Security researchers from at least seven major companies collaborated this month to subdue a DDoS botnet composed of compromised Android devices operating in more than 100 different countries.
Dubbed WireX, the botnet is the work product of "Android Clicker," a mobile malware program whose purpose appears to have shifted from click fraud to volumetric DDoS attacks at the application layer. Devices became infected after their owners downloaded malware-tainted apps, including roughly 300 found in the Google Play Store.
In emailed comments, Matthew Prince, co-founder and CEO of Cloudflare, called WireX "particularly significant" because it's "one of a handful of Android mobile device botnets used for DDoS attacks."
WireX first stirred to life on Aug. 2, as the botnet conducted minor DDoS tests that generally went unnoticed. According to data compiled from various sources, it was around Aug. 7 that the attacks began using larger numbers of devices, with more prolonged attacks beginning on Aug. 15. At their peak, the attacks leveraged anywhere from 70,000 to 120,000 unique IP addresses per hour in order to generate malicious traffic.
Most of the malicious traffic generated in the attacks was produced via HTTP GET requests, with some variants of Android Clicker issuing POST requests. "The attacks were in the range of 1.1 million well-formed HTTP/HTTPS requests per minute," said Tim April, senior security architect at Akamai Technologies, in an email interview.
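As an added illustration of the traffic profile described above (example code written for this page, not part of the original article or any tooling from the companies named in it), the following Python aggregates web-server access-log lines per minute and flags windows in which both the request count and the number of distinct source IPs are high. The log lines, addresses, paths and thresholds are all constructed for the example; production thresholds would be tuned against the site's own baseline rather than the scaled-down numbers used here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines in Apache/nginx "combined" format.
# Synthetic data, not captured WireX traffic; addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Aug/2017:14:05:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Aug/2017:14:05:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [15/Aug/2017:14:05:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Aug/2017:14:05:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [15/Aug/2017:14:05:03 +0000] "POST /login HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Aug/2017:14:05:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.21 - - [15/Aug/2017:14:05:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.22 - - [15/Aug/2017:14:05:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Aug/2017:14:05:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Aug/2017:14:05:07 +0000] "POST /login HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.12 - - [15/Aug/2017:14:05:08 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Aug/2017:14:05:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.50 - - [15/Aug/2017:14:06:10 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.50 - - [15/Aug/2017:14:06:15 +0000] "GET /contact HTTP/1.1" 200 700 "-" "Mozilla/5.0"
this line is garbage and should be skipped
"""

# Combined-log-format prefix: client IP, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, minute_key, method) for a well-formed line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # '15/Aug/2017:14:05:01 +0000' -> '15/Aug/2017:14:05' (drop seconds and zone)
    minute = m.group("ts").split(" ")[0].rsplit(":", 1)[0]
    return m.group("ip"), minute, m.group("method")


def aggregate_by_minute(log_text):
    """Per-minute request count, set of distinct source IPs, and method mix."""
    stats = defaultdict(lambda: {"requests": 0, "ips": set(), "methods": Counter()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not counted
        ip, minute, method = parsed
        bucket = stats[minute]
        bucket["requests"] += 1
        bucket["ips"].add(ip)
        bucket["methods"][method] += 1
    return stats


def flag_floods(log_text, min_requests=10, min_unique_ips=5):
    """Minutes where volume AND source diversity exceed (illustrative) thresholds.

    Returns a list of (minute, requests, unique_ips, dominant_method).
    """
    flagged = []
    for minute, s in sorted(aggregate_by_minute(log_text).items()):
        if s["requests"] >= min_requests and len(s["ips"]) >= min_unique_ips:
            dominant = s["methods"].most_common(1)[0][0]
            flagged.append((minute, s["requests"], len(s["ips"]), dominant))
    return flagged


def per_ip_peak(log_text):
    """Highest number of requests any single IP made within one minute."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            ip, minute, _ = parsed
            counts[(minute, ip)] += 1
    return max(counts.values(), default=0)


if __name__ == "__main__":
    for minute, reqs, ips, method in flag_floods(SAMPLE_LOG):
        print(f"{minute}: {reqs} requests from {ips} IPs, mostly {method}")
    print("busiest single IP in any minute:", per_ip_peak(SAMPLE_LOG), "requests")
```

The two thresholds are deliberately combined: the attack described here consisted of well-formed requests spread across tens of thousands of distinct sources, so any individual client's rate stays unremarkable (`per_ip_peak` reports only 2 requests per minute for the sample) and a per-IP rate limit alone would not trip. Source diversity per window, together with aggregate volume and the GET/POST mix, is what distinguishes the flood from ordinary traffic.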
At this point, security researchers were well aware of the threat and had begun noticing distinctive attack signatures. Around Aug. 17, experts from Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru, and other unnamed organizations banded together to share data on the attacks and launch a counteroffensive. Of this group, Akamai, Cloudflare, Flashpoint, and RiskIQ later collaborated on a joint blog post describing the WireX attack and subsequent investigation.
"The group had a real-time feed of attack targets and attack signatures that it was able to share with targeted organizations. Members of the group worked with the targets whenever possible to help them mitigate the attacks," said Justin Paine, head of trust and safety at Cloudflare, in an email interview. Paine noted that the targets were primarily companies providing hospitality, gambling, pornography, and domain name registrar services.
The group also informed Google that the malware was found in applications that were available in its app store, including media and video players, ringtone apps, and storage management tools. Generally, device owners wouldn't even realize something was amiss with the apps, which appeared benign despite their frequent communications with command-and-control servers and execution of DDoS attacks, sometimes even while running in the background.
Google quickly took action to remove those offenders. "We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we're in the process of removing them from all affected devices," the company asserted in a statement that was included in the joint blog post.
To further minimize the botnet's impact, "We also passed information to ISPs and network operators about confirmed infected DDoS bots on their networks," said Allison Nixon, director of security research at Flashpoint, in an email interview. The researchers have also been cooperating with law enforcement, including the FBI.
In comments provided to the media, the participating research companies were eager to espouse the benefits of cooperation between researchers and the public and private sectors, as demonstrated by this case.
“The WireX botnet operation shows the value of a collaborative response from security firms, service providers, and law enforcement,” said Darren Spruell, threat researcher at RiskIQ, in emailed comments.