A coalition of researchers has revealed details about a joint effort by Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru and other organisations to take down the WireX botnet.
On 17 August, a number of CDNs and content providers were subjected to distributed denial of service (DDoS) attacks attributed to a botnet dubbed WireX. WireX was largely powered by Android devices on which users had installed malware masquerading as legitimate apps in Google’s Play Store and a number of other app marketplaces.
In a blog entry posted by CDN provider Akamai, the group of researchers reveals that WireX staged a number of minor attacks as early as 2 August, followed by a series of more prolonged attacks beginning on 15 August.
HTTP GET requests were the primary form of traffic generated by WireX, though the researchers said some variants may be capable of issuing POST requests.
The 17 August attacks involved traffic from devices in more than 100 countries.
The geographic distribution of the attacking IP addresses along with a set of distinctive User-Agent strings “led the researchers who began the initial investigation to believe that other organizations may have seen or would be likely to experience similar attacks,” the blog entry states.
“The researchers reached out to peers in other organizations for verification of what they were seeing.
“Once the larger collaborative effort began, the investigation began to unfold rapidly starting with the investigation of historic log information, which revealed a connection between the attacking IPs and something malicious, possibly running on top of the Android operating system.”
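The two signals described above, the geographic spread of the attacking IPs and a set of distinctive User-Agent strings, are exactly what a target can pull out of its own access logs and hand to peers. The script below is an added example written for this page, not code from Akamai or the WireX write-up. It assumes a simplified one-line-per-request log format, a constructed IP-to-country table over documentation address ranges, and placeholder lowercase User-Agent tokens standing in for whatever the real distinctive strings were (the page does not say what they looked like); the "no product/version token" heuristic used to flag non-browser User-Agents is likewise an assumption of the example, not a finding of the researchers.

```python
"""Summarise a suspected HTTP GET/POST flood from an access log.

Added example for this page (not Akamai's or the WireX researchers' code).
Assumptions: a constructed log format of  ip method path status "user-agent",
a constructed IP-to-country map, and a heuristic that flags User-Agents
lacking the product/version tokens (Mozilla/5.0, Chrome/60.0, ...) that
mainstream browsers send.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges; the lowercase UA tokens are placeholders, not real WireX strings.
SAMPLE_LOG = """
203.0.113.10 GET /index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
203.0.113.11 GET /about 200 "Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0"
198.51.100.7 GET / 503 "xkqzjvtpwmnrg"
198.51.100.8 GET / 503 "xkqzjvtpwmnrg"
198.51.100.8 GET / 503 "xkqzjvtpwmnrg"
192.0.2.55 GET / 503 "bhdlsfaocuey"
192.0.2.56 GET /?x=1 503 "bhdlsfaocuey"
192.0.2.57 POST /login 503 "xkqzjvtpwmnrg"
"""

# Constructed geolocation table (assumption: in practice you would use a GeoIP database).
GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "BR",
    ipaddress.ip_network("192.0.2.0/24"): "IN",
}

LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ip, method, path, status, ua = m.groups()
        records.append({"ip": ip, "method": method, "path": path,
                        "status": int(status), "ua": ua})
    return records


def looks_like_browser(ua):
    """Heuristic (assumption of this example): browsers send product/version
    tokens such as Mozilla/5.0; a bare token with no '/' does not."""
    return "/" in ua


def country_of(ip, geo):
    """Map an IP to a country code using the constructed table; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in geo.items():
        if addr in net:
            return cc
    return "??"


def summarise(records, geo):
    """Build the shareable metrics: per-UA request and source counts, distinct
    sources per country, and the HTTP methods seen in the suspect traffic."""
    by_ua = defaultdict(lambda: {"requests": 0, "sources": set()})
    by_country = defaultdict(set)
    methods = Counter()
    for r in records:
        if looks_like_browser(r["ua"]):
            continue  # keep ordinary browser traffic out of the attack summary
        entry = by_ua[r["ua"]]
        entry["requests"] += 1
        entry["sources"].add(r["ip"])
        by_country[country_of(r["ip"], geo)].add(r["ip"])
        methods[r["method"]] += 1
    return {
        "suspect_user_agents": {
            ua: {"requests": e["requests"], "sources": len(e["sources"])}
            for ua, e in by_ua.items()
        },
        "sources_by_country": {cc: len(ips) for cc, ips in by_country.items()},
        "methods": dict(methods),
        "total_suspect_requests": sum(methods.values()),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(parse_log(SAMPLE_LOG), GEO), indent=2, sort_keys=True))
```

The point of returning counts rather than raw IPs is that the summary (which User-Agents, how many distinct sources, from how many countries, GET versus POST) is what another target needs to recognise the same botnet in its own logs, and it can be shared without handing over the full request log.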
The researchers said the earlier Mirai botnet, which targeted routers and other internet-connected devices, had had one positive side effect: it prompted groups to start sharing information on attacks.
The researchers identified a range of Android apps hosted in a number of app marketplaces, including the Play Store, with many of them masquerading as media players, ringtones or tools. Google identified around 300 apps associated with WireX, blocking them from the Play Store and then systematically removing them from devices.
The researchers argued that the discovery, analysis and mitigation of the botnet show the value of open collaboration between DDoS targets, DDoS mitigation companies, and intelligence firms.
“Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery,” the blog entry states.
“The best thing that organizations can do when under a DDoS attack is to share detailed metrics related to the attack. With this information, those of us who are empowered to dismantle these schemes can learn much more about them than would otherwise be possible.”
"Only by truly understanding what's happening on the Internet are you able to make it safer,” said Jared Mauch, an Akamai senior network architect and security researcher. “And trusted information sharing groups are one of the best ways to foster that understanding.”
“In the case of the WireX botnet, a direct result of our information sharing and other research collaboration was our ability to fully uncover what made this malicious software tick in a much more timely manner,” Mauch said.
“Cloudflare worked in collaboration with industry partners to identify and take steps to disrupt the very dangerous WireX botnet,” said Matthew Prince, the CEO of CDN provider Cloudflare. “The WireX botnet is particularly significant as it's one of a handful of Android mobile device botnets used for DDoS attacks.”