffic and are kind enough to share detailed information about the attacks. These contributions are vitally important to dealing with these global threats,” comments Flashpoint's director of Security Research, Allison Nixon.
Nixon says that the group was able to connect the dots from the victim to the attacker, mitigate the attack and dismantle the botnet.
Researchers believe that the best things organisations can do when under DDoS attack is to share metrics related to the attack. Metrics can include packet captures, list of attack IPs, ransom notes, request headers and patterns of interest.
Researchers say they would never have been able to take down the botnet without industry collaboration.
"Only by truly understanding what's happening on the Internet are you able to make it safer. And trusted information sharing groups are one of the best ways to foster that understanding,” comments Akamai's senior network architect and security researcher Jared Mauch.
“In the case of the WireX botnet, a direct result of our information sharing and other research collaboration was our ability to fully uncover what made this malicious software tick in a much more timely manner. Working together to fight these threats benefits not only our collective customers, but also Internet users as a whole," Mauch concludes.