Security firms team up to neutralize WireX botnet after multiple DDoS attacks

Despite heavy competition in the security industry, researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle (Dyn), RiskIQ, Team Cymru, and others worked together to take down an Android-based botnet responsible for several DDoS attacks earlier this month.

On August 17, multiple CDNs (Content Delivery Networks) and content providers started to see significant attacks from a botnet that would later come to be known as WireX.

Further investigation revealed this botnet was also responsible for other minor attacks as early as August 2, but those went unnoticed at the time. These earlier attacks suggest the botnet’s code was still in an early development phase, but on August 15, the attacks started to ramp up. Around that time, some events were sourced to a minimum of 70,000 IP addresses.

According to a write-up seen by Salted Hash, WireX was pushing volumetric DDoS attacks at the application layer. The traffic generated by the botnet consisted primarily of HTTP GET requests, but analysis of the code suggests some variants could also do POST requests. In short, the attacks looked like valid requests from a number of generic HTTP clients and browsers. At one point, the bot was generating around 20,000 requests per second.

The Trust Group:

Two days after the WireX ramp-up, and after noticing a pattern in the User-Agent strings, researchers at Akamai started searching their logs. Digging deeper into the August 17 attack data, it was determined that more than 100 countries were involved, which is a bit unusual.

This uncharacteristic trait, in addition to the strange looking User-Agent strings, is what led Akamai’s researchers to believe other organizations might have seen or experienced similar attacks. Thus, they reached out to a few trusted contacts.

Given how competitive the security industry is, it isn’t often that stories of researchers from rival firms working together surface. When they do, they’re usually worth telling. Such stories also serve as a solid example of how close the security community is on some levels.

Believe it or not, having so many eyes on a problem like WireX wasn’t much of a hurdle.

“I am pleased to say it went a lot more smoothly then you might expect. The researchers involved have working relationships that pre-date and transcend our current employers, and we all have a cordial working relationship. Competition takes a back seat when we have much bigger issues to deal with,” explained Allison Nixon, the Director of Security Research at Flashpoint.

As mentioned, this isn’t the first time the group – including experts from Akamai, Cloudflare, Flashpoint, Google, Oracle (Dyn), RiskIQ, Team Cymru – have tackled such situations together.

Jared Mauch, a group member who does internetworking research and architecture for Akamai, said they worked on the Mirai attacks as well, and tend to collaborate “based on common threats, bringing in trusted and knowledgeable colleagues.”

“This particular trust group has come together several times in the past to address significant events that have threatened the Internet (Mirai, WannaCry, and NotPetya),” added Justin Paine, the head of Trust & Safety at Cloudflare.

Once the trust group started working, things quickly started to unravel for WireX.

Snipping WireX:

Tim April, a senior security architect at Akamai, said the August 17 attack targeted one of their customers. Once Akamai’s engineers started investigating, they turned to Cloudflare and discovered customers over there had been attacked as well.

“We pooled our collective knowledge about these attacks which led to the discovery of the likely infection source. Akamai was able to locate the specific malicious applications, and Cloudflare worked to decompile those applications so the research group could investigate further,” explained Paine.

Akamai had discovered that the source of the attacks were malicious Android applications, which on the surface appeared harmless to the users that had installed them. Most of the apps took advantage of the Android service architecture, allowing them to use resources and conduct attacks even if the application itself isn’t in use.

The names of the applications were nonsense strings, the researchers said. These strings, such as xryufrix and ggnegmth, were likely intended to help the malware’s authors avoid recognition on app stores.

Moreover, the developer names on the apps were also slightly different across instances including TubeMate 2.2.9 YouTube Downloader PRO and TubeMate 2.2.9 SnapTube Youtube Downloader R, as well as similar names using different ending letters per instance including J, I, X and Z.

“It’s possible older apps predating the current series of DDoS enabled malware may have used names with game themes such as Motorcycle Racing Fast,” the researchers said.

“Malware APK packages also show randomized, bogus names such as com.urrhiccq.app, com.fstnnzbb.app, and com.casa.blanca.”

There were a few cases where the apps behind WireX were found in well-known app stores, like Google Play. The trust group reached out to these stores and helped coordinate cleanup.

“We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices. The researchers’ findings, combined with our own analysis, have enabled us to better protect Android users, everywhere,” a Google spokesperson said.

Once the WireX code was decompiled, Paine explained, the group was able to locate the C&C (command and control) servers, which were hard-coded into the applications.

“Cloudflare also had visibility on the command and control server that enabled us to track the size of the botnet as it grew in size. Cloudflare researchers have actively been mapping out additional botnet infrastructure as well,” Paine added.

When signs connecting WireX to online advertising started to emerge, the trust group reached out to RiskIQ for a closer look.

“Indeed, one of the payloads of the mobile malware driving the botnet is click-fraud, and the web sites utilized by the suspected operator of the botnet were found in earlier days to be utilized for online ad services,” explained Darren Spruell, a threat researcher at RiskIQ.

Interestingly enough, anti-Virus giant McAfee reported on a number of click-fraud applications that were observed on Google Play just last week. While the security firm’s report on the apps details some of the code fully, it appears they completely missed the connection between the apps they discovered and WireX. The McAfee report says the apps appeared on August 4 and were removed a few days later.

As far as the researchers know, no previous coverage of this malware has highlighted the occurrence of the DDoS attacks. However, they added, any analysis shared with the community is valuable.

“We credit direct involvement of service network providers in response to WireX, along with contributions of specific members of the working group in reverse engineering the Android apps to uncover the code behind this functionality,” the group said in a statement.

Update: Salted Hash reached out to McAfee. A spokesperson said they were aware of the DDoS aspects, but didn’t discuss them as part of a safe disclosure process.

“McAfee was aware of the DDoS aspects of these click-fraud apps, but chose to hold off discussing them publicly as part of a safe disclosure process. The initial blog was to reassure our customers that McAfee has a protection in the field for those who were still at risk. Once the takedown has been carried out to its completion, McAfee will release a follow up blog with additional information on the evolution of threats on Google Play and how DDoS played a role in this threat.”

As of today, WireX isn’t completely dead, but the trust group says it’s largely neutralized.

The group is working closely with law enforcement and the private sector who have the ability to take action. In a statement to Salted Hash, the group said that while the C&C is still able to propagate, “the effective size of the botnet has been significantly reduced and attack impacts are being minimized.”

“The malicious actor would not only have to rebuild their entire botnet, but they would have to evade new security measures in order to once again have control of such a large botnet. This would not be easy right now due to the vigilance of everyone involved. Researchers are currently working with law enforcement to take other actions to further impact the botnet operations.”

Information sharing can get things done:

“These discoveries were only possible due to open collaboration between DDoS targets, DDoS mitigation companies, and intelligence firms. Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery,” the researchers said in a write-up on WireX, which will be posted to all of their respective corporate blogs today.

The best thing organizations can do, the write-up goes on to say, is share anonymized detailed metrics – packet captures, attacking IP logs, ransom notes, request headers, and patterns of interest – and provide permission for the data to be shared with vendors and their trusted contacts.

“This report is an example of how informal sharing can have a dramatically positive impact for the victims and the Internet as a whole. Cross-organizational cooperation is essential to combat threats to the Internet and, without it, criminal schemes can operate without examination.”